ArcSight ESM Event Ingestion integration

  • Release version: Zurich
  • Updated July 31, 2025

    The ArcSight ESM event ingestion integration with the Security Incident Response product allows security incident analysts to collect correlated events from ArcSight ESM and automate the creation of security incidents in the ServiceNow platform. Data is ingested continually on a configured polling schedule, and analysts use it to identify and respond to potential cybersecurity threats.

    With this integration, correlated events that are candidates for security incidents can be ingested periodically. You can map fields in correlated events to security incident fields, preview how an event would appear as a security incident, and set up scheduled ingestion so that security incidents are created automatically on an ongoing basis.

    Overview of ArcSight ESM Event Ingestion integration

    This integration gives a security operations center (SOC) analyst visibility into correlation events in ArcSight ESM. That data can be turned into ServiceNow AI Platform Security Incident Response (SIR) security incidents for further investigation and remediation. Profiles are created in your ServiceNow AI Platform instance to handle the different correlation event types that ArcSight ESM exposes through correlation query viewers. Each profile controls which ArcSight ESM correlated event fields are copied onto a SIR security incident and how they are displayed there.

    Key features

    This integration includes the following key features:
    • Create multiple event ingestion profiles, each generating SIR security incidents for a specific type of threat such as malware or unauthorized access attempts.
    • Drag-and-drop mapping of ArcSight ESM correlation event field values to the associated SIR security incident fields.
    • A preview of the SIR security incident layout, built from sample correlation events, to validate the field mapping before scheduled ingestion runs.
    • Ingest historical correlation events as well as new correlation events at configurable intervals.
    • Filter out correlation events that do not meet the SIR incident generation criteria, for example low-priority events.
    • Aggregate events into existing SIR security incidents based on matching field values, so that repeated correlation events do not create duplicate security incidents.
    • Update correlation events in ArcSight ESM when a SIR incident is created or closed, via a bi-directional interface.
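    The list above describes a profile in terms of filter, field mapping, preview, aggregation and close-back. The following JavaScript models those five behaviours over a single polling cycle so the interaction between them is visible. It is an added illustration, not ServiceNow's or ArcSight's code: the sample correlation events are constructed, the ArcSight field names are a subset chosen for the example, the SIR fields other than short_description and severity are assumed custom fields, and the priority-to-severity thresholds are an assumption you would set in the real profile.

```javascript
// Added illustration of an ArcSight ESM -> SIR ingestion profile.
// Not ServiceNow's or ArcSight's code. Sample events are constructed;
// u_source_ip / u_target_ip and the severity thresholds are assumptions.

// Constructed correlation events, shaped like rows a correlation query
// viewer might return (subset of ArcSight event fields; values made up).
const sampleEvents = [
  { eventId: 1001, name: 'Brute force login', priority: 8, attackerAddress: '203.0.113.7',
    targetAddress: '10.0.0.5', targetUserName: 'svc_backup', endTime: '2025-07-31T08:00:00Z' },
  { eventId: 1002, name: 'Brute force login', priority: 8, attackerAddress: '203.0.113.7',
    targetAddress: '10.0.0.5', targetUserName: 'svc_backup', endTime: '2025-07-31T08:05:00Z' },
  { eventId: 1003, name: 'Port scan', priority: 3, attackerAddress: '198.51.100.2',
    targetAddress: '10.0.0.9', targetUserName: '', endTime: '2025-07-31T08:06:00Z' },
  { eventId: 1004, name: 'Brute force login', priority: 8, attackerAddress: '203.0.113.7',
    targetAddress: '10.0.0.5', targetUserName: 'svc_backup', endTime: '2025-07-31T09:00:00Z' },
];

// Profile: filter criteria, ArcSight field -> SIR field mapping, and the SIR
// fields whose values identify an existing incident to aggregate into.
const unauthorizedAccessProfile = {
  name: 'Unauthorized access attempts',
  minPriority: 5,                       // drop low-priority noise
  mapping: {
    name: 'short_description',
    attackerAddress: 'u_source_ip',     // assumed custom SIR field
    targetAddress: 'u_target_ip',       // assumed custom SIR field
    targetUserName: 'affected_user',
  },
  aggregateOn: ['short_description', 'u_source_ip', 'u_target_ip'],
};

// ArcSight priority is 0-10; SIR severity here is 1=High, 2=Medium, 3=Low.
// The thresholds are an assumption for the example.
function severityFromPriority(priority) {
  if (priority >= 8) return 1;
  if (priority >= 5) return 2;
  return 3;
}

function passesFilter(event, profile) {
  return event.priority >= profile.minPriority;
}

// Preview: the incident an event would produce, without persisting anything.
function previewIncident(event, profile) {
  const incident = { state: 'open', severity: severityFromPriority(event.priority),
                     event_ids: [event.eventId], last_event_time: event.endTime };
  for (const [src, dst] of Object.entries(profile.mapping)) {
    incident[dst] = event[src] === undefined ? '' : event[src];
  }
  return incident;
}

function aggregationKey(incident, profile) {
  return profile.aggregateOn.map(f => String(incident[f])).join('|');
}

// One polling cycle. Only open incidents absorb new events; a closed incident
// with the same key is left alone and a fresh incident is opened instead.
function ingest(events, profile, existingIncidents) {
  const incidents = existingIncidents.map(i => ({ ...i, event_ids: [...i.event_ids] }));
  const openByKey = new Map();
  for (const inc of incidents) {
    if (inc.state === 'open') openByKey.set(aggregationKey(inc, profile), inc);
  }
  const stats = { created: 0, aggregated: 0, filtered: 0 };
  for (const event of events) {
    if (!passesFilter(event, profile)) { stats.filtered++; continue; }
    const candidate = previewIncident(event, profile);
    const key = aggregationKey(candidate, profile);
    const existing = openByKey.get(key);
    if (existing) {
      if (!existing.event_ids.includes(event.eventId)) existing.event_ids.push(event.eventId);
      existing.severity = Math.min(existing.severity, candidate.severity); // 1 is highest
      existing.last_event_time = event.endTime;
      stats.aggregated++;
    } else {
      incidents.push(candidate);
      openByKey.set(key, candidate);
      stats.created++;
    }
  }
  return { incidents, stats };
}

// Close-back: closing an incident yields the correlation event IDs whose
// annotation in ESM should be updated over the bi-directional interface.
function closeIncident(incident) {
  incident.state = 'closed';
  return [...incident.event_ids];
}

const firstPass = ingest(sampleEvents, unauthorizedAccessProfile, []);
console.log(firstPass.stats, firstPass.incidents);
```

    On the constructed input the first cycle creates one incident, aggregates the two repeated brute-force events into it, and filters the priority-3 port scan. Running the same events again after the incident is closed opens a second incident rather than reopening the first, which is the behaviour you want when a previously closed case recurs. The aggregation key is built from mapped SIR fields, not raw ArcSight fields, so two profiles that map different ArcSight fields onto the same SIR fields still de-duplicate against each other.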

    Supported ServiceNow AI Platform versions

    This integration supports the New York Patch 6 and Orlando ServiceNow AI Platform releases.

    The following Security Operations applications must be installed and activated from the ServiceNow Store. Install and then activate one application at a time in the order listed below to ensure a smooth installation:

    1. Security Integration Framework
    2. Security Support Common
    3. Security Incident Response
    4. Event and Alert Ingestion for Security Operations
    5. Integration Hub Plugins
      1. ServiceNow Integration Hub Runtime
      2. ServiceNow Integration Hub Action Step - REST

    For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.

    ArcSight ESM supported versions

    This integration has been tested with Version 7.0.0.2436 of the ArcSight ESM Manager. The integration supports both ArcSight ESM on-premises and Cloud/Hosted service environments.

    MID Server

    This integration requires a MID Server, installed on a host in your network and configured in your ServiceNow AI Platform® instance, to connect to the ArcSight ESM service when the ArcSight ESM server is deployed within your corporate network. If you are using the ArcSight ESM cloud service, a MID Server is not required. See the ServiceNow Product Documentation website for more information about MID Servers.

    References

    Reference  Document identifier                        Document title
    1          ArcSight ESM product documentation         ArcSight product documentation
    2          ServiceNow Product Documentation website   ServiceNow Product Documentation website