Introduction

The ArcSight ESM product has a very powerful, if slightly poorly documented, REST API interface. In this post I am going to show some useful functions which can be performed on ActiveLists using this API.

The idea is to be able populate some open source Threat Intelligence feeds into the ESM without the need for a seperate SmartConnector to read the CSV file, or a load of Lightweight Rules to push the events into an ActiveList. Instead at the end of this post you will have everything needed to populate an ActiveList with a single Python script. Additionally there is the ability to remove specific entries through the API as well.

General Overview

A list of available REST API calls are available from the following two pages, replacing esm with the hostname of your ESM as applicable:
https://esm:8443/www/core-service/services/listServices
This is where we find the essential login and logout services

https://esm:8443/www/manager-service/services/listServices
This is where we find the resource specific services, in our case ActiveListService.

Below I will provide a description of the API calls required to perform the list, read, write and delete actions against an ActiveList. Python scripts will be provided, and I have attempted to keep each API call as a seperate function for ease of use.

Note on Scripts

All of the scripts provided are written in Python and require a few libraries which are listed in the import section at the top of the scripts, these can be installed using the pip install command. The scripts perform web certificate validation against the ESM Web Certificate. This certificate needs to be downloaded using a web browser and placed in the same folder as the scripts are running from.

These scripts have been written and tested on a Centos 7 device. If running on a Windows server some changes may need to be made.

List all ActiveLists

Link to script - list.py

Output from script:

H1UDsG18BABCA60aoNDEnoQ== /All Active Lists/BASEC/01 - Physical Access/People on Wifi
H3aejy2ABABCL8baIULip6g== /All Active Lists/BASEC/07 - Threat Intelligence/Whois Lookups
H5wtztCoBABCC01fXRe9YMg== /All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Daily Average EPS
H77VcOgQBABCAKcikqcW9YA== /All Active Lists/ArcSight System/Threat Tracking/Infiltrators List
H7GfZOfMAABCAEkfFgoQ8IA== /All Active Lists/ArcSight System/Targets/Hit List
H7QOMG18BABCAaPIk6FleOQ== /All Active Lists/BASEC/04 - System Access/Current VPN Users

Pseudocode:

authToken = authenticate() #Authenticates with the ESM and receives a token for use with future calls
activeLists = listActiveLists(authToken) #Requests a list of resourceIds for every ActiveList on the ESM
activeListDetails = getResourcesByIds(authToken, activeLists) #Requests the details for the lists of ActiveLists received above
for activeList in activeListDetails:
        print activeList['reference']['id'] + " " + activeList['reference']['uri'] #Prints out the resourceId and URI for each ActiveList
logout(authToken) #Invalidates the authToken and logs out from the ESM

Call descriptions:

  • authenticate
    A simple GET call to https://esm:8443/www/core-service/rest/LoginService/login?login=api&password=password&alt=json
    will return the following JSON object:
{"log.loginResponse":{"log.return":"CEgkh5Iltx4VO6yQ-pXX58acqQr2CCdNGnG0MaKEmS4."}}
  • listActiveLists
    A simple GET call to https://esm:8443/www/manager-service/rest/ActiveListService/findAllIds?authToken='+authToken+'&alt=json adding the authToken where required will return the following JSON Object:
{u'act.findAllIdsResponse': {u'act.return': [u'H1UDsG18BABCA60++NDEnoQ==', u'H3aejy2ABABCL8baIULip6g==', u'H5wtztCoBABCC01fXRe9YMg==', u'H77VcOgQBABCAKcikqcW9YA==', u'H7GfZOfMAABCAEkfFgoQ8IA==', u'H7QOMG18BABCAaPIk6FleOQ==', u'H7nDOZB0BABCB337GCqa7qw==', u'HC3RPPe0AABCAATRMay889A==', u'HD2vbOfMAABCAE0fFgoQ8IA==', u'HFz6JXBoBABCKyxNV2v9A2A==', u'HHMDelDABABCX36qVVkqC2w==', u'HIYBKPe0AABCAAdGjSMnsPw==', u'HJa0VwCQBABCBZZiy2jXu3A==', u'HKRIgjT8BABCAgSy8B+oWwA==', u'HLTq7aWABABCBEonQQ9mfrA==', u'HLZRc9yYBABC-lHtlf3-f0Q==', u'HLgSPXBoBABCK9RNV2v9A2A==', u'HLoaacUUBABCwfCaRWQMIeA==', u'HMTCR0V4BABCJEZt2q2wY3w==', u'HNsSQZB0BABCBD37GCqa7qw==', u'HPPhtfi4BABCZpzyf0B-0Gg==', u'HPfppzl4BABCRVJw6xd64Mw==', u'HQsF2KR8BABCB-dHnQejEAg==', u'HRGaky2ABABCL9M8amUoLtg==', u'HRfSKG18BABCAYyCQfdwC3A==', u'HRgrIpi4BABCQY591zH+Q8A==', u'HSMcC9mABABCAC0OJOGsKCA==', u'HUH5BoisBABCEObJYg6HiLQ==', u'HYNeKERgBABCAPXgkwT5NrQ==', u'HYT9c4CsBABCIkeRIllKOdA==', u'HZ4nCpi4BABCP+p91zH+Q8A==', u'HZoBh1EUBABCKGhabVkkDug==', u'Hc6edcUUBABCwyN0Sez5rng==', u'HdgWkQfsAABCB-RHAUwsmgg==', u'He2zyZB0BABCCEH7GCqa7qw==', u'Hgl2RPe0AABCAAY+kzt4gbA==', u'HgllRPe0AABCAAY+kzt4gbA==', u'HiFXLoicBABCA7XaJz9atdQ==', u'Hiz1vlDABABCCZh-AzO0hdw==', u'HkJyjQfsAABCBv8WZ6-B1EQ==', u'HnWoMcBkBABCBOMUyo9Ug3A==', u'HoJJyzV4BABCCwrWnx5elSQ==', u'HomDyvy4BABCEU5rDGdtA5g==', u'Hr5nFpi4BABCQH591zH+Q8A==', u'HyaXA8WABABCCfXzPBUgIjw==', u'HycbNbEUBABCBKGt8PZShUw==', u'HzBMVwCQBABCBZJiy2jXu3A==']}}
  • getResourcesByIds
    This is a more complex call as it requires a specifically formatted JSON object to be passed through in a POST call. The call is https://esm:8443/www/manager-service/rest/ActiveListService/getResourcesByIds?alt=json
    The JSON object to pass is:
{
	"act.getResourcesByIds" : {
	"act.authToken" : 'B8ssTf9iM8LQ8Ul2goJQQKiRDsckr4rB2mdS5eLauXA.',
	"act.ids" : [ 'H1UDsG18BABCA60++NDEnoQ==', 'H3aejy2ABABCL8baIULip6g==', 'H5wtztCoBABCC01fXRe9YMg==', 'H77VcOgQBABCAKcikqcW9YA==', 'H7GfZOfMAABCAEkfFgoQ8IA==', 'H7QOMG18BABCAaPIk6FleOQ==', 'H7nDOZB0BABCB337GCqa7qw==', 'HC3RPPe0AABCAATRMay889A==', 'HD2vbOfMAABCAE0fFgoQ8IA==', 'HFz6JXBoBABCKyxNV2v9A2A==', 'HHMDelDABABCX36qVVkqC2w==', 'HIYBKPe0AABCAAdGjSMnsPw==', 'HJa0VwCQBABCBZZiy2jXu3A==', 'HKRIgjT8BABCAgSy8B+oWwA==', 'HLTq7aWABABCBEonQQ9mfrA==', 'HLZRc9yYBABC-lHtlf3-f0Q==', 'HLgSPXBoBABCK9RNV2v9A2A==', 'HLoaacUUBABCwfCaRWQMIeA==', 'HMTCR0V4BABCJEZt2q2wY3w==', 'HNsSQZB0BABCBD37GCqa7qw==', 'HPPhtfi4BABCZpzyf0B-0Gg==', 'HPfppzl4BABCRVJw6xd64Mw==', 'HQsF2KR8BABCB-dHnQejEAg==', 'HRGaky2ABABCL9M8amUoLtg==', 'HRfSKG18BABCAYyCQfdwC3A==', 'HRgrIpi4BABCQY591zH+Q8A==', 'HSMcC9mABABCAC0OJOGsKCA==', 'HUH5BoisBABCEObJYg6HiLQ==', 'HYNeKERgBABCAPXgkwT5NrQ==', 'HYT9c4CsBABCIkeRIllKOdA==', 'HZ4nCpi4BABCP+p91zH+Q8A==', 'HZoBh1EUBABCKGhabVkkDug==', 'Hc6edcUUBABCwyN0Sez5rng==', 'HdgWkQfsAABCB-RHAUwsmgg==', 'He2zyZB0BABCCEH7GCqa7qw==', 'Hgl2RPe0AABCAAY+kzt4gbA==', 'HgllRPe0AABCAAY+kzt4gbA==', 'HiFXLoicBABCA7XaJz9atdQ==', 'Hiz1vlDABABCCZh-AzO0hdw==', 'HkJyjQfsAABCBv8WZ6-B1EQ==', 'HnWoMcBkBABCBOMUyo9Ug3A==', 'HoJJyzV4BABCCwrWnx5elSQ==', 'HomDyvy4BABCEU5rDGdtA5g==', 'Hr5nFpi4BABCQH591zH+Q8A==', 'HyaXA8WABABCCfXzPBUgIjw==', 'HycbNbEUBABCBKGt8PZShUw==', 'HzBMVwCQBABCBZJiy2jXu3A==' ]
	}
	}

The JSON object returned is:

{u'act.getResourcesByIdsResponse': {u'act.return': [{u'entryTimeToLive': 180000, u'reference': {u'uri': u'/All Active Lists/BASEC/01 - Physical Access/People on Wifi', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/01 - Physical Access/People on Wifi" ID="H1UDsG18BABCA60++NDEnoQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H1UDsG18BABCA60++NDEnoQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'H1UDsG18BABCA60++NDEnoQ==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': u'Person', u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 941, u'timezoneID': u'Europe/London', u'hour': 20, u'month': 9, u'second': 49, u'year': 2017, u'day': 14, u'minute': 11}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/01 - Physical Access/People on Wifi', u'createdTimestamp': 1508001989510, u'activeListType': u'FIELD_BASED', u'localID': 103079215146, u'fieldSubTypes': {u'@xsi.nil': u'true'}, u'optimizeData': False, u'multiMap': False, u'name': u'People on Wifi', u'deprecated': False, u'fieldTypes': u'String', u'modifiedTimestamp': 1508008309941, u'createdTime': {u'milliSecond': 510, u'timezoneID': u'Europe/London', u'hour': 18, u'month': 9, u'second': 29, u'year': 2017, u'day': 14, u'minute': 26}, u'keyFields': False}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/BASEC/07 - Threat Intelligence/Whois Lookups', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/07 - Threat Intelligence/Whois Lookups" ID="H3aejy2ABABCL8baIULip6g=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H3aejy2ABABCL8baIULip6g=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'H3aejy2ABABCL8baIULip6g==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'IPAddress', u'NetworkName', u'Description'], u'modificationCount': 0, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 336, u'timezoneID': u'Europe/London', u'hour': 13, u'month': 0, u'second': 13, u'year': 2018, u'day': 6, u'minute': 23}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/07 - Threat Intelligence/Whois Lookups', u'createdTimestamp': 1515244993336, u'activeListType': u'FIELD_BASED', u'localID': 103079215148, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Whois Lookups', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String'], u'modifiedTimestamp': 1515244993336, u'createdTime': {u'milliSecond': 336, u'timezoneID': u'Europe/London', u'hour': 13, u'month': 0, u'second': 13, u'year': 2018, u'day': 6, u'minute': 23}, u'keyFields': [False, False, False]}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Daily Average EPS', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Daily Average EPS" ID="H5wtztCoBABCC01fXRe9YMg=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H5wtztCoBABCC01fXRe9YMg=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': False, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215117, u'resourceid': u'H5wtztCoBABCC01fXRe9YMg==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorName', u'AverageEPS'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the daily average EPS for all connectors. The data is from a trend.', u'modifiedTime': {u'milliSecond': 188, u'timezoneID': u'Europe/London', u'hour': 11, u'month': 11, u'second': 42, u'year': 2017, u'day': 4, u'minute': 40}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Daily Average EPS', u'createdTimestamp': 1505606360340, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connector Daily Average EPS', u'deprecated': False, u'fieldTypes': [u'String', u'Double'], u'modifiedTimestamp': 1512387642188, u'createdTime': {u'milliSecond': 340, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Threat Tracking/Infiltrators List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Threat Tracking/Infiltrators List" ID="H77VcOgQBABCAKcikqcW9YA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H77VcOgQBABCAKcikqcW9YA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215105, u'resourceid': u'H77VcOgQBABCAKcikqcW9YA==', u'isAdditionalLoaded': False, u'fieldNames': [u'AttackerAddress', u'AttackerZone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts which have compromised (infiltrated) a system. ', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Threat Tracking/Infiltrators List', u'createdTimestamp': 1505606333387, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Infiltrators List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAkLZB4SI0rY7', u'versionID': u'AAAAAkLZCeSI0rY6', u'createdTime': {u'milliSecond': 387, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Targets/Hit List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Targets/Hit List" ID="H7GfZOfMAABCAEkfFgoQ8IA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H7GfZOfMAABCAEkfFgoQ8IA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215106, u'resourceid': u'H7GfZOfMAABCAEkfFgoQ8IA==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone', u'customer'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts targeted by a potential attacker.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Targets/Hit List', u'createdTimestamp': 1505606333391, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone', u'Customer'], u'optimizeData': False, u'multiMap': False, u'name': u'Hit List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference', u'ResourceReference'], u'contentVersionID': u'AAAAAkLZKlKI0rY5', u'versionID': u'AAAAAkLZMGiI0rY4', u'createdTime': {u'milliSecond': 391, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False, False]}, {u'entryTimeToLive': 4200000, u'reference': {u'uri': u'/All Active Lists/BASEC/04 - System Access/Current VPN Users', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/04 - System Access/Current VPN Users" ID="H7QOMG18BABCAaPIk6FleOQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H7QOMG18BABCAaPIk6FleOQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'H7QOMG18BABCAaPIk6FleOQ==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': u'username', u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 44, u'timezoneID': u'Europe/London', u'hour': 22, u'month': 9, u'second': 19, u'year': 2017, u'day': 14, u'minute': 16}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/04 - System Access/Current VPN Users', u'createdTimestamp':
 1507995681839, u'activeListType': u'FIELD_BASED', u'localID': 103079215145, u'fieldSubTypes': {u'@xsi.nil': u'true'}, u'optimizeData': False, u'multiMap': False, u'name': u'Current VPN Users', u'deprecated': False, u'fieldTypes': u'String', u'modifiedTimestamp': 1508015779044, u'createdTime': {u'milliSecond': 839, u'timezoneID': u'Europe/London', u'hour': 16, u'month': 9, u'second': 21, u'year': 2017, u'day': 14, u'minute': 41}, u'keyFields': False}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Tuning/Event-based Rule Exclusions', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Tuning/Event-based Rule Exclusions" ID="H7nDOZB0BABCB337GCqa7qw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'H7nDOZB0BABCB337GCqa7qw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215107, u'resourceid': u'H7nDOZB0BABCB337GCqa7qw==', u'isAdditionalLoaded': False, u'fieldNames': [u'deviceEventClassId', u'name', u'attackerZoneName', u'attackerAddress', u'targetZoneName', u'targetAddress'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores event information that is used to exclude specific events from one system to another system that has been determined to be not relevant to the rules that would otherwise trigger on these events.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Tuning/Event-based Rule Exclusions', u'createdTimestamp': 1505606333392, u'activeListType': u'EVENT_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, u'IP'], u'optimizeData': False, u'multiMap': False, u'name': u'Event-based Rule Exclusions', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'IPSubnet', u'String', u'IPSubnet'], u'contentVersionID': u'AAAAAiwORw46tx0E', u'versionID': u'AAAAAiwNv146tx0D', u'createdTime': {u'milliSecond': 392, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False, False, False, False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Threat Tracking/Hostile List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Threat Tracking/Hostile List" ID="HC3RPPe0AABCAATRMay889A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HC3RPPe0AABCAATRMay889A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215108, u'resourceid': u'HC3RPPe0AABCAATRMay889A==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts that have been attempting attacks on systems.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Threat Tracking/Hostile List', u'createdTimestamp': 1505606333393, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Hostile List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAkLZecmI0rY9', u'versionID': u'AAAAAkLZfOeI0rY8', u'createdTime': {u'milliSecond': 393, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Targets/Scanned List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Targets/Scanned List" ID="HD2vbOfMAABCAE0fFgoQ8IA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HD2vbOfMAABCAE0fFgoQ8IA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215109, u'resourceid': u'HD2vbOfMAABCAE0fFgoQ8IA==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone', u'customer'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts that have been scanned by a potential attacker.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Targets/Scanned List', u'createdTimestamp': 1505606333394, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone', u'Customer'], u'optimizeData': False, u'multiMap': False, u'name': u'Scanned List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference', u'ResourceReference'], u'contentVersionID': u'AAAAAgDLXhMAF5us', u'versionID': u'AAAAAgDLUnYAF5ur', u'createdTime': {u'milliSecond': 394, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Reporting Devices', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Reporting Devices" ID="HFz6JXBoBABCKyxNV2v9A2A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HFz6JXBoBABCKyxNV2v9A2A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215118, u'resourceid': u'HFz6JXBoBABCKyxNV2v9A2A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceAddress', u'DeviceHostname', u'DeviceZone', u'DeviceVendor', u'DeviceProduct', u'LastEventReceived', u'TotalCount', u'EventCountSinceLastCheck'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the devices with the total count of events, the event count since last check, and the timestamp of the last event received by the device. The active list is updated every time the Manager receives a Connector Device Status event for that device.', u'modifiedTime': {u'milliSecond': 744, u'timezoneID': u'Europe/London', u'hour': 21, u'month': 9, u'second': 14, u'year': 2017, u'day': 26, u'minute': 2}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Reporting Devices', u'createdTimestamp': 1505606360343, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}, u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Reporting Devices', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String', u'ResourceReference', u'String', u'String', u'Date', u'Long', u'Long'], u'modifiedTimestamp': 1509048134744, u'createdTime': {u'milliSecond': 343, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, True, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Critical Archive Failures', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Critical Archive Failures" ID="HHMDelDABABCX36qVVkqC2w=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HHMDelDABABCX36qVVkqC2w=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215139, u'resourceid': u'HHMDelDABABCX36qVVkqC2w==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ArchiveName', u'ArchiveCategory', u'DeviceIP', u'DeviceZone', u'SignatureID', u'EventName', u'FailureReason', u'ArchiveTime'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores archive archival failure events.', u'modifiedTime': {u'milliSecond': 750, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 9, u'second': 56, u'year': 2017, u'day': 7, u'minute': 0}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Critical Archive
 Failures', u'createdTimestamp': 1505606361208, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Critical Archive Failures', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'IPSubnet', u'String', u'String', u'String', u'String', u'Date'], u'modifiedTimestamp': 1507334456750, u'createdTime': {u'milliSecond': 208, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 21, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, False, False, False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Threat Tracking/Suspicious List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Threat Tracking/Suspicious List" ID="HIYBKPe0AABCAAdGjSMnsPw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HIYBKPe0AABCAAdGjSMnsPw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215110, u'resourceid': u'HIYBKPe0AABCAAdGjSMnsPw==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts which have performed suspicious activity, either on the local system or over the network.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Threat Tracking/Suspicious List', u'createdTimestamp': 1505606333396, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Suspicious List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAgDLrmUAF5ui', u'versionID': u'AAAAAgDLocEAF5uh', u'createdTime': {u'milliSecond': 396, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Logger/System Health/Logger Status', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Logger/System Health/Logger Status" ID="HJa0VwCQBABCBZZiy2jXu3A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HJa0VwCQBABCBZZiy2jXu3A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HJa0VwCQBABCBZZiy2jXu3A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'LoggerAddress', u'SensorType', u'SensorName', u'SensorStatus'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the status of the various hardware sensors on the Loggers. The active list stores the Logger address, the sensor type, the sensor name, and the sensor status. The Logger address is the key field. This active list is used by a set of rules to identify the overall status of a Logger.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Logger/System Health/Logger Status', u'createdTimestamp': 1505606360345, u'activeListType': u'FIELD_BASED', u'localID': 103079215119, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': True, u'name': u'Logger Status', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String', u'String', u'String'], u'contentVersionID': u'AAAAAl-+OXj+-5pf', u'versionID': u'AAAAAl-+PJH+-5pe', u'createdTime': {u'milliSecond': 345, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False]}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/ESM/Licensing/Storage Licensing Data by Connector', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/ESM/Licensing/Storage Licensing Data by Connector" ID="HKRIgjT8BABCAgSy8B+oWwA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HKRIgjT8BABCAgSy8B+oWwA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215120, u'resourceid': u'HKRIgjT8BABCAgSy8B+oWwA==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'StartTime', u'ConnectorName', u'ConnectorType', u'EventCategoryID', u'RawEventlength'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the raw event length reported by the raw event statistics events for each connector.', u'modifiedTime': {u'milliSecond': 518, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 18}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/ESM/Licensing/Storage Licensing Data by Connector', u'createdTimestamp': 1505606360346, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Storage Licensing Data by Connector', u'deprecated': False, u'fieldTypes': [u'String', u'Date', u'String', u'String', u'String', u'Long'], u'modifiedTimestamp': 1505607511518, u'createdTime': {u'milliSecond': 346, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, False, False, False, False]}, {u'entryTimeToLive': 864000000, u'reference': {u'uri': u'/All Active Lists/BASEC/12 - Auth/Basic Auth', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/12 - Auth/Basic Auth" ID="HLTq7aWABABCBEonQQ9mfrA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HLTq7aWABABCBEonQQ9mfrA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HLTq7aWABABCBEonQQ9mfrA==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'SourceAdd', u'DestinationAdd', u'RequestURL', u'HashValue'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 752, u'timezoneID': u'Europe/London', u'hour': 12, u'month': 11, u'second': 32, u'year': 2017, u'day': 22, u'minute': 5}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/12 - Auth/Basic Auth', u'createdTimestamp': 1513602420075, u'activeListType': u'FIELD_BASED', u'localID': 103079215147, u'fieldSubTypes': [u'IP', u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Basic Auth', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'IPSubnet', u'String', u'String'], u'modifiedTimestamp': 1513944332752, u'createdTime': {u'milliSecond': 75, u'timezoneID': u'Europe/London', u'hour': 13, u'month': 11, u'second': 0, u'year': 2017, u'day': 18, u'minute': 7}, u'keyFields': [False, False, False, False]}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/ESM/System Health/Resources/Query Running Time', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/ESM/System Health/Resources/Query Running Time" ID="HLZRc9yYBABC-lHtlf3-f0Q=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HLZRc9yYBABC-lHtlf3-f0Q=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 500000, u'localID': 103079215121, u'resourceid': u'HLZRc9yYBABC-lHtlf3-f0Q==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'Name', u'ResourceType', u'Path', u'StartTime', u'EventClassID', u'Status', u'Duration'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores query information used to monitor and report the query duration.', u'modifiedTime': {u'milliSecond': 538, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 30}, u'creatorName': u'admin', u'URI': u'/All Active
 Lists/ArcSight Administration/ESM/System Health/Resources/Query Running Time', u'createdTimestamp': 1505606360347, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Query Running Time', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'Date', u'String', u'String', u'Long'], u'modifiedTimestamp': 1505608231538, u'createdTime': {u'milliSecond': 347, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, False, False, False]}, {u'entryTimeToLive': 1800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Reporting Devices - Critical', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Reporting Devices - Critical" ID="HLgSPXBoBABCK9RNV2v9A2A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HLgSPXBoBABCK9RNV2v9A2A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HLgSPXBoBABCK9RNV2v9A2A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceAddress', u'DeviceHostname', u'DeviceZone', u'DeviceVendor', u'DeviceProduct', u'LastEventReceived', u'TotalCount', u'EventCountSinceLastCheck'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the devices that are considered critical, with the total count of events, the event count since last check, and the timestamp of the last event received by the device. The active list is updated every time the Manager receives a Connector Device Status event for that device.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Reporting Devices - Critical', u'createdTimestamp': 1505606360349, u'activeListType': u'FIELD_BASED', u'localID': 103079215122, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}, u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Reporting Devices - Critical', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String', u'ResourceReference', u'String', u'String', u'Date', u'Long', u'Long'], u'contentVersionID': u'AAAAAhiAnMZ+BEiw', u'versionID': u'AAAAAhiAmO5+BEiv', u'createdTime': {u'milliSecond': 349, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, True, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Devices/Whitelisted Monitored Devices', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Devices/Whitelisted Monitored Devices" ID="HLoaacUUBABCwfCaRWQMIeA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HLoaacUUBABCwfCaRWQMIeA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 100000, u'attributeInitializationInProgress': False, u'resourceid': u'HLoaacUUBABCwfCaRWQMIeA==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceHostName', u'DeviceVendor', u'DeviceProduct', u'DeviceZone', u'Customer', u'TotalEventCount', u'EventCountSLC', u'DeviceAddress', u'AgentName', u'LastEventReceived'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list includes non-critical devices that you want to exclude from monitoring. This list is populated manually. The entries never expire.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Devices/Whitelisted Monitored Devices', u'createdTimestamp': 1505606360350, u'activeListType': u'FIELD_BASED', u'localID': 103079215123, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'Zone', u'Customer', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Whitelisted Monitored Devices', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'ResourceReference', u'ResourceReference', u'Long', u'Long', u'IPSubnet', u'String', u'Date'], u'contentVersionID': u'AAAAAu+yXVe2zGO0', u'versionID': u'AAAAAu+yTgW2zGOz', u'createdTime': {u'milliSecond': 350, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, True, False, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel URLs', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel URLs" ID="HMTCR0V4BABCJEZt2q2wY3w=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HMTCR0V4BABCJEZt2q2wY3w=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HMTCR0V4BABCJEZt2q2wY3w==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'URL', u'Rank'], u'modificationCount': 0, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 35, u'timezoneID': u'Europe/London', u'hour': 7, u'month': 8, u'second': 7, u'year': 2017, u'day': 30, u'minute': 55}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel URLs', u'createdTimestamp': 1506754507035, u'activeListType': u'FIELD_BASED', u'localID': 103079215141, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'OpenSource ThreatIntel URLs', u'deprecated': False, u'fieldTypes': [u'String', u'String'], u'modifiedTimestamp': 1506754507035, u'createdTime': {u'milliSecond': 35, u'timezoneID': u'Europe/London', u'hour': 7, u'month': 8, u'second': 7, u'year': 2017, u'day': 30, u'minute': 55}, u'keyFields': [True, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Connectors', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Connectors" ID="HNsSQZB0BABCBD37GCqa7qw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HNsSQZB0BABCBD37GCqa7qw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'attributeInitializationInProgress': False, u'resourceid': u'HNsSQZB0BABCBD37GCqa7qw==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorURI', u'ConnectorAddress'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list maintains a list of connectors that are not monitored by the Connector Monitoring rules.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Connectors', u'createdTimestamp': 1505606360351, u'activeListType': u'FIELD_BASED', u'localID': 103079215124, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, u'IP'], u'optimizeData': False, u'multiMap': False, u'name': u'Black List - Connectors', u'deprecated': False, u'fieldTypes': [u'String', u'IPSubnet'], u'contentVersionID': u'AAAAAhiAsF5+BEi0', u'versionID': u'AAAAAhiArGZ+BEiz', u'createdTime': {u'milliSecond': 351, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connector Information', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connector Information" ID="HPPhtfi4BABCZpzyf0B-0Gg=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HPPhtfi4BABCZpzyf0B-0Gg=='}, u'disabled': False, u'typeName':
 u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'localID': 103079215125, u'resourceid': u'HPPhtfi4BABCZpzyf0B-0Gg==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName', u'ConnectorType', u'ConnectorHostName', u'ConnectorZone', u'ConnectorAddress', u'LoggerHostName', u'SupportInformation', u'ConnectorURI'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list maintains a list of the available information about connectors, whether they are directly connected to an ESM manager or indirectly through a Logger. Note: Information is derived from connector audit events and some information might be incomplete (blank) until the appropriate audit event arrives and is processed by the Connector Monitoring rules.', u'modifiedTime': {u'milliSecond': 484, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 10}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connector Information', u'createdTimestamp': 1505606360352, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'Zone', u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connector Information', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String', u'ResourceReference', u'IPSubnet', u'String', u'String', u'String'], u'modifiedTimestamp': 1505607031484, u'createdTime': {u'milliSecond': 352, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False, False, False, False, False, False]}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/BASEC/00 - Operational/Case TTL', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/00 - Operational/Case TTL" ID="HPfppzl4BABCRVJw6xd64Mw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HPfppzl4BABCRVJw6xd64Mw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HPfppzl4BABCRVJw6xd64Mw==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': u'compositeKey', u'modificationCount': 0, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 208, u'timezoneID': u'Europe/London', u'hour': 17, u'month': 8, u'second': 24, u'year': 2017, u'day': 29, u'minute': 13}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/00 - Operational/Case TTL', u'createdTimestamp': 1506701604208, u'activeListType': u'FIELD_BASED', u'localID': 103079215143, u'fieldSubTypes': {u'@xsi.nil': u'true'}, u'optimizeData': False, u'multiMap': False, u'name': u'Case TTL', u'deprecated': False, u'fieldTypes': u'String', u'modifiedTimestamp': 1506701604208, u'createdTime': {u'milliSecond': 208, u'timezoneID': u'Europe/London', u'hour': 17, u'month': 8, u'second': 24, u'year': 2017, u'day': 29, u'minute': 13}, u'keyFields': False}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/ESM/System Health/Resources/Invalid Resources', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/ESM/System Health/Resources/Invalid Resources" ID="HQsF2KR8BABCB-dHnQejEAg=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HQsF2KR8BABCB-dHnQejEAg=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215126, u'resourceid': u'HQsF2KR8BABCB-dHnQejEAg==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ResourceID', u'ResourceName', u'ResourceType', u'ResourceURI'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores a list of resources that become invalid. The Resource Became Invalid rule adds an entry to the active list and the Resource Became Valid rule removes the corresponding entry from the active list.', u'modifiedTime': {u'milliSecond': 831, u'timezoneID': u'Europe/London', u'hour': 9, u'month': 8, u'second': 53, u'year': 2017, u'day': 29, u'minute': 42}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/ESM/System Health/Resources/Invalid Resources', u'createdTimestamp': 1505606360354, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Invalid Resources', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String'], u'modifiedTimestamp': 1506674573831, u'createdTime': {u'milliSecond': 354, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/BASEC/07 - Threat Intelligence/Nmap Scans', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/07 - Threat Intelligence/Nmap Scans" ID="HRGaky2ABABCL9M8amUoLtg=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HRGaky2ABABCL9M8amUoLtg=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HRGaky2ABABCL9M8amUoLtg==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'IPAddress', u'Hostname', u'State', u'Ports'], u'modificationCount': 0, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 35, u'timezoneID': u'Europe/London', u'hour': 13, u'month': 0, u'second': 2, u'year': 2018, u'day': 6, u'minute': 24}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/07 - Threat Intelligence/Nmap Scans', u'createdTimestamp': 1515245042035, u'activeListType': u'FIELD_BASED', u'localID': 103079215149, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Nmap Scans', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String'], u'modifiedTimestamp': 1515245042035, u'createdTime': {u'milliSecond': 35, u'timezoneID': u'Europe/London', u'hour': 13, u'month': 0, u'second': 2, u'year': 2018, u'day': 6, u'minute': 24}, u'keyFields': [False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/BASEC/04 - System Access/Sensitive Systems', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/04 - System Access/Sensitive Systems" ID="HRfSKG18BABCAYyCQfdwC3A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HRfSKG18BABCAYyCQfdwC3A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HRfSKG18BABCAYyCQfdwC3A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'IP', u'Description'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 417, u'timezoneID': u'Europe/London', u'hour': 16, u'month': 9, u'second': 43, u'year': 2017, u'day': 14, u'minute': 40}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/04 - System Access/Sensitive Systems', u'createdTimestamp': 1507995612334, u'activeListType': u'FIELD_BASED', u'localID': 103079215144, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Sensitive Systems', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String'], u'modifiedTimestamp': 1507995643417, u'createdTime': {u'milliSecond': 334, u'timezoneID': u'Europe/London', u'hour': 16, u'month': 9, u'second': 12, u'year': 2017, u'day': 14, u'minute': 40}, u'keyFields': [True, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Caching', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Caching" ID="HRgrIpi4BABCQY591zH+Q8A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HRgrIpi4BABCQY591zH+Q8A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': False, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'localID': 103079215127, u'resourceid': u'HRgrIpi4BABCQY591zH+Q8A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName', u'ConnectorType', u'ConnectorHostName',
 u'ConnectorURI', u'ConnectorAddress', u'ConnectorZone', u'LoggerHostName', u'CacheSize', u'ThresholdSize'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores available information about connectors that have been caching for over two hours (by default).', u'modifiedTime': {u'milliSecond': 941, u'timezoneID': u'Europe/London', u'hour': 17, u'month': 11, u'second': 36, u'year': 2017, u'day': 10, u'minute': 56}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Caching', u'createdTimestamp': 1505606360355, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connectors - Still Caching', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String', u'String', u'IPSubnet', u'ResourceReference', u'String', u'Long', u'Long'], u'modifiedTimestamp': 1512928596941, u'createdTime': {u'milliSecond': 355, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False, False, False, False, False, False, False]}, {u'entryTimeToLive': 86400000, u'reference': {u'uri': u"/All Active Lists/Personal/admin's Active Lists/keyTest", u'referenceString': u'<Resource URI="/All Active Lists/Personal/admin\'s Active Lists/keyTest" ID="HSMcC9mABABCAC0OJOGsKCA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HSMcC9mABABCAC0OJOGsKCA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HSMcC9mABABCAC0OJOGsKCA==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'keyfield', u'nonkeyfield'], u'modificationCount': 0, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 206, u'timezoneID': u'Europe/London', u'hour': 18, u'month': 0, u'second': 8, u'year': 2018, u'day': 14, u'minute': 51}, u'creatorName': u'admin', u'URI': u"/All Active Lists/Personal/admin's Active Lists/keyTest", u'createdTimestamp': 1515955868206, u'activeListType': u'FIELD_BASED', u'localID': 103079215151, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'keyTest', u'deprecated': False, u'fieldTypes': [u'String', u'String'], u'modifiedTimestamp': 1515955868206, u'createdTime': {u'milliSecond': 206, u'timezoneID': u'Europe/London', u'hour': 18, u'month': 0, u'second': 8, u'year': 2018, u'day': 14, u'minute': 51}, u'keyFields': [True, False]}, {u'entryTimeToLive': 604800000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Average EPS - Last 7 Days', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Average EPS - Last 7 Days" ID="HUH5BoisBABCEObJYg6HiLQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HUH5BoisBABCEObJYg6HiLQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215128, u'resourceid': u'HUH5BoisBABCEObJYg6HiLQ==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorName', u'AverageEPS'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the average EPS for all connectors during the last seven days. The data is from a trend.', u'modifiedTime': {u'milliSecond': 390, u'timezoneID': u'Europe/London', u'hour': 11, u'month': 8, u'second': 20, u'year': 2017, u'day': 23, u'minute': 43}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/EPS/Connector Average EPS - Last 7 Days', u'createdTimestamp': 1505606360357, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connector Average EPS - Last 7 Days', u'deprecated': False, u'fieldTypes': [u'String', u'Double'], u'modifiedTimestamp': 1506163400390, u'createdTime': {u'milliSecond': 357, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False]}, {u'entryTimeToLive': 31536000000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/Configuration Changes/Connector Upgrades', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/Configuration Changes/Connector Upgrades" ID="HYNeKERgBABCAPXgkwT5NrQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HYNeKERgBABCAPXgkwT5NrQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HYNeKERgBABCAPXgkwT5NrQ==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'UpgradeTime', u'ConnectorID', u'ConnectorName', u'ConnectorVersion', u'ConnectorType', u'ConnectorAddress', u'ConnectorZone', u'Outcome', u'Reason'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores information related to successful and failed connector upgrades. When an upgrade is successful, the active list stores the Upgrade Time, Connector ID, Connector Name, Connector Version, Connector Type, Connector Address, and Connector Zone. When an upgrade fails, the active list also stores the reason for the failure. The active list is populated by the Connector Upgrade Failed and Connector Upgrade Successful rules.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/Configuration Changes/Connector Upgrades', u'createdTimestamp': 1505606360358, u'activeListType': u'FIELD_BASED', u'localID': 103079215129, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connector Upgrades', u'deprecated': False, u'fieldTypes': [u'Date', u'String', u'String', u'String', u'String', u'IPSubnet', u'ResourceReference', u'String', u'String'], u'contentVersionID': u'AAAAAhiAxtZ+BEif', u'versionID': u'AAAAAhiAwv5+BEie', u'createdTime': {u'milliSecond': 358, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False, False, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Down', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Down" ID="HYT9c4CsBABCIkeRIllKOdA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HYT9c4CsBABCIkeRIllKOdA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'localID': 103079215130, u'resourceid': u'HYT9c4CsBABCIkeRIllKOdA==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the ID and the name of the connectors that are have been down for 20 minutes or more (either a connector shut down or a heartbeat timeout). After the TTL of the Connectors - Down active list expires, the connector information is added to this list and a notification is sent to the SOC Operators to inform them that the connector has been down for more than 20 minutes. The connector is removed from the active list when it restarts or reconnects.', u'modifiedTime': {u'milliSecond': 819, u'timezoneID': u'Europe/London', u'hour': 5, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 18}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Still Down', u'createdTimestamp': 1505606360359, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connectors - Still Down', u'deprecated': False, u'fieldTypes': [u'String', u'String'], u'modifiedTimestamp': 1505621911819, u'createdTime': {u'milliSecond': 359, u'timezoneID': u'Europe/London',
 u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False]}, {u'entryTimeToLive': 7200000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Caching', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Caching" ID="HZ4nCpi4BABCP+p91zH+Q8A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HZ4nCpi4BABCP+p91zH+Q8A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'localID': 103079215131, u'resourceid': u'HZ4nCpi4BABCP+p91zH+Q8A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName', u'ConnectorType', u'ConnectorHostName', u'ConnectorURI', u'ConnectorAddress', u'ConnectorZone', u'LoggerHostName', u'CacheSize', u'ThresholdSize'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores information about the connectors that are currently caching events. A connector is removed from the active list when the cache is empty again or when it has been caching for more than two hours (by default).', u'modifiedTime': {u'milliSecond': 499, u'timezoneID': u'Europe/London', u'hour': 8, u'month': 8, u'second': 15, u'year': 2017, u'day': 30, u'minute': 32}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Caching', u'createdTimestamp': 1505606360361, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connectors - Caching', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String', u'String', u'IPSubnet', u'ResourceReference', u'String', u'Long', u'Long'], u'modifiedTimestamp': 1506756735499, u'createdTime': {u'milliSecond': 361, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False, False, False, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Devices/Critical Devices', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Devices/Critical Devices" ID="HZoBh1EUBABCKGhabVkkDug=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HZoBh1EUBABCKGhabVkkDug=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 100000, u'attributeInitializationInProgress': False, u'resourceid': u'HZoBh1EUBABCKGhabVkkDug==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceHostName', u'DeviceAddress'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is populated manually and used by the Critical Monitored Devices rule first. If the rule finds a match, it updates the Critical Monitored Devices active list, which in turn is used by queries to retrieve critical device activity information by dashboards and reports.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Devices/Critical Devices', u'createdTimestamp': 1505606360362, u'activeListType': u'FIELD_BASED', u'localID': 103079215132, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, u'IP'], u'optimizeData': False, u'multiMap': False, u'name': u'Critical Devices', u'deprecated': False, u'fieldTypes': [u'String', u'IPSubnet'], u'contentVersionID': u'AAAAAu+1LMa2zGOo', u'versionID': u'AAAAAu+1H2e2zGOn', u'createdTime': {u'milliSecond': 362, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Devices/Critical Monitored Devices', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Devices/Critical Monitored Devices" ID="Hc6edcUUBABCwyN0Sez5rng=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'Hc6edcUUBABCwyN0Sez5rng=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 100000, u'attributeInitializationInProgress': False, u'resourceid': u'Hc6edcUUBABCwyN0Sez5rng==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceHostName', u'DeviceVendor', u'DeviceProduct', u'DeviceZone', u'Customer', u'TotalEventCount', u'EventCountSLC', u'DeviceAddress', u'AgentName', u'LastEventReceived'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is populated manually at first and then updated by the Critical Monitored Devices rule. The entries in this active list never expire, and are used by queries to retrieve critical device activity information by dashboards and reports.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Devices/Critical Monitored Devices', u'createdTimestamp': 1505606360363, u'activeListType': u'FIELD_BASED', u'localID': 103079215133, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'Zone', u'Customer', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Critical Monitored Devices', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'ResourceReference', u'ResourceReference', u'Long', u'Long', u'IPSubnet', u'String', u'Date'], u'contentVersionID': u'AAAAAu+yeCu2zGO2', u'versionID': u'AAAAAu+ybNy2zGO1', u'createdTime': {u'milliSecond': 363, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, True, False, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Attackers/Trusted List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Attackers/Trusted List" ID="HdgWkQfsAABCB-RHAUwsmgg=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HdgWkQfsAABCB-RHAUwsmgg=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215111, u'resourceid': u'HdgWkQfsAABCB-RHAUwsmgg==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is to be manually populated with the addresses of trusted systems that are typically used for security scanning.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Attackers/Trusted List', u'createdTimestamp': 1505606333408, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Trusted List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAqw2neyR+4-1', u'versionID': u'AAAAAqw26aSR+4-0', u'createdTime': {u'milliSecond': 408, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Tuning/User-based Rule Exclusions', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Tuning/User-based Rule Exclusions" ID="He2zyZB0BABCCEH7GCqa7qw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'He2zyZB0BABCCEH7GCqa7qw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215112, u'resourceid': u'He2zyZB0BABCCEH7GCqa7qw==', u'isAdditionalLoaded': False, u'fieldNames': [u'targetNtDomain', u'targetUserId', u'targetUserName'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains target user information of specific users to be excluded from certain rule
 conditions where the rule tracks user activity.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Tuning/User-based Rule Exclusions', u'createdTimestamp': 1505606333410, u'activeListType': u'EVENT_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'User-based Rule Exclusions', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String'], u'contentVersionID': u'AAAAAHLb9Ce1vFm2', u'versionID': u'AAAAAHLb5ne1vFm1', u'createdTime': {u'milliSecond': 410, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Threat Tracking/Reconnaissance List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Threat Tracking/Reconnaissance List" ID="Hgl2RPe0AABCAAY+kzt4gbA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'Hgl2RPe0AABCAAY+kzt4gbA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215113, u'resourceid': u'Hgl2RPe0AABCAAY+kzt4gbA==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains IP addresses of hosts which have performed reconaissance activity. ', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Threat Tracking/Reconnaissance List', u'createdTimestamp': 1505606333411, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Reconnaissance List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAgDLuTgAF5um', u'versionID': u'AAAAAgDLvWMAF5ul', u'createdTime': {u'milliSecond': 411, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 1209600000, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Threat Tracking/Compromised List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Threat Tracking/Compromised List" ID="HgllRPe0AABCAAY+kzt4gbA=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HgllRPe0AABCAAY+kzt4gbA=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215114, u'resourceid': u'HgllRPe0AABCAAY+kzt4gbA==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone', u'customer'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list contains hosts that may have been compromised by an attack.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Threat Tracking/Compromised List', u'createdTimestamp': 1505606333412, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone', u'Customer'], u'optimizeData': False, u'multiMap': False, u'name': u'Compromised List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference', u'ResourceReference'], u'contentVersionID': u'AAAAAkLZbXqI0rY-', u'versionID': u'AAAAAkLZdxSI0rY+', u'createdTime': {u'milliSecond': 412, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Actor Data Support/Account Authenticators', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Actor Data Support/Account Authenticators" ID="HiFXLoicBABCA7XaJz9atdQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HiFXLoicBABCA7XaJz9atdQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215115, u'resourceid': u'HiFXLoicBABCA7XaJz9atdQ==', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceVendor', u'DeviceProduct', u'AgentAddress', u'AgentZoneResource', u'Authenticator'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is used by the actor global variables to determine the Identity Management authenticator, based on the event, so that an actor can be determined from event information.', u'modifiedTime': {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Actor Data Support/Account Authenticators', u'createdTimestamp': 1505606333413, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', u'Zone', {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Account Authenticators', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'IPSubnet', u'ResourceReference', u'String'], u'contentVersionID': u'AAAAAiwNo+Y6txz+', u'versionID': u'AAAAAiwNoB46txz9', u'createdTime': {u'milliSecond': 413, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [True, True, True, True, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Archive Task Failures', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Archive Task Failures" ID="Hiz1vlDABABCCZh-AzO0hdw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'Hiz1vlDABABCCZh-AzO0hdw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'Hiz1vlDABABCCZh-AzO0hdw==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ArchiveName', u'ArchiveCategory', u'DeviceIP', u'DeviceZone', u'SignatureID', u'EventName', u'FailureReason', u'ArchiveTime'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores archive task failure events, which include activation, deactivation, and scheduling.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/ESM/System Health/Storage/CORR-Engine/Archive Task Failures', u'createdTimestamp': 1505606361210, u'activeListType': u'FIELD_BASED', u'localID': 103079215140, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Archive Task Failures', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'IPSubnet', u'String', u'String', u'String', u'String', u'Date'], u'contentVersionID': u'AAAAAu83fbXt1lL2', u'versionID': u'AAAAArmhAiTvE+Vm', u'createdTime': {u'milliSecond': 210, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 21, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight System/Attackers/Untrusted List', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight System/Attackers/Untrusted List" ID="HkJyjQfsAABCBv8WZ6-B1EQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HkJyjQfsAABCBv8WZ6-B1EQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606340859, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215116, u'resourceid': u'HkJyjQfsAABCBv8WZ6-B1EQ==', u'isAdditionalLoaded': False, u'fieldNames': [u'address', u'zone'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is to be manually populated with the addresses of known malicious systems.', u'modifiedTime':
 {u'milliSecond': 859, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 0, u'year': 2017, u'day': 17, u'minute': 59}, u'URI': u'/All Active Lists/ArcSight System/Attackers/Untrusted List', u'createdTimestamp': 1505606333415, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [u'IP', u'Zone'], u'optimizeData': False, u'multiMap': False, u'name': u'Untrusted List', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'ResourceReference'], u'contentVersionID': u'AAAAAqw2gJSR+4-9', u'versionID': u'AAAAAqw2gJSR+4-8', u'createdTime': {u'milliSecond': 415, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 53, u'year': 2017, u'day': 17, u'minute': 58}, u'keyFields': [False, False]}, {u'entryTimeToLive': 1200000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Down', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Down" ID="HnWoMcBkBABCBOMUyo9Ug3A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HnWoMcBkBABCBOMUyo9Ug3A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'localID': 103079215134, u'resourceid': u'HnWoMcBkBABCBOMUyo9Ug3A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the IDs and names of connectors that are currently down (either a connector shut down or a heartbeat timeout). After the TTL of the active list expires, the connector information is added to the Connectors Still Down active list and a notification is sent to the SOC Operators to inform them that the connector has been down for 20 or more minutes. The connector is removed from the active list when it restarts or reconnects.', u'modifiedTime': {u'milliSecond': 493, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 10}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Down', u'createdTimestamp': 1505606360364, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connectors - Down', u'deprecated': False, u'fieldTypes': [u'String', u'String'], u'modifiedTimestamp': 1505607031493, u'createdTime': {u'milliSecond': 364, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False]}, {u'entryTimeToLive': 86400000, u'reference': {u'uri': u'/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel IP Address', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel IP Address" ID="HoJJyzV4BABCCwrWnx5elSQ=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HoJJyzV4BABCCwrWnx5elSQ=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 100000, u'attributeInitializationInProgress': False, u'resourceid': u'HoJJyzV4BABCCwrWnx5elSQ==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'IP', u'ListName', u'Description'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 855, u'timezoneID': u'Europe/London', u'hour': 8, u'month': 8, u'second': 55, u'year': 2017, u'day': 30, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/07 - Threat Intelligence/OpenSource ThreatIntel IP Address', u'createdTimestamp': 1506685390676, u'activeListType': u'FIELD_BASED', u'localID': 103079215142, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'OpenSource ThreatIntel IP Address', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String', u'String'], u'modifiedTimestamp': 1506758395855, u'createdTime': {u'milliSecond': 676, u'timezoneID': u'Europe/London', u'hour': 12, u'month': 8, u'second': 10, u'year': 2017, u'day': 29, u'minute': 43}, u'keyFields': [True, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Reverse Look Up', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Reverse Look Up" ID="HomDyvy4BABCEU5rDGdtA5g=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HomDyvy4BABCEU5rDGdtA5g=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 2000, u'localID': 103079215135, u'resourceid': u'HomDyvy4BABCEU5rDGdtA5g==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorURI', u'ConnectorID'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores look-up data to enable the rules to update the connector connection and caching status displays when a connector is added to the Black List - Connectors active list. Note: This list should contain all the information that is also included in the Connector Information active list. This active list links the information in the Black List - Connectors active list to the information in the Connector Information active list. The connectors listed in the Black List - Connectors active list are the only ones not processed by the Connector Monitoring rules. Do not edit the entries in this list unless you are sure that an entry is no longer valid (and can be removed).', u'modifiedTime': {u'milliSecond': 498, u'timezoneID': u'Europe/London', u'hour': 1, u'month': 8, u'second': 31, u'year': 2017, u'day': 17, u'minute': 10}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Custom/Black List - Reverse Look Up', u'createdTimestamp': 1505606360366, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Black List - Reverse Look Up', u'deprecated': False, u'fieldTypes': [u'String', u'String'], u'modifiedTimestamp': 1505607031498, u'createdTime': {u'milliSecond': 366, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Dropping Events', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Dropping Events" ID="Hr5nFpi4BABCQH591zH+Q8A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'Hr5nFpi4BABCQH591zH+Q8A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000, u'attributeInitializationInProgress': False, u'resourceid': u'Hr5nFpi4BABCQH591zH+Q8A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'ConnectorID', u'ConnectorName', u'ConnectorType', u'ConnectorHostName', u'ConnectorURI', u'ConnectorAddress', u'ConnectorZone', u'LoggerHostName', u'CacheSize', u'DroppedCount', u'CurrentDroppedCount'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the connectors that are currently dropping events (for example, when the cache is full). The connector is removed from the active list when the cache is empty again.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Connectors/System Health/Connectors - Dropping Events', u'createdTimestamp': 1505606360367, u'activeListType': u'FIELD_BASED', u'localID': 103079215136, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', u'Zone', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'Connectors - Dropping Events', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String', u'String', u'IPSubnet', u'ResourceReference', u'String', u'Long', u'Long', u'Long'], u'contentVersionID': u'AAAAAtmUdckYOkK6', u'versionID': u'AAAAAtmUcSwYOkK5', u'createdTime': {u'milliSecond': 367, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, False, False, False, False, False, False, False, False, False, False]}, {u'entryTimeToLive': 86400000, u'reference': {u'uri': u'/All Active Lists/BASEC/07 - Threat
 Intelligence/test', u'referenceString': u'<Resource URI="/All Active Lists/BASEC/07 - Threat Intelligence/test" ID="HyaXA8WABABCCfXzPBUgIjw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HyaXA8WABABCCfXzPBUgIjw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 1000000, u'attributeInitializationInProgress': False, u'resourceid': u'HyaXA8WABABCCfXzPBUgIjw==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'f1', u'f2', u'f3', u'f4', u'f5', u'f6', u'f7'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'modifiedTime': {u'milliSecond': 241, u'timezoneID': u'Europe/London', u'hour': 23, u'month': 0, u'second': 34, u'year': 2018, u'day': 13, u'minute': 2}, u'creatorName': u'admin', u'URI': u'/All Active Lists/BASEC/07 - Threat Intelligence/test', u'createdTimestamp': 1515884423511, u'activeListType': u'FIELD_BASED', u'localID': 103079215150, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'test', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'String', u'String', u'String', u'String'], u'modifiedTimestamp': 1515884554241, u'createdTime': {u'milliSecond': 511, u'timezoneID': u'Europe/London', u'hour': 23, u'month': 0, u'second': 23, u'year': 2018, u'day': 13, u'minute': 0}, u'keyFields': [False, False, False, False, False, False, False]}, {u'entryTimeToLive': 31536000000, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Devices/All Monitored Devices', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Devices/All Monitored Devices" ID="HycbNbEUBABCBKGt8PZShUw=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HycbNbEUBABCBKGt8PZShUw=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 100000, u'localID': 103079215137, u'resourceid': u'HycbNbEUBABCBKGt8PZShUw==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'DeviceHostName', u'DeviceVendor', u'DeviceProduct', u'DeviceZone', u'Customer', u'TotalEventCount', u'EventCountSLC', u'DeviceAddress', u'AgentName', u'LastEventReceived'], u'modificationCount': 2, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list is populated by the All Monitored Devices rule. The active list stores entries for 365 days and is used by queries to retrieve device activity information by dashboards and reports.', u'modifiedTime': {u'milliSecond': 816, u'timezoneID': u'Europe/London', u'hour': 21, u'month': 9, u'second': 14, u'year': 2017, u'day': 26, u'minute': 17}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Devices/All Monitored Devices', u'createdTimestamp': 1505606360368, u'activeListType': u'FIELD_BASED', u'attributeInitializationInProgress': False, u'fieldSubTypes': [{u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'Zone', u'Customer', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': False, u'name': u'All Monitored Devices', u'deprecated': False, u'fieldTypes': [u'String', u'String', u'String', u'ResourceReference', u'ResourceReference', u'Long', u'Long', u'IPSubnet', u'String', u'Date'], u'modifiedTimestamp': 1509049034816, u'createdTime': {u'milliSecond': 368, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, True, True, True, False, False, False, False, False]}, {u'entryTimeToLive': 0, u'reference': {u'uri': u'/All Active Lists/ArcSight Administration/Logger/System Health/Logger Sensor Type Status', u'referenceString': u'<Resource URI="/All Active Lists/ArcSight Administration/Logger/System Health/Logger Sensor Type Status" ID="HzBMVwCQBABCBZJiy2jXu3A=="/>', u'isModifiable': True, u'referenceName': u'ActiveList', u'referenceType': 24, u'managerID': u'MQojjV4BABCAW-naM1oL1w==', u'id': u'HzBMVwCQBABCBZJiy2jXu3A=='}, u'disabled': False, u'typeName': u'ActiveList', u'inactive': False, u'modifiedTimestamp': 1505606374419, u'inCache': True, u'initialized': True, u'timePartitioned': False, u'capacity': 10000, u'attributeInitializationInProgress': False, u'resourceid': u'HzBMVwCQBABCBZJiy2jXu3A==', u'modifierName': u'admin', u'isAdditionalLoaded': False, u'fieldNames': [u'LoggerAddress', u'SensorType', u'SensorName', u'SensorStatus'], u'modificationCount': 1, u'caseSensitiveType': u'CASE_SENSITIVE', u'state': 2, u'type': 24, u'partialCache': False, u'description': u'This active list stores the status of the various hardware sensors on the Loggers. The active list stores the Logger address, the sensor type, the sensor name, and the sensor status. The Logger address and the sensor type are the key fields. This active list is used by a set of rules to identify the status of a sensor type for a Logger.', u'modifiedTime': {u'milliSecond': 419, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 34, u'year': 2017, u'day': 17, u'minute': 59}, u'creatorName': u'admin', u'URI': u'/All Active Lists/ArcSight Administration/Logger/System Health/Logger Sensor Type Status', u'createdTimestamp': 1505606360369, u'activeListType': u'FIELD_BASED', u'localID': 103079215138, u'fieldSubTypes': [u'IP', {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}, {u'@xsi.nil': u'true'}], u'optimizeData': False, u'multiMap': True, u'name': u'Logger Sensor Type Status', u'deprecated': False, u'fieldTypes': [u'IPSubnet', u'String', u'String', u'String'], u'contentVersionID': u'AAAAAl-+2DL+-5pl', u'versionID': u'AAAAAl-+3z7+-5pk', u'createdTime': {u'milliSecond': 369, u'timezoneID': u'Europe/London', u'hour': 0, u'month': 8, u'second': 20, u'year': 2017, u'day': 17, u'minute': 59}, u'keyFields': [True, True, False, False]}]}}
  • logout
    A simple GET call to https://esm:8443/www/core-service/rest/LoginService/logout?authToken='+authToken+'&alt=json will logout of the system, no JSON object is returned.

Get Entries

Link to script - get.py

Output from script:

192.168.3.8,connectors,up,PORT   STATE SERVICE22/tcp open  ssh
192.168.3.9,esm,up,PORT     STATE SERVICE22/tcp   open  ssh8443/tcp open  https-alt9000/tcp open  cslistenerMAC Address: 00:0C:29:A7:D8:F6 (VMware)

Corresponding ActiveList:
img

Pseudocode:

authToken = authenticate() #Authenticates with the ESM and receives a token for use with future calls
entries = getEntries(authToken, "HRGaky2ABABCL9M8amUoLtg==") #Returns all of the entries in an activelist
logout(authToken) #Invalidates the authToken and logs out from the ESM

Call descriptions (over and above those described previously):

  • getEntries
    This is a POST request made to https://esm:8443/www/manager-service/rest/ActiveListService/getEntries with the following JSON object:
{
	"act.getEntries" : {
	"act.authToken" : 'Iyj4_u7_TeXauTQLQwfYXLG-2MZs-8BTmjybSmKqkys.',
	"act.resourceId" : 'HRGaky2ABABCL9M8amUoLtg=='
	}
	}

This will result in the following JSON response from the ESM which can be decoded in any way needed to present back to the user. In the provided script I have chosen to format in csv:

{u'act.getEntriesResponse': {u'act.return': {u'entryList': [{u'entry': [u'123.123.123.123', u'testhost', u'up', u'123/udp\t22/tcp\t80/tcp']}, {u'entry': [u'222.222.222.222', u'testhost2', u'down', u'21/tcp']}, {u'entry': [u'test1', u' test2', u' test3', u' test4']}, {u'entry': [123, 1232, 12313123, 4414214]}], u'columns': [u'IPAddress', u'Hostname', u'State', u'Ports']}}}

Writing Entries

Link to script - populate.py
Sample csv file for entries to add - toadd.csv

Output from script:

[+] Loading /home/bas/Documents/basecdev/assets/files/arcsight-api-activelists//toadd.csv
[+] 4 column(s) identified
[+] 2 row(s) identified
[+] Printing first 2 lines ... 
['68.68.68.68', 'newhosttoadd1', 'down', 'test entry']
['69.69.69.69', 'newhosttoadd2', 'down', 'test entry']
[+] Number of columns match!

Corresponding ActiveList:
img

Pseudocode:

authToken = authenticate() #Authenticates with the ESM and receives a token for use with future calls
al_col_count, json_values = getEntries(authToken, "HRGaky2ABABCL9M8amUoLtg==") #Retrieves the entries from the ActiveList which we wish to populate, checks field count, and extracts necessary JSON for following call
print addEntries(authToken, "HRGaky2ABABCL9M8amUoLtg==", json_values, csv_values) #Constructs the JSON required, and passes through the csv values to submit to the ESM
logout(authToken) #Invalidates the authToken and logs out from the ESM

Call descriptions (over and above those described previously):

  • addEntries
    This is a POST request made to https://esm:8443/www/manager-service/rest/ActiveListService/getEntries with the following JSON object:
{
	"act.addEntries" : {
	"act.authToken" : 'zNds1sTKJc04FB_O3bpa4hACX8xRGT6If5WU1dCjXAE.',
	"act.resourceId" : 'HRGaky2ABABCL9M8amUoLtg==',
	"act.entryList" :
        {
            "columns": [
    "IPAddress", 
    "Hostname", 
    "State", 
    "Ports"
],
            "entryList": [
                { "entry": ['68.68.68.68', 'newhosttoadd1', 'down', ' ']},
{ "entry": ['69.69.69.69', 'newhosttoadd2', 'down', ' ']},

            ]
	}
        }
       }

There is no response from the ESM following a successful call, however the ActiveList now has the following entries…

Delete Entries

Link to script - delete.py
Sample csv file for entries to delete - todel.csv

Output from script:

[+] Loading /home/bas/Documents/basecdev/assets/files/arcsight-api-activelists//todel.csv
[+] 4 column(s) identified
[+] 1 row(s) identified
[+] Printing first 1 lines ... 
['69.69.69.69', 'newhosttoadd2', 'down', 'test entry']
[+] Number of columns match!

Corresponding ActiveList:
img

Pseudocode:

authToken = authenticate() #Authenticates with the ESM and receives a token for use with future calls
al_col_count, json_values = getEntries(authToken, "HRGaky2ABABCL9M8amUoLtg==") #Retrieves the entries from the ActiveList which we wish to populate, checks field count, and extracts necessary JSON for following call
print deleteEntries(authToken, "HRGaky2ABABCL9M8amUoLtg==", json_values, csv_values)
logout(authToken) #Invalidates the authToken and logs out from the ESM

Call descriptions (over and above those described previously):

  • deleteEntries
    This is a POST request made to https://esm:8443/www/manager-service/rest/ActiveListService/deleteEntries with the following JSON object:
{
        "act.deleteEntries" : {
        "act.authToken" : 'G49BSwONGMlKGygtf7pj-gc02sBNsAsvDxo-l2mA1cg.',
        "act.resourceId" : 'HRGaky2ABABCL9M8amUoLtg==',
        "act.entryList" :
        {
            "columns": [
    "IPAddress", 
    "Hostname", 
    "State", 
    "Ports"
],
            "entryList": [
                { "entry": ['69.69.69.69', 'newhosttoadd2', 'down', ' ']},

            ]
        }
        }
       }

There is no response from the ESM following a successful call, however the ActiveList now has the following entries…