Auto ingest ArcSight saved searches

Hello All,


Given search parameters stored within an XML structure, how does one go about ingesting saved searches [Not events] into ArcSight ESM?


I am trying to help out a colleague of mine by making it simpler to automatically ingest the many potent saved searches / correlations that I have developed to guard over my enterprise environment.

I’d like to develop an XML parser to MySQL translator that can update the requisite database(s) accordingly. My problem is that I don’t know ArcSight’s ‘insides’ well enough (e.g., which database(s), SQL statements or stored procedures to interface with). If anyone can please tell me the pieces, I can write the software to make it work. I am most happy to share the finished product with the group! Thanks in advance for sharing your expertise.

Kind Regards,


  • 1) ESM does not have saved searches, only Logger does. Well, of course, the built-in Logger in new ESM 6.x does, if you mean this. But saved searches are not (yet?) used in ESM anyway.

    2) Direct connections to and modifications of the database are not supported; it is not allowed.

    3) ESM and Logger have standard procedures for importing content (filters, searches, rules, reports, etc.) and you should use those procedures. They are described in the admin and user guides for each product.

  • Thanks for the response, Ivan. I'll take a look through the admin guides and see if I can find anything useful. I'd still like to develop a translator app though - part of my learning curve on most software tools usually entails developing custom, 'non-supported' add-on capabilities...I'm looking to do the same thing here. It helps keep my interest and also looks good come performance time, if you know what I mean. That said, if you're willing/able to help me delve into the inner workings of the database(s) and their manipulation, I would greatly appreciate it. I understand the risk involved - thanks again for weighing in.

  • Verified Answer

    Here is a presentation (with video available) describing some inner structure of CORR Engine:

    Here are also some documents/topics which may help you to achieve your goal without dirty 'hacks':

    Also, you could contact support and request more detailed/up-to-date documentation on the API and other integration options.