diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index e4fdba9c6..9ca379498 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -1,54 +1,79 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Endpoints: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves device metadata (e.g., device details) from CyberX and + attaches it to the entity. This matches the 'Enrich Asset' category. It does + not perform threat intelligence lookups (Enrich IOC) or other operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches **Hostname** and **IP Address** entities with comprehensive device information - retrieved from the CyberX platform. This action helps security analysts gain visibility - into OT/IoT devices by providing context such as device type, vendor, and operating - system directly within the Google SecOps environment. + Enriches Hostname and Address entities using the CyberX platform. This action + retrieves detailed device information, such as device metadata, from CyberX to + provide context about endpoints within the network. It helps analysts understand + the nature of the devices involved in an alert by populating entity properties + and adding a data table to the entity. ### Parameters Description - There are no parameters for this action. - + | Parameter Name | Description | Type | Mandatory | - ### Additional Notes + | :--- | :--- | :--- | :--- | - The action enriches entities by adding custom properties prefixed with `CX_` and - attaching a detailed data table to each successfully matched entity. + | None | This action does not have any specific input parameters; it relies on + the integration's global configuration. | N/A | N/A | ### Flow Description - 1. **Initialization**: Establishes a connection to the CyberX API using the integration's - configuration (API Root and Access Token). + 1. **Authentication**: Initializes the CyberX manager using the API Root and Access + Token provided in the integration configuration. + + 2. **Entity Filtering**: Iterates through the `target_entities` and filters for + entities of type `ADDRESS` (IP) and `HOSTNAME`. - 2. **Entity Filtering**: Identifies all Hostname and IP Address entities within - the current alert context. + 3. **Data Retrieval**: For each valid entity, the action queries the CyberX API + to find a matching device record using either the IP address or the hostname. - 3. **Data Retrieval**: For each entity, it queries the CyberX API to find matching - device records based on the IP address or hostname. + 4. **Enrichment**: If a device record is found, the action: + * Adds a data table to the entity containing the raw device information. + * Updates the entity's `additional_properties` with the retrieved data, prefixed + with 'CX_'. + 5. **Completion**: Returns a success message indicating which entities were enriched. - 4. **Enrichment**: - - Updates the entity's `additional_properties` with the flattened device data. - - Adds a formatted data table to the entity for quick reference in the UI. - 5. **Reporting**: Summarizes the enrichment results and logs any errors encountered - during the process. + + ### Additional Notes + + * This action performs a lookup against all devices known to the CyberX instance. + If a large number of devices exist, performance may be impacted by the underlying + API call to fetch all devices. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,10 +84,18 @@ Enrich Endpoints: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enriched device information - from CyberX and adds an entity data table to the entity's view. + Updates entity additional properties and adds an entity table with device information. + reasoning: >- + The action fetches device data from CyberX based on IP or Hostname. It updates + the entity's additional properties and adds a data table to the entity. It does + not mutate external systems. The internal mutation (updating entity properties) + is permitted for enrichment actions. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (CyberX) and updates internal + entity properties. It does not mutate external systems. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -80,25 +113,59 @@ Enrich Endpoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `ADDRESS` + and `HOSTNAME` types explicitly. Get Alerts: - ai_description: "### General Description\nThe **Get Alerts** action retrieves a\ - \ comprehensive list of all security alerts detected by the CyberX XSense platform.\ - \ This action is primarily used for visibility and reporting, allowing security\ - \ analysts to pull the current state of alerts from the CyberX environment into\ - \ Google SecOps for further review or documentation.\n\n### Parameters Description\n\ - There are no input parameters for this action.\n\n### Additional Notes\nThis action\ - \ does not operate on specific entities; it performs a global fetch of all alerts\ - \ available in the CyberX system. The results are presented both as a formatted\ - \ data table and as a raw JSON object.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the CyberX manager using the API Root, Access Token,\ - \ and SSL verification settings from the integration configuration.\n2. **API\ - \ Request**: It executes a GET request to the CyberX `/api/v1/alerts` endpoint\ - \ to retrieve the list of alerts.\n3. **Data Processing**: \n - If alerts are\ - \ retrieved, the action flattens the dictionary objects and constructs a CSV-formatted\ - \ data table titled \"Result ALerts\".\n - It calculates the total count of\ - \ alerts found for the output message.\n4. **Output**: The action returns the\ - \ count of alerts in the execution summary and provides the full list of alerts\ - \ in JSON format for use in downstream playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches a list of alerts from the CyberX platform. This matches the + 'Get Alert Information' category as it retrieves alert data from the 3rd party + product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description\nThe **Get Alerts** action retrieves a comprehensive list + of all security alerts currently detected by the CyberX XSense platform. This + action provides visibility into external security events by pulling them into + the Google SecOps environment for analysis and reporting.\n\n### Parameters Description\nThere + are no input parameters for this action. It utilizes the global integration configuration + (API Root and Access Token) to authenticate and communicate with the CyberX API.\n\n### + Flow Description\n1. **Initialization**: The action initializes the CyberX manager + using the provided API credentials and SSL settings.\n2. **Data Retrieval**: It + executes a GET request to the `/api/v1/alerts` endpoint to fetch the full list + of alerts from the CyberX instance.\n3. **Data Processing**: If alerts are found, + the action flattens the JSON response and formats it into a CSV-compatible structure.\n4. + **Output Generation**: \n * A data table titled 'Result ALerts' is added to + the action results for display in the SOAR UI.\n * The raw JSON data of all + alerts is returned as the script result.\n * An output message is generated + stating the total number of alerts retrieved.\n\n### Additional Notes\nThis is + a global retrieval action and does not operate on specific entities within a case. capabilities: can_create_case_comments: false can_create_insight: false @@ -109,8 +176,18 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve alerts from the CyberX API. It + does not modify any external systems or internal SOAR data (entities, insights, + or case comments). It simply returns the retrieved data as a table and JSON + result. categories: enrichment: false + reasoning: >- + The action is a global retrieval task that fetches a list of alerts. It does + not enrich specific entities or alerts, nor does it perform any allowed internal + mutations (like creating insights or adding comments). Therefore, it is not + classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -126,60 +203,106 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or filter any entities. It is a global retrieval + action. Get Connections for Endpoint: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves network connections for a device, which provides contextual + metadata about the asset, matching 'Enrich Asset'. It also performs a lookup + to find the device ID in CyberX, which matches 'Search Asset'. It does not perform + any IOC enrichment, alert updates, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves a list of network connections for specific endpoints (IP addresses or - Hostnames) from the CyberX platform. This action helps security analysts understand - the network activity and communication patterns of a device by fetching its connection - history and displaying it directly within the Google SecOps entity context. - - - ### Parameters + The **Get Connections for Endpoint** action retrieves a comprehensive list of + network connections associated with specific devices from the CyberX platform. + This action is designed for visibility and forensic investigation, allowing analysts + to identify which other assets or external addresses a device has communicated + with. The retrieved connection data is presented as an entity table attached to + the respective entity within the Google SecOps case. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Parameters Description - | N/A | N/A | N/A | This action does not require any input parameters. | + There are no input parameters for this action. ### Additional Notes - * The action requires a valid API Root and Access Token configured in the CyberX - integration settings. + * The action first resolves the entity to a CyberX Device ID before fetching connection + data. - * It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entity types. + * If a device is not found in CyberX for a given entity, an error will be logged + for that specific entity, but the action will continue to process others. ### Flow Description - 1. **Entity Filtering**: The action identifies all target entities in the current - context that are either IP Addresses or Hostnames. + 1. **Entity Filtering:** The action identifies all `ADDRESS` and `HOSTNAME` entities + in the current context. - 2. **Device Identification**: For each identified entity, the action queries the - CyberX API to find the corresponding internal Device ID based on the IP or Hostname. + 2. **Device Resolution:** For each entity, it queries the CyberX API to find the + internal `device_id` by matching the IP address or hostname. - 3. **Connection Retrieval**: Once the Device ID is obtained, the action fetches - the list of network connections associated with that device from CyberX. + 3. **Connection Retrieval:** Using the resolved `device_id`, it fetches all recorded + network connections from the CyberX `/api/v1/devices/{device_id}/connections` + endpoint. - 4. **Data Enrichment**: The retrieved connection data is flattened and attached - as a data table to the respective entity in Google SecOps for easy review. + 4. **Data Presentation:** The retrieved connection data is flattened and added + as an Entity Table to the respective entity in the Google SecOps case for analyst + review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false + can_mutate_internal_data: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the entity in Google SecOps containing the network connection - information retrieved from CyberX. + internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the CyberX API to retrieve network connection + data for specific devices. It does not perform any POST, PUT, or DELETE operations + on external systems, so it does not mutate external data. It updates the entity + profile by adding an entity table, which is a standard enrichment operation + and not considered a destructive internal mutation. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (network connections) about + an asset (device) and present it within the SOAR platform. It does not mutate + external systems, nor does it perform unauthorized internal mutations. It fits + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -197,63 +320,98 @@ Get Connections for Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using a + list comprehension that checks if `entity.entity_type` is either `ADDRESS` or + `HOSTNAME`. Therefore, it explicitly filters by entity type. Get Device Vulnerability Report: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves vulnerability reports for assets, which provides contextual + metadata about the device. This matches the 'Enrich Asset' category. It does + not perform IOC enrichment, alert updates, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Get Device Vulnerability Report** action retrieves detailed vulnerability - information for specific endpoints from the CyberX platform. It allows security - analysts to see the security posture and known vulnerabilities of devices identified - as IP addresses or Hostnames within a case, providing critical context for incident - response and risk assessment. + information for specific endpoints (Hostnames or IP Addresses) from the CyberX + platform. This action provides security analysts with immediate context regarding + the security posture and known weaknesses of devices involved in an alert, helping + to prioritize response efforts based on the risk level of the affected assets. ### Parameters Description - There are no user-configurable parameters for this action. It relies on the global - CyberX integration configuration, specifically the **API Root**, **Access Token**, - and **Verify SSL** settings. + There are no parameters for this action. ### Flow Description - 1. **Authentication**: The action initializes a connection to the CyberX API using - the configured credentials. - - 2. **Entity Filtering**: It identifies and filters the target entities in the - current SOAR context, focusing exclusively on `ADDRESS` (IP) and `HOSTNAME` types. + 1. **Entity Filtering**: The action identifies all `HOSTNAME` and `ADDRESS` (IP) + entities within the current case scope. - 3. **Data Retrieval**: The action performs a single GET request to the CyberX - `/api/v1/reports/vulnerabilities/devices` endpoint to fetch the master list of - all device vulnerability reports. + 2. **Data Retrieval**: It performs a single API call to fetch the complete list + of device vulnerability reports from the CyberX platform. - 4. **Matching Logic**: It iterates through the filtered entities and attempts - to match each one against the retrieved reports. Matching is performed by IP address - for `ADDRESS` entities and by device name for `HOSTNAME` entities. + 3. **Matching Logic**: + * For **IP Address** entities, the action iterates through the reports to + find a match within the `ipAddresses` field. + * For **Hostname** entities, the action searches for a match against the `name` + field of the reports. + 4. **Enrichment**: If a matching report is found, the vulnerability data is flattened + and attached to the specific entity as an **Entity Table** within the Google SecOps + interface. - 5. **Enrichment**: For every matching device found, the action flattens the vulnerability - data and attaches it as a structured data table to the corresponding entity within - the Google SecOps platform. - - - ### Additional Notes - - If no matching reports are found for the provided entities, the action will complete - successfully but will report that no vulnerability data was found. + 5. **Reporting**: The action concludes by summarizing which entities were successfully + enriched and reporting any errors encountered during the process. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a vulnerability report data table to the identified entities within the - Google SecOps case. + Adds an entity table containing vulnerability report data to the entity. + reasoning: >- + The action fetches data from an external API (CyberX) to retrieve vulnerability + reports. It does not mutate external systems. It modifies internal data by adding + an entity table to the relevant entities in the Google SecOps interface. categories: enrichment: true + reasoning: >- + The action fetches vulnerability data from an external source and enriches the + entity with this information via an entity table. It does not mutate external + systems and adheres to the constraints for enrichment actions. entity_usage: entity_types: - ADDRESS @@ -271,24 +429,81 @@ Get Device Vulnerability Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + `entity.entity_type` to include only `ADDRESS` and `HOSTNAME` types. Get Events: - ai_description: "### General Description\nThe **Get Events** action retrieves a\ - \ comprehensive list of events currently recorded in the CyberX event log. This\ - \ utility action is designed to provide visibility into system-level activities\ - \ and security events monitored by the CyberX platform, allowing analysts to review\ - \ historical or recent event data within the Google SecOps environment.\n\n###\ - \ Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\nThis action does not require or process any entities. It performs a global\ - \ fetch of events from the CyberX instance.\n\n### Flow Description\n1. **Authentication**:\ - \ The action initializes the CyberX manager using the API Root, Access Token,\ - \ and SSL verification settings provided in the integration configuration.\n2.\ - \ **API Request**: It performs a GET request to the CyberX `/api/v1/events` endpoint\ - \ to retrieve the event log.\n3. **Data Transformation**: The retrieved list of\ - \ event objects is processed and flattened to ensure compatibility with tabular\ - \ displays.\n4. **Result Presentation**: \n * If events are found, they are\ - \ formatted into a CSV-style data table titled 'Result Events' and attached to\ - \ the action results.\n * The raw JSON response is returned as the script output.\n\ - \ * A summary message indicates the total number of events found." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches a list of events from the CyberX API. This directly aligns + with the 'Search Events' category, which is defined as returning a collection + of historical logs or telemetry data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **Get Events** action retrieves a comprehensive list of events reported to + the CyberX event log. This action is designed to provide visibility into system + activities and historical logs within the CyberX platform, facilitating auditing + and monitoring workflows. + + + ### Parameters Description + + There are no parameters required for this action. + + + ### Additional Notes + + - This action is a global fetch operation and does not target specific entities + within a case. + + - The retrieved events are automatically flattened and presented in a data table + for easier analysis. + + + ### Flow Description + + 1. **Connection**: The action establishes a connection to the CyberX API using + the configured API Root and Access Token. + + 2. **Data Retrieval**: It performs a GET request to the `/api/v1/events` endpoint + to fetch all available event logs. + + 3. **Data Transformation**: The resulting event data is processed and flattened + using utility functions to ensure compatibility with tabular displays. + + 4. **Reporting**: If events are found, they are added to a data table titled 'Result + Events'. + + 5. **Completion**: The action concludes by providing a summary message of the + number of events found and returning the raw JSON data. capabilities: can_create_case_comments: false can_create_insight: false @@ -299,8 +514,17 @@ Get Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the CyberX API to retrieve event logs. + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR case data (entities, insights, or comments), but rather outputs + the retrieved data into a result table for the analyst to review. categories: enrichment: false + reasoning: >- + The action is a data retrieval operation (Search Events) rather than an enrichment + action. It does not target specific entities or alerts to provide supplemental + context, which is the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -316,59 +540,79 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any target entities. It performs + a global fetch of events from the CyberX API. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test (Ping) and does not perform any + of the defined operational tasks such as enrichment, ticketing, containment, + or alert management. Therefore, it does not match any of the provided product + categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the CyberX platform. It ensures that the integration is correctly - configured and that the service is reachable using the provided credentials. + Google SecOps and the CyberX instance. It ensures that the provided API Root and + Access Token are valid and that the network path is open by attempting a basic + data retrieval operation. ### Parameters Description - This action does not have any direct action parameters. It relies on the global - integration configuration: - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + There are no parameters for this action. - | API Root | String | Yes | The base URL of the CyberX instance (e.g., `https://cyberx-server.com`). - | - | Access Token | String | Yes | The API token used to authenticate requests to - the CyberX API. | + ### Additional Notes - | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate - of the CyberX server. Defaults to `false`. | + This action is typically used during the initial setup of the CyberX integration + or for troubleshooting communication issues. It performs a read-only operation + and does not impact any data within CyberX or Google SecOps. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the API Root, Access Token, - and SSL verification settings from the CyberX integration configuration. - - 2. **Manager Initialization:** It initializes the `CyberXManager` with the retrieved - settings. + 1. **Configuration Retrieval**: The action retrieves the API Root, Access Token, + and SSL verification settings from the integration configuration. - 3. **Connectivity Test:** The action executes the `get_all_devices` method, which - performs a `GET` request to the `/api/v1/devices` endpoint. + 2. **Manager Initialization**: It initializes the `CyberXManager` with the retrieved + credentials. - 4. **Result Handling:** If the API call is successful, the action concludes with - a success status and a "Connection established" message. If the call fails (e.g., - due to invalid credentials or network issues), an exception is raised, indicating - a connection failure. - - - ### Additional Notes + 3. **Connectivity Test**: The action calls the `get_all_devices` method, which + sends a GET request to the `/api/v1/devices` endpoint of the CyberX API. - - This action does not process any entities and is strictly used for system health - checks. + 4. **Validation**: If the API responds with a success status code, the connection + is considered established. - - As per standard SOAR practices, this action is excluded from being categorized - as an enrichment action despite fetching data. + 5. **Completion**: The action ends with a success message 'Connection established.' capabilities: can_create_case_comments: false can_create_insight: false @@ -379,8 +623,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the CyberX API to verify connectivity. + It does not mutate external or internal data, nor does it update entities or + create insights. It is a diagnostic tool. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, even if they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -396,3 +647,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + entities. It is a global connectivity test. diff --git a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2159d6ae3 --- /dev/null +++ b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'cyber_x' integration is an OT/ICS security platform focused on asset discovery + and monitoring. It qualifies for the SIEM category because it retrieves alerts + and events from the CyberX platform, providing visibility into security activity. + It qualifies for the Asset Inventory category as it performs asset discovery and + enriches entities with device metadata. It qualifies for the Vulnerability Management + category because it includes an action to retrieve device vulnerability reports + and CVE information. It does not qualify for EDR (no process-level activity), + Network Security (no blocking or firewall log retrieval), Threat Intelligence + (no reputation lookups), Email Security, IAM, Cloud Security, ITSM, or Collaboration, + as it lacks the specific functional requirements for those domains. + siem: true + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index dcfd1d06c..1ee823e1f 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -1,67 +1,87 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Add IP To Address Set: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the configuration of an external Juniper VSRX device by + adding an IP address to a specific address set. This is a security control update, + which aligns with the 'Add IOC To Blocklist' category, as address sets are typically + used in firewall policies to control traffic. It does not fetch data, so it + is not enrichment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action adds IP address entities to a specified address set on a Juniper VSRX - device. It is primarily used for network access control or blacklisting by grouping - IP addresses into manageable sets within the firewall's security configuration. + Adds IP address entities to a specified address set on a Juniper VSRX device. + This action facilitates network security policy management by grouping IP addresses + into sets, which can then be utilized in security policies. It supports adding + addresses to either a global address book or a specific security zone's address + book. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Address Set Name | String | Yes | The name of the target address set on the - Juniper VSRX where the IP addresses will be added. | + | Address Set Name | string | True | The name of the address set where the IP + addresses should be added. | - | Zone Name | String | No | The specific security zone where the address set and - address records should be created. If left empty, the action defaults to using - the global address book. | + | Zone Name | string | False | The name of the security zone. If provided, the + address record and set update will be scoped to this specific zone; otherwise, + the global address book is used. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Establishes a connection to the Juniper VSRX device using - the provided integration credentials. + - This action performs a configuration commit on the device, which may affect + other pending changes on the Juniper VSRX if not managed carefully. - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - Google SecOps context. - 3. **Configuration Loading**: For each identified IP address, the action generates - and loads configuration commands to create a unique address record and associate - it with the specified `Address Set Name`. If a `Zone Name` is provided, these - records are scoped to that specific security zone. + ### Flow Description - 4. **Commitment**: Executes a configuration commit on the Juniper VSRX device - to apply the changes permanently. + 1. **Configuration Retrieval:** Fetches connection details (Address, Port, Username, + Password) for the Juniper VSRX device. - 5. **Cleanup**: Closes the session with the device and reports the success or - failure for each processed entity. + 2. **Parameter Extraction:** Retrieves the target 'Address Set Name' and the optional + 'Zone Name' from the action parameters. + 3. **Entity Filtering:** Identifies all IP Address entities within the current + context. - ### Additional Notes + 4. **Address Record Creation:** For each identified IP, it creates a unique address + record on the Juniper device. - - This action performs a state-changing operation on the external firewall by - modifying its configuration. + 5. **Address Set Update:** Adds the newly created address record to the specified + address set. - - If the address record already exists, the behavior depends on the Juniper device's - handling of duplicate 'set' commands (typically idempotent). + 6. **Commit Changes:** Executes a configuration commit on the Juniper VSRX to + persist the changes. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,12 +90,21 @@ Add IP To Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new address records and modifies address set memberships on the Juniper - VSRX device, followed by a configuration commit to apply the changes. + Adds an IP address to a specified address set on the Juniper VSRX device and + commits the configuration changes. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Juniper VSRX device to modify its configuration + (adding an IP to an address set). It does not fetch data from the device, nor + does it modify internal SOAR data (entities, insights, or case comments). Therefore, + it is a pure external mutation action. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data; instead, + it performs a state-changing operation (mutation) on an external system (Juniper + VSRX). entity_usage: entity_types: - ADDRESS @@ -92,51 +121,82 @@ Add IP To Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS`. This means it targets ADDRESS entities, filtering by + entity_type. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + functional operations such as enrichment, containment, ticket management, or + alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and a **Juniper VSRX** instance. Its primary purpose is to validate - that the provided configuration details (Address, Port, Username, and Password) - are correct and that the network path to the device is open. + The **Ping** action is a utility designed to verify the connectivity between the + Google SecOps environment and the Juniper VSRX device. It ensures that the provided + configuration parameters (Address, Port, Username, and Password) are correct and + that the device is reachable over the network. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters as it uses - the global integration configuration. | + There are no input parameters for this action. It relies entirely on the integration's + global configuration settings. - ### Additional Notes - - - This action is a standard health check and does not interact with any security - entities or alert data. + ### Flow Description - - It is recommended to run this action immediately after configuring the Juniper - VSRX integration to ensure the setup is functional. + 1. **Configuration Retrieval**: The action fetches the connection details (Address, + Port, Username, Password) from the integration's configuration. + 2. **Manager Initialization**: It initializes the `JuniperVSRXManager` using the + retrieved credentials. - ### Flow Description + 3. **Connectivity Probe**: The action calls the `ping` method, which uses the + `probe()` function from the underlying Junos library to check if the device is + responsive. - 1. **Retrieve Configuration**: The action fetches the connection parameters (Address, - Port, Username, and Password) from the integration's shared configuration. + 4. **Session Termination**: The connection session is closed to ensure no resources + are left hanging. - 2. **Initialize Manager**: It creates an instance of the `JuniperVSRXManager` - to handle the communication logic. + 5. **Result Reporting**: The action returns a success message ('Connection Established.') + and a boolean `True` if the probe succeeds, or a failure message ('Connection + Failed.') and `False` otherwise. - 3. **Connectivity Probe**: The action executes a `probe()` call to the Juniper - device to test the network connection and authentication. - 4. **Session Cleanup**: The connection session is explicitly closed to release - resources. + ### Additional Notes - 5. **Final Status**: The action reports whether the connection was successfully - established or if it failed. + This action does not interact with any entities or modify any data. It is strictly + used for health checks and troubleshooting integration connectivity. capabilities: can_create_case_comments: false can_create_insight: false @@ -147,8 +207,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity probe (`device.probe()`) to verify the health + of the integration connection. It does not fetch data, mutate external systems, + or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -164,47 +232,88 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or any entity-specific identifiers. + It operates independently of any entities. Remove IP From Address Set: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an IP address from an address set on a firewall/security + device. This aligns with the 'Remove IOC From Blocklist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Removes IP address entities from a specified address set on a Juniper VSRX device. - This action interacts with the Juniper Junos OS to identify the internal record - name associated with an IP address and then deletes that record from the target - address set and, optionally, a specific security zone. Finally, it commits the - configuration changes to the device to ensure the removal is persistent. + ### General Description + Removes an IP address from a specified address set on a Juniper VSRX device. This + action is typically used to reverse a previous blocking or containment action + by removing the IP from a restricted address group. - ### Parameters - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Retrieval:** The action extracts the 'Address Set Name' and the + optional 'Zone Name' from the input parameters. - | Address Set Name | String | Yes | The name of the address set from which the - IP address should be removed. | + 2. **Entity Filtering:** It identifies all entities of type 'ADDRESS' within the + current scope. - | Zone Name | String | No | The name of the security zone where the address set - is located. If not provided, the action defaults to the global address book. | + 3. **Record Identification:** For each IP address, it queries the Juniper VSRX + device to find the specific internal record name associated with that IP. + 4. **Configuration Staging:** It loads deletion commands into the device's configuration + buffer to remove the address record and its association with the specified address + set. - ### Flow Description + 5. **Commit Changes:** It executes a commit operation to apply the configuration + changes permanently to the Juniper VSRX device. - 1. **Initialization**: Connects to the Juniper VSRX device using provided credentials - and retrieves the action parameters. - 2. **Entity Filtering**: Identifies all 'ADDRESS' entities within the current - scope. + ### Parameters Description - 3. **Record Identification**: For each IP entity, it queries the device's configuration - to find the specific internal record name mapped to that IP. + | Parameter Name | Type | Mandatory | Description | - 4. **Staging Deletion**: Issues commands to delete the address record and its - association with the specified address set (and zone, if provided). + | :--- | :--- | :--- | :--- | + + | Address Set Name | String | True | The name of the address set (group) from + which the IP address should be removed. | + + | Zone Name | String | False | The specific security zone where the address set + is located. If omitted, the action targets the global address book. | + + + ### Additional Notes - 5. **Commitment**: Executes a configuration commit on the Juniper VSRX device - to apply the changes. + * This action requires the Juniper VSRX integration to be configured with valid + administrative credentials and network access. - 6. **Cleanup**: Closes the device session and reports the success or failure for - each processed entity. + * The action performs a configuration commit, which may affect other pending changes + on the device if not managed carefully. capabilities: can_create_case_comments: false can_create_insight: false @@ -213,12 +322,19 @@ Remove IP From Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes address records and address-set associations from the Juniper VSRX configuration - and performs a commit operation to apply the changes. + Removes an IP address from an address set on the Juniper VSRX device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Juniper VSRX device to remove an IP address + from an address set. It performs a GET request to retrieve the configuration + (to find the record name) and then performs configuration changes (DELETE and + COMMIT). It does not modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action mutates external data (removes an IP from a blocklist/address set), + therefore it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -235,3 +351,6 @@ Remove IP From Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters for entities + of type `ADDRESS`. diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..e47c07516 --- /dev/null +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Juniper vSRX integration is a Next-Generation Firewall (NGFW) appliance. Its + primary capabilities, as demonstrated by the 'Add IP To Address Set' and 'Remove + IP From Address Set' actions, involve managing network security policies by modifying + address sets on the firewall device. This directly aligns with the 'Network Security' + category, which is defined for integrations that allow agents to block malicious + IPs at the gateway. The integration does not perform SIEM log analysis, EDR host-level + containment, threat intelligence enrichment, or any of the other specialized functions + (IAM, ITSM, etc.) defined in the categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml deleted file mode 100644 index 91b5b3057..000000000 --- a/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml +++ /dev/null @@ -1,431 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Block IP: - ai_description: >- - ### General Description - - Blocks IP Address entities in McAfee Network Security Manager (NSM). This action - automates the process of blacklisting malicious IPs by managing firewall rule - objects and policies within the NSM environment. It ensures that the block is - enforced by deploying configuration changes to the relevant sensors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any action-specific parameters. - It relies on the integration's configuration (API Root, Credentials, Domain ID, - Policy Name, and Sensor List). | - - - ### Additional Notes - - - The action specifically looks for a policy defined in the integration configuration - ('Siemplify Policy Name'). - - - It manages rule objects with a prefix 'Siemplify_Block' and adheres to NSM limits - (10 addresses per object, 10 objects per rule). - - - A 'Deploy Changes' command is issued to all sensors listed in the configuration - to make the block effective immediately. - - - ### Flow Description - - 1. **Authentication**: Establishes a session with the McAfee NSM API using provided - credentials. - - 2. **Entity Filtering**: Identifies all IP Address (ADDRESS) entities provided - in the action scope. - - 3. **Block Verification**: For each IP, it queries NSM to check if the address - is already blocked within the target policy. - - 4. **Policy Modification**: If the IP is not blocked, it searches for an existing - Siemplify rule object with available capacity. If an available object is found, - it updates it with the new IP. If no object is available, it creates a new rule - object and adds it to the firewall policy. - - 5. **Deployment**: Triggers a configuration push to all sensors specified in the - 'Sensors Names List Comma Separated' configuration. - - 6. **Cleanup**: Logs out of the NSM session and returns the execution status. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Creates or updates firewall rule objects in McAfee NSM and updates the firewall - policy to block the specified IP addresses. It also triggers a configuration - push (deploy changes) to the sensors. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Alert Info Data: - ai_description: >- - ### General Description - - Retrieves detailed information for a specific alert from McAfee Network Security - Manager (NSM). This action is used to fetch the full context of an alert, including - signature details, attacker/target information, and malware metadata, which can - be used for further investigation or automated decision-making within a playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Alert ID | String | Yes | The unique identifier of the alert in McAfee NSM. - | - - | Sensor Name | String | Yes | The name of the sensor that generated the alert. - This is required to locate the alert within the NSM architecture. | - - - ### Additional Notes - - This action does not run on entities. It requires a specific Alert ID and Sensor - Name as input parameters. The retrieved data is returned as a JSON object and - displayed in a formatted data table within the case wall. - - - ### Flow Description - - 1. **Initialization**: The action initializes the McAfee NSM manager using the - integration's configuration (API Root, credentials, and domain information). - - 2. **Parameter Retrieval**: The action extracts the `Alert ID` and `Sensor Name` - provided by the user or playbook. - - 3. **Sensor Resolution**: The manager resolves the provided `Sensor Name` to its - internal `Sensor ID` by querying the NSM API. - - 4. **Data Retrieval**: A GET request is sent to the NSM API to fetch the detailed - alert information using the `Alert ID` and the resolved `Sensor ID`. - - 5. **Output Generation**: If data is found, it is added to the action's results - as a raw JSON object and a formatted data table. The action then concludes with - a success message. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Is IP Blocked: - ai_description: >- - ### General Description - - The **Is IP Blocked** action checks whether specific IP Address entities are currently - blocked within the McAfee Network Security Manager (NSM). It queries the NSM to - see if the IP is part of a rule object associated with the configured Siemplify - firewall policy. This is primarily used for verifying the current enforcement - state of an IP before or after containment actions. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. | - - - ### Additional Notes - - This action relies on the integration's global configuration, specifically the - 'Siemplify Policy Name' and 'Domain ID', to determine which firewall rules to - inspect. It only checks for blocks within the policy managed by the SOAR. - - - ### Flow Description - - 1. **Initialization**: Connects to the McAfee NSM API using the integration's - global configuration credentials. - - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - case scope. - - 3. **Status Check**: For each IP address, it queries the NSM to find rule objects - containing that IP that are also members of the designated Siemplify firewall - policy. - - 4. **Categorization**: Groups entities into 'Blocked' and 'Unblocked' lists based - on the API response. - - 5. **Cleanup**: Logs out of the NSM session to ensure security. - - 6. **Completion**: Returns a summary message and a boolean result (True if at - least one IP is blocked). - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: true - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - Tests connectivity to the McAfee Network Security Manager (NSM) instance. This - action validates the provided credentials and network reachability by attempting - to establish an API session and immediately terminating it. - - - ### Parameters - - There are no parameters for this action. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration configuration, - including API Root, credentials, and Domain ID. - - 2. **Authentication**: The `NsmManager` is initialized, which automatically attempts - to authenticate with the NSM API to retrieve a session token via a GET request - to the session endpoint. - - 3. **Session Termination**: The action explicitly calls the `logout` method to - close the established session using a DELETE request. - - 4. **Result Reporting**: If the authentication and logout cycle completes without - error, the action reports a successful connection. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Quarantine IP: - ai_description: >- - ### General Description - - Quarantines specific IP address entities on McAfee Network Security Manager (NSM) - sensors. This action is used for containment by isolating a potentially malicious - host from the network. The quarantine is applied with a duration of 'Until Explicitly - Released', meaning the isolation persists until a manual or automated release - action is triggered. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | No Action Parameters | N/A | N/A | This action does not require specific input - parameters. It relies on the integration's global configuration for sensor lists - and credentials. | - - - ### Additional Notes - - * This action requires the **Sensors Names List Comma Separated** to be correctly - configured in the McAfee NSM integration settings. The action will attempt to - apply the quarantine on every sensor listed in that configuration. - - * The quarantine duration is hardcoded to `UNTIL_EXPLICITLY_RELEASED`. - - - ### Flow Description - - 1. **Initialization**: Connects to the McAfee NSM instance using credentials and - domain information from the integration configuration. - - 2. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities provided in the - current context. - - 3. **Sensor Resolution**: For each configured sensor name, the action retrieves - the corresponding internal Sensor ID from NSM. - - 4. **Quarantine Execution**: Sends a POST request to the NSM API for each IP entity - on every resolved sensor to initiate the quarantine process. - - 5. **Result Tracking**: Tracks which IP addresses were successfully quarantined - across the sensors. - - 6. **Completion**: Logs out of the NSM session and returns a summary message of - the quarantined identifiers. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Quarantines the specified IP address on the configured McAfee NSM sensors, which - changes the network access state for that host in the external system. - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Unblock IP: - ai_description: "### General Description\nUnblocks specific IP address entities\ - \ within McAfee Network Security Manager (NSM). This action identifies the firewall\ - \ rule objects associated with the target IP addresses, removes the IPs from those\ - \ rules (or deletes the rule object if it contains only that IP), and then triggers\ - \ a configuration deployment to the relevant sensors to apply the changes.\n\n\ - ### Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\n* This action requires a pre-configured 'Siemplify Policy Name' and a\ - \ list of 'Sensors' in the integration settings to know where to apply the unblocking\ - \ logic.\n* The action performs a 'Deploy Changes' operation at the end of the\ - \ process to ensure the firewall updates are active on the physical or virtual\ - \ sensors.\n\n### Flow Description\n1. **Initialization**: Connects to the McAfee\ - \ NSM API using provided credentials and configuration.\n2. **Entity Filtering**:\ - \ Identifies all `ADDRESS` entities within the current action scope.\n3. **Rule\ - \ Identification**: For each IP address, it searches for the corresponding rule\ - \ object within the specified Siemplify policy in NSM.\n4. **IP Removal**: \n\ - \ * If the rule object contains multiple IPs, it removes only the target IP.\n\ - \ * If the rule object contains only the target IP, it removes the rule object\ - \ from the policy and deletes the object entirely.\n5. **Deployment**: Triggers\ - \ a configuration update (`deploy_changes`) for all sensors defined in the integration\ - \ configuration to finalize the unblocking.\n6. **Cleanup**: Logs out of the NSM\ - \ session and reports the list of successfully unblocked entities." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects, deletes empty rule objects, - and updates sensor configurations to deploy changes in McAfee NSM. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index 91b5b3057..70addd776 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -1,70 +1,87 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Block IP: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action blocks an IP address on a firewall (McAfee NSM). This directly aligns + with the 'Add IOC To Blocklist' category. It does not perform host containment + (EDR isolation), ticket management, or enrichment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Blocks IP Address entities in McAfee Network Security Manager (NSM). This action - automates the process of blacklisting malicious IPs by managing firewall rule - objects and policies within the NSM environment. It ensures that the block is - enforced by deploying configuration changes to the relevant sensors. + Blocks IP address entities in McAfee Network Security Manager (NSM). This action + interacts with the NSM API to manage firewall rule objects and policies, ensuring + that malicious or suspicious IP addresses are restricted. It automates the process + of checking existing block rules, creating new rule objects if necessary, and + pushing configuration changes to the specified sensors to enforce the block. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication:** Establishes a session with McAfee NSM using the provided + credentials and retrieves a session token. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering:** Identifies all IP Address entities (ADDRESS) within the + action scope. - | None | N/A | N/A | This action does not have any action-specific parameters. - It relies on the integration's configuration (API Root, Credentials, Domain ID, - Policy Name, and Sensor List). | + 3. **Block Logic:** For each IP, the action checks if it is already part of the + configured firewall policy. If not, it attempts to find a rule object with available + space (max 10 IPs). If no space is available, it creates a new rule object and + attaches it to the policy. + 4. **Deployment:** Triggers a configuration push ('deploy changes') to the list + of sensors defined in the integration settings to ensure the new rules are active. - ### Additional Notes + 5. **Cleanup:** Logs out of the NSM session. - - The action specifically looks for a policy defined in the integration configuration - ('Siemplify Policy Name'). - - It manages rule objects with a prefix 'Siemplify_Block' and adheres to NSM limits - (10 addresses per object, 10 objects per rule). + ### Parameters Description - - A 'Deploy Changes' command is issued to all sensors listed in the configuration - to make the block effective immediately. + There are no direct input parameters for this action. It relies on the integration's + global configuration settings: - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Authentication**: Establishes a session with the McAfee NSM API using provided - credentials. + | :--- | :--- | :--- | :--- | - 2. **Entity Filtering**: Identifies all IP Address (ADDRESS) entities provided - in the action scope. + | N/A | N/A | N/A | This action does not take direct input parameters; it relies + on the integration's global configuration (API Root, Credentials, Policy Name, + and Sensor List). | - 3. **Block Verification**: For each IP, it queries NSM to check if the address - is already blocked within the target policy. - 4. **Policy Modification**: If the IP is not blocked, it searches for an existing - Siemplify rule object with available capacity. If an available object is found, - it updates it with the new IP. If no object is available, it creates a new rule - object and adds it to the firewall policy. + ### Additional Notes - 5. **Deployment**: Triggers a configuration push to all sensors specified in the - 'Sensors Names List Comma Separated' configuration. + * The action is designed to work with a dedicated firewall policy name specified + in the integration configuration. - 6. **Cleanup**: Logs out of the NSM session and returns the execution status. + * It manages rule objects with a specific prefix ('Siemplify_Block') to avoid + interfering with manual configurations. capabilities: can_create_case_comments: false can_create_insight: false @@ -73,13 +90,22 @@ Block IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates or updates firewall rule objects in McAfee NSM and updates the firewall - policy to block the specified IP addresses. It also triggers a configuration - push (deploy changes) to the sensors. + The action modifies firewall policies and rule objects in McAfee NSM to block + specific IP addresses. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a check to see if an IP is already blocked (GET request), + which constitutes fetching data. It then performs POST/PUT requests to create + or update rule objects and update firewall policies in McAfee NSM, which constitutes + external data mutation. It does not modify internal SOAR case data, update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a containment/blocking action, not an enrichment action. It does + not meet the criteria for enrichment as it primarily mutates external system + state and does not return contextual metadata for the entity. entity_usage: entity_types: - ADDRESS @@ -96,53 +122,86 @@ Block IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == ADDRESS`. It does not apply any other filters. Get Alert Info Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches alert details from the McAfee NSM product, which directly + matches the 'Get Alert Information' category. It does not perform any other + operations like blocking, ticketing, or updating alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Retrieves detailed information for a specific alert from McAfee Network Security - Manager (NSM). This action is used to fetch the full context of an alert, including - signature details, attacker/target information, and malware metadata, which can - be used for further investigation or automated decision-making within a playbook. + Manager (NSM) using the provided Alert ID and Sensor Name. This action is designed + to assist analysts in gathering full context for an alert recorded in NSM to support + investigation and response workflows within Google SecOps. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | String | Yes | The unique identifier of the alert in McAfee NSM. + | Alert ID | string | Yes | The unique identifier of the alert in McAfee NSM. | - | Sensor Name | String | Yes | The name of the sensor that generated the alert. - This is required to locate the alert within the NSM architecture. | - + | Sensor Name | string | Yes | The name of the sensor that generated the alert. + | - ### Additional Notes - This action does not run on entities. It requires a specific Alert ID and Sensor - Name as input parameters. The retrieved data is returned as a JSON object and - displayed in a formatted data table within the case wall. + ### Flow Description + 1. **Initialize Connection**: Establishes a session with the McAfee NSM manager + using the configured credentials. - ### Flow Description + 2. **Resolve Sensor ID**: Looks up the internal Sensor ID corresponding to the + provided `Sensor Name`. - 1. **Initialization**: The action initializes the McAfee NSM manager using the - integration's configuration (API Root, credentials, and domain information). + 3. **Fetch Alert Data**: Executes a GET request to the NSM API to retrieve the + full alert details using the `Alert ID` and the resolved `Sensor ID`. - 2. **Parameter Retrieval**: The action extracts the `Alert ID` and `Sensor Name` - provided by the user or playbook. + 4. **Process Results**: If data is found, it is formatted as a JSON table and + added to the action result. The raw JSON data is also attached to the action result + for further use. - 3. **Sensor Resolution**: The manager resolves the provided `Sensor Name` to its - internal `Sensor ID` by querying the NSM API. - 4. **Data Retrieval**: A GET request is sent to the NSM API to fetch the detailed - alert information using the `Alert ID` and the resolved `Sensor ID`. + ### Additional Notes - 5. **Output Generation**: If data is found, it is added to the action's results - as a raw JSON object and a formatted data table. The action then concludes with - a success message. + This action does not iterate over or process Google SecOps entities; it operates + strictly based on the provided string parameters. It is a read-only operation + that fetches data from the external McAfee NSM system. capabilities: can_create_case_comments: false can_create_insight: false @@ -153,8 +212,17 @@ Get Alert Info Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the McAfee NSM API to retrieve alert details. + It does not perform any write operations on external systems (can_mutate_external_data=false). + It does not modify internal SOAR case data, entities, or insights; it only outputs + the retrieved data as a result table (can_mutate_internal_data=false). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (McAfee NSM) to provide context + for an investigation. It does not mutate external systems or internal SOAR data. + Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -170,52 +238,80 @@ Get Alert Info Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with Google SecOps entities. It relies solely on + the 'Alert ID' and 'Sensor Name' parameters provided by the user. Is IP Blocked: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action checks the block status of an IP address in McAfee NSM. This provides + context about the indicator's reputation/status, which aligns with 'Enrich IOC'. + It does not modify the firewall, so it is not a block/unblock action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Is IP Blocked** action checks whether specific IP Address entities are currently - blocked within the McAfee Network Security Manager (NSM). It queries the NSM to - see if the IP is part of a rule object associated with the configured Siemplify - firewall policy. This is primarily used for verifying the current enforcement - state of an IP before or after containment actions. + The **Is IP Blocked** action verifies if specific IP Address entities are currently + blocked within the McAfee Network Security Manager (NSM). It checks if the IP + is part of a Siemplify-managed rule object associated with the configured firewall + policy. This action is useful for validating containment status during an investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | + This action does not require any input parameters. It uses the global integration + configuration to connect to the McAfee NSM instance. - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. | - - - ### Additional Notes - This action relies on the integration's global configuration, specifically the - 'Siemplify Policy Name' and 'Domain ID', to determine which firewall rules to - inspect. It only checks for blocks within the policy managed by the SOAR. + ### Flow Description + 1. **Authentication**: Connects to the McAfee NSM API and establishes a session. - ### Flow Description + 2. **Entity Identification**: Filters the case entities to identify all `ADDRESS` + (IP) types. - 1. **Initialization**: Connects to the McAfee NSM API using the integration's - global configuration credentials. + 3. **Block Verification**: For each IP entity, the action queries the NSM to find + rule objects that start with the prefix `Siemplify_Block`, contain the specific + IP address, and are actively linked to the firewall policy defined in the integration + settings. - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - case scope. + 4. **Categorization**: Groups the entities into 'Blocked' and 'Unblocked' lists + based on the API response. - 3. **Status Check**: For each IP address, it queries the NSM to find rule objects - containing that IP that are also members of the designated Siemplify firewall - policy. + 5. **Completion**: Returns a summary message and a boolean result (`True` if at + least one IP is blocked, `False` otherwise). - 4. **Categorization**: Groups entities into 'Blocked' and 'Unblocked' lists based - on the API response. - 5. **Cleanup**: Logs out of the NSM session to ensure security. + ### Additional Notes - 6. **Completion**: Returns a summary message and a boolean result (True if at - least one IP is blocked). + This action is strictly diagnostic and does not perform any changes to the firewall + configuration or the entities within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -226,8 +322,16 @@ Is IP Blocked: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action queries the McAfee NSM API to determine if an IP address is currently + blocked. It does not modify any external firewall configurations or internal + SOAR data. It is a read-only diagnostic action. categories: enrichment: true + reasoning: >- + The action fetches data (block status) from an external system (McAfee NSM) + without modifying any external or internal state. This qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -244,44 +348,83 @@ Is IP Blocked: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `entity.entity_type + == ADDRESS`. Ping: - ai_description: >- - Tests connectivity to the McAfee Network Security Manager (NSM) instance. This - action validates the provided credentials and network reachability by attempting - to establish an API session and immediately terminating it. - - - ### Parameters - - There are no parameters for this action. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration configuration, - including API Root, credentials, and Domain ID. - - 2. **Authentication**: The `NsmManager` is initialized, which automatically attempts - to authenticate with the NSM API to retrieve a session token via a GET request - to the session endpoint. - - 3. **Session Termination**: The action explicitly calls the `logout` method to - close the established session using a DELETE request. - - 4. **Result Reporting**: If the authentication and logout cycle completes without - error, the action reports a successful connection. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test and does not perform any of the + defined security operations such as enrichment, blocking, ticketing, or alert + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between Google SecOps and the McAfee Network\ + \ Security Manager (NSM) instance. Its primary purpose is to ensure that the integration's\ + \ configuration parameters\u2014such as the API Root, credentials, and Domain\ + \ ID\u2014are correct and that the NSM service is reachable over the network.\n\ + \n### Parameters Description\nThere are no parameters for this action. It relies\ + \ entirely on the global integration configuration.\n\n### Flow Description\n\ + 1. **Configuration Retrieval**: The action fetches the integration's configuration,\ + \ including the API Root, Username, Password, and Domain ID.\n2. **Authentication**:\ + \ It initializes the `NsmManager`, which triggers a login request to the NSM `session`\ + \ endpoint to obtain an authentication token.\n3. **Session Termination**: Immediately\ + \ after a successful login, the action calls the `logout` method to close the\ + \ session on the NSM server.\n4. **Result Reporting**: If the login and logout\ + \ sequence completes without exceptions, the action ends with a success message:\ + \ \"Connection Established.\"\n\n### Additional Notes\n* This action is strictly\ + \ for connectivity testing and does not perform any security operations or data\ + \ retrieval.\n* As per standard conventions, this action is not classified as\ + \ an enrichment action." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false + external_data_mutation_explanation: >- + Terminates the authentication session on the McAfee NSM server. + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by initiating a session (GET request) + and immediately terminating it (DELETE request) with the McAfee NSM API. While + it interacts with the API, it does not fetch contextual data for entities or + perform security operations. The session termination is a mutation of the external + session state. categories: enrichment: false + reasoning: >- + The action is a diagnostic 'Ping' utility. Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. It does + not perform any data retrieval or security operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -297,56 +440,89 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global diagnostic tool. Quarantine IP: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a quarantine operation on an IP address via McAfee NSM, + which is a form of network isolation. This aligns with the 'Contain Host' category, + as it restricts the network activity of the target host. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Quarantines specific IP address entities on McAfee Network Security Manager (NSM) - sensors. This action is used for containment by isolating a potentially malicious - host from the network. The quarantine is applied with a duration of 'Until Explicitly - Released', meaning the isolation persists until a manual or automated release - action is triggered. + The **Quarantine IP** action is designed to isolate specific IP addresses across + one or more McAfee Network Security Manager (NSM) sensors. By communicating with + the NSM API, the action triggers a quarantine command that restricts the network + activity of the target host. This is a critical containment capability used during + security incidents to prevent lateral movement or data exfiltration from compromised + internal assets. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | No Action Parameters | N/A | N/A | This action does not require specific input - parameters. It relies on the integration's global configuration for sensor lists - and credentials. | + | None | N/A | N/A | This action does not have any action-specific parameters. + It uses the global integration configuration for connection details and sensor + selection. | ### Additional Notes - * This action requires the **Sensors Names List Comma Separated** to be correctly - configured in the McAfee NSM integration settings. The action will attempt to - apply the quarantine on every sensor listed in that configuration. + * The quarantine duration is fixed to **'until released'**, meaning the isolation + will remain in effect until a manual release is performed or a corresponding release + action is executed. - * The quarantine duration is hardcoded to `UNTIL_EXPLICITLY_RELEASED`. + * The action specifically targets the sensors listed in the integration's `Sensors + Names List Comma Separated` configuration field. ### Flow Description - 1. **Initialization**: Connects to the McAfee NSM instance using credentials and - domain information from the integration configuration. + 1. **Establish Session**: The action authenticates with the McAfee NSM API using + the provided credentials. - 2. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities provided in the - current context. + 2. **Resolve Sensors**: It retrieves the list of sensors from the integration + configuration and fetches their corresponding internal IDs from the NSM manager. - 3. **Sensor Resolution**: For each configured sensor name, the action retrieves - the corresponding internal Sensor ID from NSM. + 3. **Filter Entities**: The action scans the case for **IP Address** entities. - 4. **Quarantine Execution**: Sends a POST request to the NSM API for each IP entity - on every resolved sensor to initiate the quarantine process. + 4. **Execute Quarantine**: For each valid IP address, it sends a POST request + to the NSM API to quarantine the host on every identified sensor. - 5. **Result Tracking**: Tracks which IP addresses were successfully quarantined - across the sensors. + 5. **Cleanup**: The action terminates the NSM session. - 6. **Completion**: Logs out of the NSM session and returns a summary message of - the quarantined identifiers. + 6. **Finalize**: It returns a success message listing the quarantined IP addresses. capabilities: can_create_case_comments: false can_create_insight: false @@ -355,12 +531,21 @@ Quarantine IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Quarantines the specified IP address on the configured McAfee NSM sensors, which - changes the network access state for that host in the external system. + Sends a POST request to the McAfee NSM API to quarantine the specified IP address + on the configured sensors. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the McAfee NSM API to quarantine an IP + address, which constitutes an external data mutation. It does not fetch contextual + data about the entities, nor does it modify internal SOAR data (entities, insights, + or comments). categories: enrichment: false + reasoning: >- + The action is a containment/mutation action, not an enrichment action. It does + not fetch data to enrich the entity, but rather performs an action to isolate + it. entity_usage: entity_types: - ADDRESS @@ -377,28 +562,86 @@ Quarantine IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == ADDRESS`. Unblock IP: - ai_description: "### General Description\nUnblocks specific IP address entities\ - \ within McAfee Network Security Manager (NSM). This action identifies the firewall\ - \ rule objects associated with the target IP addresses, removes the IPs from those\ - \ rules (or deletes the rule object if it contains only that IP), and then triggers\ - \ a configuration deployment to the relevant sensors to apply the changes.\n\n\ - ### Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\n* This action requires a pre-configured 'Siemplify Policy Name' and a\ - \ list of 'Sensors' in the integration settings to know where to apply the unblocking\ - \ logic.\n* The action performs a 'Deploy Changes' operation at the end of the\ - \ process to ensure the firewall updates are active on the physical or virtual\ - \ sensors.\n\n### Flow Description\n1. **Initialization**: Connects to the McAfee\ - \ NSM API using provided credentials and configuration.\n2. **Entity Filtering**:\ - \ Identifies all `ADDRESS` entities within the current action scope.\n3. **Rule\ - \ Identification**: For each IP address, it searches for the corresponding rule\ - \ object within the specified Siemplify policy in NSM.\n4. **IP Removal**: \n\ - \ * If the rule object contains multiple IPs, it removes only the target IP.\n\ - \ * If the rule object contains only the target IP, it removes the rule object\ - \ from the policy and deletes the object entirely.\n5. **Deployment**: Triggers\ - \ a configuration update (`deploy_changes`) for all sensors defined in the integration\ - \ configuration to finalize the unblocking.\n6. **Cleanup**: Logs out of the NSM\ - \ session and reports the list of successfully unblocked entities." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an IP address from a firewall policy in McAfee NSM, which + directly matches the 'Remove IOC From Blocklist' category. It does not perform + enrichment, containment, or other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Unblocks IP address entities in McAfee Network Security Manager (NSM). This action + identifies the firewall rule objects associated with the target IP addresses within + a specific policy, removes the IP entries, and then triggers a configuration deployment + to the managed sensors to enforce the changes. This action is used to restore + network connectivity for previously blocked IP addresses. + + + ### Parameters Description + + | Parameter Name | Description | Type | Mandatory | + + | --- | --- | --- | --- | + + | None | This action does not have any specific action parameters; it relies on + the integration's global configuration. | N/A | No | + + + ### Additional Notes + + - This action requires a pre-configured 'Siemplify Policy Name' and a list of + 'Sensors Names' in the integration settings to function correctly. + + - The action performs a state change on the external firewall system. + + + ### Flow Description + + 1. **Initialization**: Connects to the McAfee NSM instance using provided credentials + and configuration (API Root, Domain ID, Policy Name, and Sensor List). + + 2. **Entity Filtering**: Identifies all IP Address entities within the current + context. + + 3. **IP Release**: For each identified IP, the action searches for the corresponding + rule object in the NSM policy. If found, it either removes the IP from the rule + object or deletes the rule object entirely if it contains no other addresses. + + 4. **Deployment**: After processing all entities, it initiates a 'Deploy Changes' + command to push the updated firewall configuration to the specified sensors. + + 5. **Cleanup**: Logs out of the NSM session. capabilities: can_create_case_comments: false can_create_insight: false @@ -407,12 +650,21 @@ Unblock IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects, deletes empty rule objects, - and updates sensor configurations to deploy changes in McAfee NSM. + Removes the IP address from the firewall policy rule object in McAfee NSM and + deploys the updated configuration to the sensors. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the McAfee NSM API to remove an IP address from a + firewall policy. It performs a PUT or DELETE operation on the external system + to modify firewall rules and then triggers a deployment, which constitutes external + data mutation. It fetches data to locate the rule object before modifying it. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (McAfee NSM) to remove + an IP from a blocklist. It is not an enrichment action as it changes the state + of the external firewall. entity_usage: entity_types: - ADDRESS @@ -429,3 +681,6 @@ Unblock IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for entities + of type `ADDRESS`. diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..88f48bdde --- /dev/null +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The McAfee Network Security Platform (NSM) integration is primarily focused on + network security operations. It provides actions to block and unblock IP addresses + on the firewall/IPS and to retrieve alert information from the NSM system. These + capabilities align directly with the Network Security category, which involves + managing firewall/WAF rules and blocking malicious traffic at the gateway. The + integration does not provide general SIEM log searching, EDR host-level process + analysis, or external threat intelligence feeds, and therefore does not qualify + for those categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index fb1935406..c3ffb4e17 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -1,63 +1,90 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Create Incident: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action generates a new record in an external ITSM (MicroFocus ITSMA) and + returns the Ticket ID. This directly matches the 'Create Ticket' category. It + does not perform any other operations like enrichment, alert updates, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Creates a new incident in Micro Focus ITSMA. This action allows users to programmatically - generate incident tickets by providing key details such as the display label, - description, impact scope, urgency, and service ID. It interacts with the Micro - Focus ITSMA API via a POST request to create the record and returns the unique - incident ID upon success. + ### General Description + Creates a new incident in the MicroFocus ITSMA system. This action allows users + to programmatically generate incident records by providing key details such as + the display label, description, impact scope, urgency, and service category. It + interacts with the MicroFocus ITSMA API via a POST request and returns the unique + identifier of the newly created incident. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Display Label | String | True | The display label or title of the incident. + | Display Label | string | True | The summary or title of the incident to be created. | - | Description | String | True | The detailed description of the incident. | + | Description | string | True | A detailed description of the incident. | - | Impact Scope | String | True | The impact scope of the incident (e.g., 'MultipleUsers'). - | + | Impact Scope | string | True | The scope of the impact (e.g., MultipleUsers, + SingleUser). | - | Urgency | String | True | The urgency of the incident (e.g., 'SevereDisruption'). + | Urgency | string | True | The urgency level of the incident (e.g., SevereDisruption). | - | Service ID | String | True | The ID of the category or service the incident - is registered for. | + | Service ID | string | True | The ID representing the category or service the + incident is registered for. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Retrieve configuration and initialize the Micro Focus ITSMA - manager with API credentials and tenant information. + - This action does not operate on entities; it relies entirely on the provided + input parameters. - 2. **Parameter Extraction**: Extract incident details (Display Label, Description, - Impact Scope, Urgency, and Service ID) from the action parameters. + - The 'External System' and 'External ID' used in the payload are derived from + the integration's configuration settings. - 3. **API Interaction**: Construct and send a POST request to the Micro Focus ITSMA - 'ces' endpoint with the incident payload. - 4. **Response Processing**: Parse the API response to extract the unique ID of - the newly created incident. + ### Flow Description + + 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using + the provided integration configuration (API Root, Credentials, Tenant ID, etc.). - 5. **Completion**: Return the incident ID and a success message to the Google - SecOps platform. + 2. **Parameter Extraction**: It retrieves the mandatory input parameters: Display + Label, Description, Impact Scope, Urgency, and Service ID. + + 3. **API Interaction**: The action sends a POST request to the MicroFocus ITSMA + 'ces' endpoint with a payload containing the incident properties and external + system metadata. + + 4. **Result Handling**: If successful, the action extracts the Incident ID from + the API response and returns it as the script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,11 +93,19 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the Micro Focus ITSMA platform. + Creates a new incident record in the MicroFocus ITSMA system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (MicroFocus ITSMA) to + create a new incident record. It does not fetch data, nor does it modify internal + Google SecOps data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action, not an enrichment action. It does + not fetch data or perform any of the allowed internal mutations (insights, comments, + entity updates). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -86,38 +121,78 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It relies solely on input parameters + provided by the user. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or modifying alerts. + Therefore, no product categories are applicable. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Micro Focus ITSMA instance. - This action is used to verify that the integration configuration parameters, such - as API Root, Username, Password, and Tenant ID, are correctly configured and that - the external system is reachable. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + the Google SecOps platform and the MicroFocus ITSMA instance. Its primary purpose + is to ensure that the integration configuration (such as API credentials and network + access) is correct and that the remote service is reachable. - ### Parameters + ### Parameters Description There are no parameters for this action. - ### Flow Description + ### Additional Notes + + This action is typically used during the initial setup of the integration or for + troubleshooting connectivity issues. It does not interact with any entities or + modify any data. - 1. **Configuration Retrieval**: The action retrieves the integration's global - configuration settings, including the API Root, credentials, and Tenant ID. - 2. **Manager Initialization**: Initializes the `MicroFocusITSMAManager` using - the retrieved configuration. + ### Flow Description + + 1. **Configuration Retrieval**: The action starts by fetching the integration's + configuration settings, including the API Root, Username, Password, and Tenant + ID. - 3. **Authentication Check**: Executes the `get_token` method, which sends a POST - request to the Micro Focus ITSMA authentication endpoint to retrieve a session - token. + 2. **Manager Initialization**: It initializes the `MicroFocusITSMAManager` with + the retrieved settings. - 4. **Connection Validation**: Evaluates whether a token was successfully returned - by the external service. + 3. **Authentication Attempt**: The action calls the `get_token` method, which + performs a POST request to the MicroFocus ITSMA authentication endpoint. - 5. **Action Completion**: Reports 'Connection Established' if the token retrieval - was successful, or 'Connection Failed' otherwise. + 4. **Result Evaluation**: If the authentication is successful and a token is returned, + the action reports a successful connection. Otherwise, it reports a connection + failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -126,10 +201,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + MicroFocus ITSMA API. It does not fetch contextual data about alerts or entities, + nor does it mutate any external or internal data. It is a diagnostic tool. categories: enrichment: false + reasoning: >- + The action is a 'Ping' diagnostic tool. According to the enrichment action rules, + actions named 'Ping' must not be categorized as enrichment actions. It does + not fetch data for entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,62 +228,97 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. The `SimulationDataJson` explicitly + defines an empty list of entities, and the code does not reference `target_entities`. Update Incident: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an existing incident in an external ITSM system (MicroFocus + ITSMA), which matches the 'Update Ticket' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- - Updates an existing incident in MicroFocus ITSMA. This action allows users to - modify specific attributes of a ticket, such as its title, description, impact, - urgency, and associated service ID. It interacts with the ITSMA API via a POST - request to apply the changes to the specified incident ID. + ### General Description + Updates an existing incident in MicroFocus ITSMA. This action allows for the modification + of various incident attributes such as the display label, description, impact + scope, urgency, and service ID based on the provided Incident ID. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Incident ID | String | Yes | The unique identifier of the incident to be updated. + | Incident ID | string | True | The unique identifier of the incident to be updated. | - | Display Label | String | No | The updated display label (title) of the incident. + | Display Label | string | False | The updated display label (title) of the incident. | - | Description | String | No | The updated description text for the incident. | + | Description | string | False | The updated detailed description of the incident. + | - | Impact Scope | String | No | The updated impact score/scope of the incident. + | Impact Scope | string | False | The updated impact score/scope of the incident. | - | Urgency | String | No | The updated urgency level of the incident. | + | Urgency | string | False | The updated urgency level of the incident. | - | Service ID | String | No | The updated ID of the category or service associated + | Service ID | string | False | The updated ID of the category or service associated with the incident. | ### Additional Notes - - At least one optional parameter should be provided alongside the mandatory 'Incident - ID' for the action to perform a meaningful update. - - - The action uses the 'External System' and 'External ID' configured in the integration - settings to identify the source of the update. + At least one optional parameter (Display Label, Description, Impact Scope, Urgency, + or Service ID) should be provided alongside the mandatory Incident ID for the + update to have an effect. ### Flow Description - 1. **Authentication**: Connects to the MicroFocus ITSMA instance using the provided - credentials and Tenant ID to obtain a session token. + 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using + the provided integration configuration (API Root, Credentials, Tenant ID, etc.). - 2. **Parameter Retrieval**: Collects the mandatory Incident ID and any optional - update fields (Display Label, Description, etc.) from the action input. + 2. **Parameter Retrieval**: The action retrieves the Incident ID and the optional + update fields from the user input. - 3. **Payload Construction**: Builds a JSON payload containing the incident ID - and the specific properties that need to be updated. + 3. **API Interaction**: The action calls the `update_incident` method in the manager, + which constructs a JSON payload and sends a POST request to the MicroFocus ITSMA + API. - 4. **API Interaction**: Sends a POST request to the ITSMA 'ces' endpoint to apply - the updates. + 4. **Result Processing**: If the API call is successful, the action identifies + which parameters were updated and constructs a success message. - 5. **Result Handling**: Validates the API response and returns a success message - listing the parameters that were successfully updated. + 5. **Completion**: The action ends, returning the success status and the summary + message to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -209,13 +327,18 @@ Update Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the properties of an existing incident record in the MicroFocus ITSMA - platform, including fields like Display Label, Description, Impact Scope, Urgency, - and Service ID. + Updates an existing incident in the MicroFocus ITSMA system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update an incident in an external ITSM + system (MicroFocus ITSMA). It does not fetch data from external sources, nor + does it modify internal SOAR entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data and it + mutates an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -231,45 +354,76 @@ Update Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on a specific Incident + ID provided as a parameter. Update Incident External Status: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of an existing incident in an external ITSM system. + This matches the definition of 'Update Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- - ### General Description - - Updates the external status of a specific incident within the Micro Focus ITSMA - platform. This action is designed to synchronize incident states between Google - SecOps and the external ITSM system by modifying the 'ExternalStatus' property - of a target ticket. + Updates the external status of a specific incident in Micro Focus ITSMA. This + action allows analysts to synchronize the status of an incident between Google + SecOps and the Micro Focus ITSMA platform by providing the incident's unique identifier + and the desired status value. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. **Initialization**: The action initializes the Micro Focus ITSMA manager using + the provided integration configuration (API Root, credentials, Tenant ID, etc.). - | :--- | :--- | :--- | :--- | + 2. **Parameter Retrieval**: It retrieves the mandatory 'Incident ID' and 'Status' + parameters from the action input. - | Incident ID | The unique identifier of the incident in Micro Focus ITSMA that - needs to be updated. | String | Yes | + 3. **API Interaction**: The action constructs a payload containing the incident + ID and the new external status, then sends a POST request to the Micro Focus ITSMA + API endpoint. - | Status | The new external status value to be assigned to the incident (e.g., - 'Pending Vendor', 'Resolved'). | String | Yes | + 4. **Outcome Reporting**: Based on the API response, the action returns a success + message indicating the incident was updated or a failure message if no ticket + was modified. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action initializes the Micro Focus ITSMA manager using - the integration's configuration settings, including API Root, credentials, and - Tenant ID. + | Parameter Name | Type | Mandatory | Description | - 2. **Parameter Retrieval**: It retrieves the `Incident ID` and the target `Status` - from the action's input parameters. + | :--- | :--- | :--- | :--- | - 3. **API Request**: The action constructs a payload targeting the specific incident - ID and updates its external status properties. It then sends a POST request to - the Micro Focus ITSMA 'ces' (Common Entity Service) endpoint. + | Incident ID | string | True | The unique identifier of the incident in Micro + Focus ITSMA that needs to be updated. | - 4. **Completion**: Upon a successful response from the API, the action returns - a success message confirming the status change. If the update fails or no ticket - is found, it reports the failure accordingly. + | Status | string | True | The new external status value to be applied to the + incident. | capabilities: can_create_case_comments: false can_create_insight: false @@ -278,12 +432,19 @@ Update Incident External Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'ExternalStatus' property of a specific incident in the Micro Focus - ITSMA system via a POST request to the entity service endpoint. + Updates the status of an incident in the Micro Focus ITSMA platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update an incident's status in an external + system (Micro Focus ITSMA). It does not fetch data, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (updating an incident status) + and does not retrieve data for enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -299,3 +460,6 @@ Update Incident External Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It operates independently + of entities, using only the provided input parameters. diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..279708291 --- /dev/null +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml @@ -0,0 +1,19 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The integration 'micro_focus_itsma' is designed for IT Service Management (ITSM). + Its primary actions include creating and updating incidents within the MicroFocus + ITSMA platform. This aligns directly with the ITSM category, which is used to + document investigations and assign tasks via ticket management. It does not perform + SIEM, EDR, Network Security, Threat Intelligence, Email Security, IAM, Cloud Security, + Vulnerability Management, Asset Inventory, or Collaboration functions. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index 156dcf62a..fe0bd3c7a 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -1,25 +1,43 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Fetch System Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (OS version, owner, etc.) for a device + based on an IP address. This aligns with the 'Enrich Asset' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Fetch System Information** action retrieves detailed device metadata from - MobileIron for a given IP address. It is primarily used to gain visibility into - the state, ownership, and configuration of mobile devices or endpoints managed - by MobileIron. + The **Fetch System Information** action retrieves detailed technical and ownership + metadata for mobile devices managed by MobileIron, using the device's IP address + as the primary identifier. This action is primarily used for asset enrichment + during investigations to correlate network activity with specific managed devices + and users. ### Parameters Description @@ -28,47 +46,57 @@ Fetch System Information: | :--- | :--- | :--- | :--- | - | Fields To Fetch | String | No | A comma-separated list of specific MobileIron - fields to retrieve (e.g., `ios.DeviceName,user.email_address`). If left empty, - the action fetches a comprehensive default set of fields including OS version, - battery level, and compliance status. | + | **Fields To Fetch** | String | No | A comma-separated list of specific MobileIron + fields to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). + If left empty, the action retrieves a comprehensive set of default fields including + OS version, IMEI, and compliance status. | - ### Flow Description + ### Additional Notes - 1. **Entity Filtering**: The action identifies all `ADDRESS` entities within the - current context. + - The action specifically targets **ADDRESS** (IP Address) entities. - 2. **API Query**: For each IP address, it queries the MobileIron API (`/api/v2/devices`) - using a filter for the `common.ip_address` field. + - If multiple devices are associated with the same IP, the action typically returns + the first match found in the MobileIron registry. - 3. **Data Extraction**: It extracts the device information, applying the field - filters specified in the "Fields To Fetch" parameter. + - The results are presented as an entity-linked data table within the Google SecOps + case wall. - 4. **Enrichment**: The retrieved data is flattened and attached to the entity - as a data table for analyst review. + ### Flow Description - ### Additional Notes + 1. **Entity Filtering:** The action identifies all IP Address entities within + the current context. - - This action requires the MobileIron integration to be configured with valid - API credentials and Root URL. + 2. **API Query:** For each IP address, it queries the MobileIron API (`api/v2/devices`) + using a search filter for the `common.ip_address` field. - - If multiple devices share the same IP, the action retrieves the first match. + 3. **Data Retrieval:** It requests either the user-specified fields or a predefined + set of default system and user attributes. + + 4. **Internal Enrichment:** The retrieved device information is flattened and + attached to the corresponding entity as a data table for analyst review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the IP address entity containing system information retrieved - from MobileIron. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information from MobileIron using an IP address. It + does not modify external systems. It adds a data table to the entity in the + SOAR platform, which is an enrichment operation and does not constitute a state-changing + internal mutation. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (MobileIron) and enriches the + entity with a data table. It does not mutate external systems or perform unauthorized + internal mutations. It fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -85,52 +113,77 @@ Fetch System Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `EntityTypes.ADDRESS` + to perform the lookup. Fetch System Information By UUID: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (OS version, model, etc.) for a mobile + device, which aligns with the 'Enrich Asset' category. It does not perform IOC + enrichment, alert updates, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Fetch System Information By UUID** action retrieves detailed system and - hardware information for a specific mobile device managed by MobileIron. It uses - the device's unique identifier (UUID) to query the MobileIron API and returns - a comprehensive set of data points, including battery levels, OS versions, compliance - status, and network identifiers. + Fetches detailed system information for a specific mobile device using its Unique + Universal Identifier (UUID) via the MobileIron API. This action retrieves technical + metadata about a device, such as OS version, model, and ownership details, and + presents it in a structured data table within the case results. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Device UUID | String | Yes | The unique identifier (UUID) of the target mobile - device in the MobileIron system. | - - - ### Additional Notes - - * This action does not automatically iterate over entities in the Google SecOps - case. It relies strictly on the provided `Device UUID` parameter. - - * The action is useful for deep-dive investigations into a specific mobile asset - once its UUID has been identified by other discovery actions. + | Device UUID | string | Yes | The unique identifier (UUID) of the target device + in the MobileIron system. | ### Flow Description - 1. **Initialization**: The action initializes the MobileIron manager using the - integration's configuration settings (API Root, credentials, and SSL preferences). + 1. **Parameter Extraction:** The action retrieves the mandatory `Device UUID` + from the user input. - 2. **Parameter Retrieval**: It extracts the `Device UUID` from the action input - parameters. + 2. **API Initialization:** It initializes the MobileIron manager using the integration's + configuration settings (API Root, credentials, etc.). - 3. **Data Retrieval**: The action calls the MobileIron API's device details endpoint - specifically for the provided UUID. + 3. **Data Retrieval:** The action performs a GET request to the MobileIron API + endpoint `api/v2/devices/{device_uuid}/details` to fetch the system information. - 4. **Data Processing**: If information is found, the manager reformats the raw - key-value pairs into a structured dictionary. + 4. **Data Transformation:** If data is found, the raw response is processed and + rearranged into a key-value format suitable for display. - 5. **Output**: The processed system information is added to the action results - as a data table, and the action completes successfully. + 5. **Output Generation:** The formatted data is added to the action's results + as an entity table, and the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -141,8 +194,16 @@ Fetch System Information By UUID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve device details from MobileIron. + It does not modify external systems or internal case data (other than adding + a result table, which is standard for reporting). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (system information) and does not mutate external systems + or modify internal data (beyond adding a result table). It fits the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -158,14 +219,51 @@ Fetch System Information By UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter 'Device UUID' to fetch information. It does not + iterate over 'siemplify.target_entities' or use entity-specific identifiers + to perform its task. Therefore, it does not run on entities. List Devices: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a global inventory list of devices. It does not match the + expected outcomes for enrichment (which requires targeting specific entities), + alert updates, ticketing, or containment. It is a general information retrieval + action that does not fit into the provided specific product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Retrieves a comprehensive list of all devices managed within the MobileIron system. - This action is primarily used for administrative overview and asset discovery, - allowing users to specify exactly which data points (fields) should be returned - for each device. + This action provides visibility into the mobile asset inventory, allowing analysts + to see device metadata, ownership, and compliance status. The results are presented + as a data table within the case and as a raw JSON object for further processing. ### Parameters Description @@ -174,48 +272,51 @@ List Devices: | :--- | :--- | :--- | :--- | - | Fields To Fetch | String | No | A comma-separated string of specific device - fields to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). - If left empty, the integration uses a predefined set of default fields including - hardware identifiers, status, and user information. | - - - ### Additional Notes - - - This action does not target specific entities in the case; it performs a global - fetch of devices from the MobileIron instance. - - - The results are presented both as a formatted data table for human review and - as a raw JSON object for downstream automation. + | Fields To Fetch | String | No | A comma-separated list of specific device attributes + to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). If + left empty, the action retrieves a default set of common fields including UUID, + IMEI, IP address, and OS version. | ### Flow Description - 1. **Authentication**: Connects to the MobileIron API using the configured API - Root, Username, and Password. + 1. **Initialization**: The action initializes the MobileIron manager using the + integration's configuration settings (API Root, Credentials, SSL settings). - 2. **Data Retrieval**: Executes a GET request to the `/api/v2/devices` endpoint, - passing the `Fields To Fetch` parameter to filter the returned attributes. + 2. **Parameter Processing**: It retrieves the optional 'Fields To Fetch' parameter + to define the scope of data returned for each device. - 3. **Data Processing**: Flattens the resulting JSON structures into a tabular - format. + 3. **API Request**: The action executes a GET request to the MobileIron `/api/v2/devices` + endpoint. - 4. **Output Generation**: Constructs a CSV-formatted data table named "Devices" - and attaches it to the action results in Google SecOps. + 4. **Data Transformation**: The retrieved device list is flattened into a simplified + structure and converted into a CSV format. + + 5. **Result Reporting**: The action adds a data table named 'Devices' to the SOAR + case and returns the full device list as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Devices' to the action results, which is - stored within the Google SecOps case data. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a list of devices from the MobileIron + API. It does not modify any external systems (no POST/PUT/DELETE). It reports + results by adding a data table to the SOAR case, which is a standard result + reporting mechanism and does not constitute a mutation of internal case data + (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches a global list of devices from the MobileIron system. It does + not target specific entities within the case to gather supplemental context, + nor does it update entity profiles or create insights. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -231,69 +332,72 @@ List Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or reference `target_entities`. It fetches + a global list of devices from the MobileIron environment regardless of the entities + present in the case. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test ('Ping'). It does not perform any + of the listed operational tasks such as enrichment, containment, ticketing, + or alert management. Therefore, it does not match any of the defined categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and a MobileIron instance. It ensures that the provided credentials - (Username and Password) and the API Root URL are correct and that the MobileIron - service is reachable over the network. + Google SecOps and the MobileIron instance. It ensures that the provided configuration + parameters (API Root, Credentials, etc.) are correct and that the MobileIron API + is reachable. ### Parameters Description - This action does not have any input parameters. It relies entirely on the integration's - configuration settings: - - - | Parameter Name | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | API Root | The base URL of the MobileIron instance. | String | Yes | Used to - construct the API endpoint. | - - | Username | The API username for authentication. | String | Yes | Used for Basic - Auth. | - - | Password | The API password for authentication. | String | Yes | Used for Basic - Auth. | - - | Admin Device ID | The device space ID of the administrator. | Integer | No | - Defaults to 1 if not provided. | - - | Cloud Instance | Whether the instance is a cloud-based MobileIron instance. - | Boolean | No | If true, appends 'rest/' to the API root. | - - | Verify SSL | Whether to verify the SSL certificate of the connection. | Boolean - | No | Defaults to false. | - - - ### Additional Notes - - - This action is typically used during the initial setup of the integration or - for troubleshooting communication issues. - - - It performs a simple GET request to the `api/V2/ping` endpoint. + There are no parameters for this action. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the integration configuration, - including the API Root, credentials, and connection settings. + 1. **Configuration Retrieval**: The action retrieves the integration configuration, + including the API Root, Username, Password, and SSL settings. - 2. **Manager Initialization:** It initializes the `MobileIronManager` with the - retrieved settings, handling URL formatting for cloud or on-premise instances. + 2. **Manager Initialization**: It initializes the `MobileIronManager` with the + retrieved settings. - 3. **Connectivity Test:** The action calls the `ping()` method of the manager, - which sends a GET request to the MobileIron ping API. + 3. **Connectivity Test**: The action calls the `ping` method in the manager, which + sends a GET request to the MobileIron ping endpoint (`api/V2/ping`). - 4. **Response Validation:** The manager validates the HTTP response. If the status - code is successful, it returns `True`. + 4. **Validation**: It validates the HTTP response from the server. - 5. **Final Result:** The action ends by providing a success message ("Connection - Established.") or a failure message based on the API response. + 5. **Final Result**: If the request is successful, it returns a 'Connection Established' + message; otherwise, it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -302,10 +406,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (GET request) to verify the + API is reachable. It does not retrieve entity context, modify external systems, + or update internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, Ping actions are explicitly + excluded from being enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -321,42 +432,71 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It is a global connectivity test, so the `entity_types` list is empty. Unlock Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a device management operation (unlocking) on an external + system. It does not match the specific categories provided (e.g., it is not + network isolation, identity management, or ticket creation). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Unlocks a mobile device managed by MobileIron using its IP address. This action - is primarily used to restore user access to a device after a security lock has - been applied or as part of a remediation workflow. + The **Unlock Device** action allows analysts to remotely unlock a mobile device + managed by MobileIron using its IP address. This action is primarily used during + incident response to restore access to a device or to facilitate forensic investigation + on a locked endpoint. - ### Parameters + ### Parameters Description - There are no specific action parameters required for this action. It relies on - the global integration configuration (API Root, Username, Password, etc.) and - the IP address entities provided in the context. + There are no input parameters for this action. It relies on the IP address entities + provided in the context and the integration's global configuration. ### Flow Description - 1. **Entity Filtering**: The action identifies all IP Address (ADDRESS) entities - within the current alert or case context. - - 2. **Device Resolution**: For each identified IP address, the action queries the - MobileIron API to find a matching device and retrieve its unique identifier (UUID). + 1. **Entity Filtering**: The action identifies all entities of type `ADDRESS` + within the current SOAR context. - 3. **Unlock Command**: Once the UUID is obtained, the action sends a POST request - to the MobileIron 'action' endpoint with the `UNLOCK_DEVICE_ONLY` command type. + 2. **Device Identification**: For each identified IP address, the action queries + the MobileIron API to find the corresponding unique Device UUID. - 4. **Execution Reporting**: The action logs the outcome of the unlock attempt - for each entity and provides a summary message to the user. - - - ### Additional Notes + 3. **Unlock Command**: Once the UUID is retrieved, the action sends a POST request + to the MobileIron `Action` endpoint with the `UNLOCK_DEVICE_ONLY` command to trigger + the physical unlocking of the device. - This action requires the MobileIron 'Cloud Instance' and 'Admin Device ID' settings - to be correctly configured in the integration parameters to resolve device information - accurately. + 4. **Result Reporting**: The action logs the outcome of the operation and reports + whether the unlock command was successfully dispatched for the processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -365,12 +505,19 @@ Unlock Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to the MobileIron API to trigger a remote 'Unlock' command - on the physical mobile device associated with the target IP address. + Sends a POST request to the MobileIron API to unlock the specified mobile device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (UUID) from MobileIron (fetches_data=true) + and performs a POST request to unlock the device (can_mutate_external_data=true). + It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (unlocking a device) and + does not meet the criteria for an enrichment action, which must be read-only + regarding external systems. entity_usage: entity_types: - ADDRESS @@ -387,14 +534,49 @@ Unlock Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them by `entity.entity_type + == EntityTypes.ADDRESS`. It does not apply other filters. Unlock Device by UUID: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: true + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a POST request to unlock a device in MobileIron. This is + a remediation action that restores access to a device. This aligns with the + 'Enable Identity' category, which is defined as restoring authentication capabilities + and system access for a previously disabled account. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Unlocks a mobile device managed by MobileIron using its unique Universal Unique - Identifier (UUID). This action is designed to remotely trigger an unlock command - on a specific device, facilitating administrative access or troubleshooting for - managed mobile assets. + Unlocks a mobile device managed by MobileIron using its unique identifier (UUID). + This action sends a command to the MobileIron server to remove the lock screen + or restriction on the specified device, allowing the user to regain access. ### Parameters Description @@ -403,28 +585,30 @@ Unlock Device by UUID: | :--- | :--- | :--- | :--- | - | Device UUID | String | Yes | The unique identifier (UUID) of the target device - to be unlocked. This value is used to target the specific device in the MobileIron - inventory. | + | Device UUID | String | Yes | The unique identifier (UUID) of the target mobile + device to be unlocked. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the MobileIron manager using the - integration's configuration settings (API Root, Credentials, etc.). + This action requires a valid MobileIron integration configuration to be set up + in the Google SecOps environment. It performs a direct mutation on the external + MobileIron system. + + + ### Flow Description - 2. **Parameter Extraction**: The action retrieves the mandatory `Device UUID` - from the input parameters. + 1. **Initialization**: Retrieves connection settings (API Root, Credentials, SSL + settings) from the MobileIron integration configuration. - 3. **Validation**: It checks if the `Device UUID` is provided; if not, it raises - an exception. + 2. **Parameter Extraction**: Retrieves the mandatory `Device UUID` from the action + input. - 4. **API Interaction**: The action calls the `unlock_device_by_uuid` method in - the manager, which sends a POST request to the MobileIron API (`api/v2/devices/action`) - with the `actionType` set to `UNLOCK_DEVICE_ONLY`. + 3. **Execution**: Calls the MobileIron API's action endpoint with the `UNLOCK_DEVICE_ONLY` + command specifically for the provided UUID. - 5. **Completion**: Upon a successful API response, the action concludes with a - success message indicating the unlock command was sent for the specified UUID. + 4. **Completion**: Validates the API response and terminates the action with a + success message if the command was successfully issued. capabilities: can_create_case_comments: false can_create_insight: false @@ -433,12 +617,18 @@ Unlock Device by UUID: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a remote 'UNLOCK_DEVICE_ONLY' command on the target mobile device via - the MobileIron platform, changing the device's lock state. + Sends a command to the MobileIron API to unlock the specified mobile device. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the MobileIron API to unlock a device. + It does not fetch data, nor does it modify internal SOAR data (entities, insights, + etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (unlocking a device) and does not fetch data + for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -454,3 +644,6 @@ Unlock Device by UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter `Device UUID` provided by the user, not the `target_entities` + list from the SOAR platform. Therefore, it does not operate on entities. diff --git a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..763138e9d --- /dev/null +++ b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The MobileIron integration provides Mobile Device Management (MDM) capabilities. + Its primary function is to provide visibility into mobile assets, including retrieving + device metadata (OS version, owner, compliance status) and listing managed devices, + which directly aligns with the 'Asset Inventory' category. While the integration + includes 'Unlock Device' actions, these are device-level remediation tasks rather + than user identity management (IAM) or host-level containment (EDR). It does not + perform log analysis (SIEM), network traffic blocking (Network Security), threat + intelligence enrichment, email security, cloud security, ITSM ticketing, vulnerability + management, or collaboration/notification tasks. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index fc922a76d..53405d9ac 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -1,39 +1,78 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Device: - ai_description: "### General Description\nEnriches IP Address and MacAddress entities\ - \ with comprehensive device information retrieved from Portnox. This action helps\ - \ analysts gain visibility into device details such as security status, location,\ - \ and history directly within the Google SecOps platform by mapping Portnox device\ - \ data to entity attributes.\n\n### Parameters Description\nThere are no parameters\ - \ for this action.\n\n### Flow Description\n1. **Initialization**: The action\ - \ establishes a connection to the Portnox API using the integration's configuration\ - \ (API Root, Username, Password, and SSL verification settings).\n2. **Entity\ - \ Processing**: The action iterates through the target entities provided in the\ - \ context.\n3. **Device Search**: \n - For **IP Address** entities, it searches\ - \ Portnox for a device matching the IP.\n - For **MacAddress** entities, it\ - \ searches Portnox for a device matching the MAC address.\n4. **Data Transformation**:\ - \ If a device is found, the action flattens the resulting JSON data and adds a\ - \ 'Portnox' prefix to all keys to ensure clear data provenance.\n5. **Internal\ - \ Enrichment**: The action updates the entity's `additional_properties` with the\ - \ flattened device data and sets the `is_enriched` flag to `True`.\n6. **Final\ - \ Update**: The action commits the enriched data back to Google SecOps using the\ - \ `update_entities` method and provides a summary message of the enriched entities.\n\ - \n### Additional Notes\n- While the action uses a `POST` request to the `/devices`\ - \ endpoint for searching, this is a read-only query operation and does not modify\ - \ the state of the device in Portnox." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (security status, location, hardware + info) for a device (IP/MAC). This matches the 'Enrich Asset' category. It does + not provide threat intelligence (reputation/prevalence) for an IOC, so it is + not 'Enrich IOC'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Enriches IP Address and MAC Address entities with comprehensive device metadata + from Portnox. This action queries the Portnox API to retrieve details such as + security status, location, and hardware information for the specified network + identifiers. The retrieved data is then mapped to the entity's additional properties + within Google SecOps, providing analysts with immediate context regarding the + device's posture and identity. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + - The action uses a POST request to the `/devices` endpoint for searching, but + this is a read-only query operation and does not modify data in Portnox. + + - If multiple devices match a search query, the action selects the first result + returned by the API. + + + ### Flow Description + + 1. **Authentication**: Connects to the Portnox API using the configured API Root, + Username, and Password. + + 2. **Entity Filtering**: Identifies supported entities (IP Addresses and MAC Addresses) + from the target entities list. + + 3. **Data Retrieval**: For each supported entity, it executes a search query in + Portnox using the entity's identifier (IP or MAC address). + + 4. **Data Transformation**: If a device is found, the resulting JSON object is + flattened and prefixed with 'Portnox' to ensure clear attribution in the SOAR. + + 5. **Internal Update**: Updates the entity's additional properties with the enriched + data and marks the entity as 'enriched' within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -44,10 +83,18 @@ Enrich Device: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of the entities with device information - retrieved from Portnox and sets the 'is_enriched' flag to true. + Updates entity `additional_properties` and `is_enriched` status. + reasoning: >- + The action queries the Portnox API to retrieve device information based on IP + or MAC address. It does not modify external systems (the POST request is a search + query). It updates internal entity properties (`additional_properties`) and + marks them as enriched in Google SecOps. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Portnox) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entity properties). Therefore, it is an enrichment action. entity_usage: entity_types: - ADDRESS @@ -65,14 +112,50 @@ Enrich Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks for + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS` to perform the enrichment. Get Device History: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical activity logs for a device, which provides contextual + metadata about the asset. This aligns with the 'Enrich Asset' category. It does + not provide threat intelligence for an IOC (not 'Enrich IOC'), nor does it perform + any containment or ticket management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves historical authentication and connection data for devices associated - with IP or MAC address entities from Portnox. This action is used to understand - the historical context of a device's activity within the network over a specified - period. + The **Get Device History** action retrieves historical activity logs for network + devices managed by Portnox NAC. It allows analysts to see the connection and authentication + history of specific endpoints within a defined timeframe, providing context for + investigations involving potentially compromised or unauthorized devices. ### Parameters Description @@ -81,33 +164,36 @@ Get Device History: | :--- | :--- | :--- | :--- | - | Days Backwards | Integer | Yes | Specifies how many days into the past the action - should look to retrieve device history. Defaults to 1. | + | Days Backwards | String | Yes | Specifies the number of days prior to the current + time to fetch history for. For example, entering "1" retrieves history from the + last 24 hours. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Connects to the Portnox API using provided credentials. + - This action supports **IP Address** and **MAC Address** entities. - 2. **Timeframe Calculation**: Determines the start and end timestamps based on - the 'Days Backwards' parameter. + - The results are presented as a CSV-formatted table attached to the entity. - 3. **Device Lookup**: For each IP (ADDRESS) or MAC address entity, it searches - Portnox to find the corresponding internal device ID. - 4. **History Retrieval**: Fetches the detailed history for the identified device - within the calculated timeframe. + ### Flow Description - 5. **Data Presentation**: Converts the history data into a CSV format and attaches - it as a table to the specific entity in Google SecOps. + 1. **Time Range Calculation:** The action calculates the start and end timestamps + based on the `Days Backwards` parameter and the current UTC time. - 6. **Entity Update**: Marks the entities as updated/enriched in the system. + 2. **Entity Identification:** It filters the target entities to find IP Addresses + and MAC Addresses. + 3. **Device Search:** For each valid entity, it queries Portnox to find the internal + `deviceId` using a POST request to the search endpoint. - ### Additional Notes + 4. **History Retrieval:** Using the `deviceId`, it fetches the device's history + logs for the calculated time range via a GET request. + + 5. **Data Presentation:** If history is found, it is converted to a CSV format + and added as an entity-specific data table in Google SecOps. - - If no device is found for an entity, or no history exists for the timeframe, - the action will skip that entity and report the results at the end. + 6. **Entity Update:** The action updates the entities to indicate successful enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -115,13 +201,23 @@ Get Device History: can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields and adds a device history table to the entity in Google - SecOps. + The action updates entity objects and adds entity-specific data tables to the + case. + reasoning: >- + The action fetches device history data from the Portnox API (GET requests) and + performs a search (POST request) to identify the device ID. It does not mutate + external systems. It performs internal mutations by adding data tables to entities + and updating the entities themselves using the SOAR SDK. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Portnox) to provide context + for an investigation. It does not mutate external systems. It performs allowed + internal mutations (updating entities and adding data tables). Therefore, it + qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -139,41 +235,86 @@ Get Device History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where the type is `ADDRESS` or `MACADDRESS`. Get Device Locations: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual location metadata for a device (asset), which + matches 'Enrich Asset'. It also performs a search for the device in the Portnox + platform, matching 'Search Asset'. It does not provide threat intelligence (Enrich + IOC) or perform containment/blocking. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves physical or network location information for devices associated - with IP Address or MAC Address entities from the Portnox NAC platform. It is used - to identify where a specific device is connected within the network infrastructure, - providing visibility into the device's current or last known location. + The **Get Device Locations** action retrieves physical or logical location information + for devices associated with IP Address or MAC Address entities from the Portnox + NAC platform. It helps analysts understand where a specific device is connected + within the network infrastructure by providing details such as switch names, ports, + or site locations. - ### Parameters + ### Parameters Description - There are no parameters for this action. + There are no user-configurable parameters for this action. It relies on the integration's + global configuration (API Root, Username, Password) and the entities present in + the current context. ### Flow Description - 1. **Entity Filtering**: The action iterates through the target entities in the - current context, specifically looking for entities of type `ADDRESS` (IP) or `MacAddress`. + 1. **Entity Identification**: The action iterates through the target entities + in the case, specifically looking for `ADDRESS` (IP) and `MacAddress` types. - 2. **Device Search**: For each supported entity, the action queries Portnox to - find a matching device record using the IP address or MAC address as the search - key. + 2. **Device Search**: For each supported entity, it queries Portnox to find a + matching device record using the IP or MAC address as the search key. - 3. **Location Retrieval**: If a device is found, the action uses the internal - Portnox device ID to fetch all associated location records. + 3. **Location Retrieval**: If a device is found, the action retrieves its current + location data from the Portnox API. - 4. **Data Sanitization**: The retrieved location data is processed to remove internal - technical details (like `portIds`) to ensure the output is clean and readable. + 4. **Data Sanitization**: The retrieved location data is cleaned by removing internal + or irrelevant fields (e.g., `portIds`). - 5. **Result Attachment**: The location data is formatted into a CSV table and - attached directly to the entity as an 'Entity Table' in the Google SecOps UI. + 5. **Enrichment**: The location details are formatted into a CSV table and attached + to the entity within Google SecOps. The entity is then updated to reflect the + enrichment. - 6. **Entity Update**: Successfully enriched entities are updated within the system - to reflect the new information. + + ### Additional Notes + + - This action is strictly read-only regarding the Portnox system; it does not + change device status or network access policies. + + - If no device is found for a specific entity, that entity is skipped without + failing the entire action. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,10 +325,18 @@ Get Device Locations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entities in Google SecOps to mark them as enriched and attaches - a data table containing the retrieved location information to the entity's profile. + Updates entity data in Google SecOps and adds a data table to the entity. + reasoning: >- + The action queries the Portnox API to retrieve location information for devices + identified by IP or MAC address. It does not modify external system state (the + POST request is a search query). It updates internal entity data in Google SecOps + and adds a data table to the entity. categories: enrichment: true + reasoning: >- + The action fetches data (location) from an external system (Portnox) and updates + internal entities without modifying external state. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -205,20 +354,56 @@ Get Device Locations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and checks `entity.entity_type` + against `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS`. It filters entities + based on their type. Get Installed Applications: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for a device (asset) in Portnox and retrieves its installed + applications, which is contextual metadata for an asset. This matches 'Enrich + Asset' and 'Search Asset'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Installed Applications** action retrieves a comprehensive list of all - software applications installed on a specific device managed by Portnox. This - action provides visibility into the software inventory of endpoints, which is - essential for security audits and compliance monitoring. It supports both IP Address - and MAC Address entities. + This action retrieves a comprehensive list of all installed applications on a + specific device by interfacing with Portnox. It is designed to provide security + analysts with visibility into the software inventory of endpoints identified by + their IP Address or MAC Address. The retrieved data is presented as a CSV table + attached to the entity within the Google SecOps platform. - ### Parameters + ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -227,44 +412,56 @@ Get Installed Applications: ### Additional Notes - - The action identifies devices in Portnox using either their IP Address or MAC - Address. + - The action relies on the Portnox integration configuration (API Root, Username, + Password) to authenticate. - - The retrieved application list is attached to the entity as a data table in - CSV format. + - It specifically targets entities of type **ADDRESS** (IP) and **MacAddress**. + + - If multiple devices match a search criterion in Portnox, the action processes + the first match returned by the API. ### Flow Description - 1. **Authentication**: Establishes a connection to the Portnox API using the configured - credentials. + 1. **Initialization**: The action initializes the Portnox manager using the provided + integration credentials. + + 2. **Entity Filtering**: It iterates through the target entities in the current + context, filtering for IP Addresses and MAC Addresses. - 2. **Entity Filtering**: Iterates through the target entities, focusing on IP - Address and MAC Address types. + 3. **Device Search**: For each valid entity, it performs a search in Portnox (using + the IP or MAC Address as the key) to find the unique device ID. - 3. **Device Search**: Queries Portnox to find a device record matching the entity's - identifier. + 4. **Data Retrieval**: Once a device is identified, the action calls the Portnox + API to fetch the list of installed applications associated with that device ID. - 4. **Inventory Retrieval**: If a match is found, the action fetches the list of - installed applications for that device. + 5. **Data Formatting**: The list of applications is converted into a CSV format. - 5. **Data Enrichment**: Formats the application list as a CSV and attaches it - to the entity as a data table. + 6. **Internal Update**: The CSV data is added as an entity-specific table in the + SOAR, and the entities are updated to reflect the enrichment process. - 6. **Entity Update**: Updates the entities within the Google SecOps case to include - the new information. + 7. **Completion**: The action concludes by providing a summary message of which + entities were successfully enriched. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Updates entities and adds entity tables with the retrieved application list. + reasoning: >- + The action fetches device application data from Portnox using IP or MAC address. + It does not change external system state. It updates internal SOAR entities + with the retrieved data using `add_entity_table` and `update_entities`. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and adds it to the entity without modifying + external systems. It fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -282,53 +479,79 @@ Get Installed Applications: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `ADDRESS` + and `MacAddress` types to perform the lookup. Get Open Ports: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves open ports for a device, which is contextual metadata for + an asset, matching 'Enrich Asset'. It also performs a search for the device + in the product, matching 'Search Asset'. It does not match other categories + like IOC enrichment, ticket creation, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Open Ports** action retrieves a comprehensive list of open network ports - for a specific device managed by Portnox. It supports both IP Address and MAC - Address entities. By querying the Portnox NAC (Network Access Control) system, - security analysts can gain visibility into the services exposed on a device, which - is crucial for vulnerability assessment and incident response. + Retrieves a list of all open ports for a specific device from the Portnox NAC + platform. This action supports IP Address and MAC Address entities. It first searches + for the device within Portnox to obtain its internal ID and then fetches the current + open port details. The results are presented as an entity-specific data table + within the case. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - + ### Flow Description - ### Additional Notes + 1. **Initialization**: Connects to the Portnox API using the provided credentials + and configuration. - - The action uses the device's IP or MAC address to first locate the device ID - within Portnox before fetching the port details. + 2. **Device Search**: For each IP Address or MAC Address entity, the action queries + Portnox to find a matching device record. - - Results are presented as a CSV-formatted table attached to the entity. + 3. **Port Retrieval**: If a device is found, the action requests the list of open + ports associated with that device's ID. + 4. **Data Presentation**: Converts the retrieved port data into a CSV format and + attaches it as an entity table to the specific entity in the case. - ### Flow Description + 5. **Entity Update**: Marks the entities as enriched and updates their status + within the Google SecOps platform. - 1. **Initialization**: The action connects to the Portnox API using the configured - credentials and SSL settings. - 2. **Entity Filtering**: It identifies all `ADDRESS` (IP) and `MacAddress` entities - within the current context. + ### Parameters Description - 3. **Device Lookup**: For each valid entity, it performs a search in Portnox to - retrieve the internal `deviceId`. + There are no additional parameters for this action; it relies on the target entities + (IP Address or MAC Address) and the integration's global configuration. - 4. **Port Retrieval**: Using the `deviceId`, it fetches the list of open ports - from the Portnox details endpoint. - 5. **Enrichment**: If ports are found, it generates a CSV table and attaches it - to the entity in the SOAR UI. + ### Additional Notes - 6. **Final Update**: The action updates the entities in the case to reflect the - new information and provides a summary message. + This action is designed to enrich asset information by querying the Portnox NAC. + It does not perform any destructive actions or state changes on the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -339,10 +562,20 @@ Get Open Ports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity records and attaches data tables to entities within - the Google SecOps platform. + Updates entity status and adds an entity table to the case. + reasoning: >- + The action fetches data from the Portnox API (fetches_data=true) to retrieve + open ports for a device. It does not mutate external data (can_mutate_external_data=false) + as it only performs search and GET requests. It performs internal mutations + by updating entities and adding an entity table (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches contextual data (open + ports) about an asset from an external system (Portnox) and updates the entity + within the SOAR platform without modifying any external system state. entity_usage: entity_types: - ADDRESS @@ -360,50 +593,75 @@ Get Open Ports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on their type, specifically supporting 'ADDRESS' and 'MacAddress' entities. Get Services: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for a device (asset) in the Portnox system and retrieves + its services, which constitutes contextual metadata. This matches the 'Enrich + Asset' and 'Search Asset' categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Services** action retrieves a list of all services running on a specific - device by querying the Portnox NAC platform. It supports both IP Address and MAC - Address entities. The results are attached to the entity as a data table for easy - review within the case. + Retrieves a list of all services running on a device associated with an IP Address + or MAC Address entity via Portnox. This action helps analysts understand the software + footprint and active services on a network asset by fetching real-time service + data from the Portnox NAC solution. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters beyond - the entities themselves. | - - - ### Additional Notes - - This action is primarily used for host enrichment during an investigation to understand - the software profile of a connected device. + There are no parameters for this action. ### Flow Description - 1. **Connect to Portnox**: Initializes the connection using integration configuration. - - 2. **Identify Entities**: Iterates through the target entities, specifically looking - for IP Addresses and MAC Addresses. + 1. **Identify Entities**: The action iterates through the target entities in the + current context, specifically looking for IP Address (`ADDRESS`) and MAC Address + (`MacAddress`) types. - 3. **Search Device**: For each entity, it performs a search in Portnox to find - the corresponding device record. + 2. **Device Search**: For each valid entity, it queries the Portnox API to find + a matching device record using the IP or MAC address as the search key. - 4. **Fetch Services**: If a device is found, it retrieves the list of services - associated with that device. + 3. **Service Retrieval**: If a device is successfully identified, the action makes + a follow-up request to Portnox to retrieve the full list of services associated + with that specific device ID. - 5. **Enrich SOAR**: Converts the service list into a CSV format and adds it as - a data table to the entity. + 4. **Data Presentation**: The retrieved service list is converted into a CSV format + and attached to the entity as an 'Entity Table' for easy review within the Google + SecOps interface. - 6. **Update Entities**: Updates the entities in the SOAR to reflect the new enrichment - data. + 5. **Entity Update**: The action updates the entities in the platform to reflect + that enrichment has occurred. capabilities: can_create_case_comments: false can_create_insight: false @@ -414,10 +672,19 @@ Get Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table containing service information to the entity and updates the - entity's status in the SOAR. + The action updates the entity within Google SecOps and adds an entity table + containing the retrieved service information. + reasoning: >- + The action fetches device service information from Portnox by searching for + devices via IP or MAC address. It then attaches this information to the entity + as a table and updates the entity. It does not modify external systems, making + it a read-only operation regarding external state. categories: enrichment: true + reasoning: >- + The action fetches data (services) to enrich the entity's context. It does not + mutate external systems and only performs allowed internal mutations (updating + entities and adding an entity table). This fits the enrichment criteria. entity_usage: entity_types: - ADDRESS @@ -435,58 +702,83 @@ Get Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters by + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS` to perform the device search. Get User History: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (user history) for a resource (device), + which matches 'Enrich Asset'. It also performs a search for the asset within + the product, matching 'Search Asset'. It does not perform IOC enrichment, alert + updates, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves the user authentication history for specific devices from - Portnox. It targets entities of type IP Address or MAC Address, searches for the - corresponding device in the Portnox system, and fetches a detailed log of users - who have authenticated on that device. The results are presented as a CSV-formatted - data table attached to the entity within Google SecOps. + Retrieves the user authentication history for specific device entities from Portnox. + This action allows analysts to see which users have authenticated to a device + (identified by IP or MAC address) over time, providing critical context for investigations + involving shared assets or compromised credentials. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters beyond - the integration configuration. | + There are no parameters for this action. ### Additional Notes - * The action relies on the integration's global configuration for API credentials - and connectivity. - - * If multiple devices match a search criteria in Portnox, the action defaults - to the first device returned by the API. + This action performs a two-step process: first, it searches for the device in + Portnox to obtain an internal device ID, and then it fetches the user history + associated with that ID. The results are attached directly to the entity as a + data table. ### Flow Description - 1. **Initialization**: The action establishes a connection to the Portnox API - using the configured API Root, Username, and Password. - - 2. **Entity Filtering**: It iterates through the target entities, specifically - looking for `ADDRESS` (IP) and `MacAddress` types. + 1. **Identify Entities**: The action filters the target entities to find those + of type `ADDRESS` (IP) or `MacAddress`. - 3. **Device Search**: For each supported entity, it queries Portnox to find a - matching device ID based on the IP or MAC address. + 2. **Device Search**: For each valid entity, it queries the Portnox API to find + a matching device record. - 4. **History Retrieval**: If a device is found, the action calls the Portnox API - to fetch the `userHistory` for that specific device ID. + 3. **Fetch History**: If a device is found, the action retrieves its user authentication + history using the Portnox device ID. - 5. **Data Transformation**: The retrieved JSON history data is converted into - a CSV format. + 4. **Data Formatting**: The retrieved history is converted into a CSV format. - 6. **Internal Enrichment**: The CSV data is added as an entity-specific data table - in Google SecOps, and the entity is marked as updated. + 5. **Enrichment**: The CSV data is attached to the entity as a data table named + "[Identifier] - User History". - 7. **Completion**: The action returns a summary message listing all entities for - which authentication history was successfully retrieved. + 6. **Update**: The action updates the entities in Google SecOps to save the newly + attached data tables. capabilities: can_create_case_comments: false can_create_insight: false @@ -497,10 +789,21 @@ Get User History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entities in Google SecOps and attaches a data table containing - the retrieved authentication history to the entity's context. + The action updates entities in Google SecOps by attaching a data table containing + the retrieved user history. + reasoning: >- + The action fetches user authentication history from the Portnox API (fetches_data=true). + It does not mutate external systems (search_device is a read-only query). It + performs internal mutations by updating entities with new data tables (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action is designed to gather supplemental context (user history) about entities + (devices). It does not mutate external systems and only performs allowed internal + mutations (updating entities). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -518,44 +821,73 @@ Get User History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks for + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS`. It does not apply any other + filters. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic test to verify connectivity. It does not perform + any of the listed functional outcomes (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Portnox instance. This action - verifies that the provided credentials (Username, Password) and the API Root URL - are correct and that the service is reachable. It serves as a health check to - ensure the integration is properly configured and functional. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the Portnox instance. It validates the integration configuration + by attempting to authenticate with the provided credentials (API Root, Username, + and Password) and checking the server's responsiveness. ### Parameters Description - There are no parameters for this action. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting connection issues. It does not interact with any entities or modify - any data. + There are no input parameters for this action. It relies entirely on the integration's + global configuration settings. ### Flow Description 1. **Configuration Retrieval**: The action retrieves the API Root, Username, Password, - and SSL verification settings from the integration configuration. + and SSL verification settings from the Portnox integration configuration. - 2. **Manager Initialization**: A `PortnoxManager` instance is initialized with - the retrieved configuration. + 2. **Manager Initialization**: It initializes the `PortnoxManager` with the retrieved + settings. - 3. **Connectivity Test**: The action calls the `test_conectivity` method, which - performs a GET request to the `/auth/user` endpoint of the Portnox API. + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + executes a GET request to the `/auth/user` endpoint of the Portnox API. - 4. **Response Validation**: The manager validates the API response to ensure successful - authentication and connectivity. + 4. **Response Validation**: The manager validates the HTTP response. If the request + is successful (HTTP 200), the connection is considered established. - 5. **Action Completion**: If the connection is successful, the action ends with - a success message and a result value of `true`. + 5. **Completion**: The action ends with a success message 'Connection Established' + and a result value of 'true'. capabilities: can_create_case_comments: false can_create_insight: false @@ -566,8 +898,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Portnox API. + It does not modify external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -583,19 +923,56 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities, as indicated by the empty `SimulationDataJson` + and the lack of entity processing in the code. Revalidate Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a policy revalidation on a device in the Portnox NAC system. + This is a remediation/management action. It does not fit the specific categories + provided (e.g., it is not 'Contain Host' as it does not isolate the device, + nor is it an 'Update Identity' or 'Enrich' action). Therefore, no specific category + is selected. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Revalidates a device's policy within the Portnox Network Access Control (NAC) - system. This action is used to force a security posture check or policy re-evaluation - for a specific device managed by Portnox, ensuring it complies with current network - security requirements. + The **Revalidate Device** action triggers a policy revalidation for a specific + device within the Portnox Network Access Control (NAC) system. This action is + used to force a device to undergo a fresh security posture check or authentication + cycle to ensure it complies with current network policies. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -603,28 +980,29 @@ Revalidate Device: needs to be revalidated. | - ### Additional Notes + ### Flow Description - This action does not run on SecOps entities automatically; it requires a specific - `DeviceId` provided as an input parameter. The action includes a polling mechanism - that waits for the external system to confirm the revalidation is complete before - finishing. + 1. **Initialization**: The action connects to the Portnox API using the provided + credentials and configuration. + 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint to + initiate the revalidation process for the specified `DeviceId`. - ### Flow Description + 3. **Status Polling**: The action enters a polling loop, calling the device information + endpoint to monitor the `securityStatus` of the device. - 1. **Initialization**: Retrieves Portnox API credentials and the `DeviceId` from - the action parameters. + 4. **Completion**: It waits until the device status reaches 'AuthorizationPassed' + or a timeout occurs. Once the status is confirmed, the action completes with a + success message. - 2. **Trigger Revalidation**: Sends a POST request to the Portnox API to initiate - the revalidation process for the specified device. - 3. **Status Polling**: Enters a loop that periodically fetches the device's information - from Portnox to monitor its `securityStatus`. + ### Additional Notes + + - This action does not run on SOAR entities; it requires a specific `DeviceId` + provided as a parameter. - 4. **Completion**: The action concludes successfully once the device status changes - to 'AuthorizationPassed'. If the status does not update within the timeout period, - an error is raised. + - The action includes a built-in waiting mechanism to ensure the revalidation + process finishes before the action returns a result. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,12 +1011,20 @@ Revalidate Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a device policy revalidation process in Portnox NAC, which initiates - a state change/security check on the target device. + Triggers a policy revalidation for a device in the Portnox NAC system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to trigger a revalidation process in the + external Portnox NAC system (external mutation). It also performs GET requests + to poll the device status (fetches data). It does not interact with internal + SOAR entities or modify internal case data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Portnox NAC) and does + not meet the criteria for an enrichment action, which must be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -654,41 +1040,85 @@ Revalidate Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It accepts a `DeviceId` as a direct + input parameter and does not iterate over `target_entities`. Revalidate Device By Address: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a revalidation of a device's NAC policy in Portnox. This + does not fit the specific categories provided (e.g., it is not blocking, isolating, + or updating an alert). It is a control action on a NAC system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Revalidate Device By Address** action triggers a revalidation of the authentication - policy for devices connected to the Portnox NAC (Network Access Control) system. - It identifies devices using their IP address or MAC address and forces the system - to re-evaluate their security posture or authorization status. This is typically - used to ensure a device still complies with network policies after a change in - its behavior or environment. + The **Revalidate Device By Address** action forces a re-evaluation of the network + access control (NAC) policy for specific devices within the Portnox environment. + This action is used to ensure that a device is compliant with current organizational + security policies by triggering a fresh authentication and validation cycle. It + supports both IP address and MAC address entities. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - Portnox integration configuration (API Root, Username, Password, and SSL verification). + There are no parameters for this action. It operates directly on the entities + provided in the context. ### Flow Description - 1. **Entity Filtering**: The action iterates through the target entities in the - current scope, specifically looking for `ADDRESS` (IP) and `MacAddress` types. + 1. **Entity Identification**: The action iterates through the target entities, + specifically looking for `ADDRESS` (IP) and `MacAddress` types. - 2. **Device Search**: For each valid entity, it queries the Portnox API to find - a matching device record using the identifier. + 2. **Device Search**: For each identified entity, it queries the Portnox API to + find the corresponding device record using the IP or MAC address. - 3. **Trigger Revalidation**: If a device is found, the action sends a POST request - to Portnox to initiate the revalidation process for that specific device ID. + 3. **Trigger Revalidation**: If a matching device is found, the action sends a + request to Portnox to initiate a revalidation of that device's authentication + policy. + + 4. **Status Polling**: The action enters a wait state, polling the Portnox API + to monitor the device's security status until the revalidation process is confirmed + as complete (e.g., status becomes 'AuthorizationPassed'). + + 5. **Final Reporting**: The action concludes by listing all entities for which + the device revalidation was successfully triggered and verified. + + + ### Additional Notes - 4. **Status Polling**: The action then waits for the revalidation to complete - by polling the device's security status until it reaches the 'AuthorizationPassed' - state or times out. + - If no device is found for a given entity, that entity is skipped without affecting + the overall action execution. - 5. **Reporting**: Finally, it provides a summary message listing all entities - whose associated devices were successfully revalidated. + - The action includes a built-in timeout mechanism during the polling phase to + prevent the script from running indefinitely if the NAC system does not respond. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,13 +1127,21 @@ Revalidate Device By Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a revalidation action in Portnox NAC, which forces a device to undergo - authentication and authorization checks again, potentially changing its access - status on the network. + Triggers a re-evaluation of the network access control (NAC) policy for the + device in the Portnox system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Portnox API to search for devices and trigger + a revalidation process. This involves both GET requests (searching/polling) + and POST requests (triggering revalidation). Triggering revalidation is a state + change in the external Portnox system. It does not modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action mutates external data (triggers revalidation), so it is not an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -721,3 +1159,6 @@ Revalidate Device By Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `entity.entity_type` + for `ADDRESS` and `MACADDRESS` types. diff --git a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9bf2b0fdf --- /dev/null +++ b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Portnox integration is a Network Access Control (NAC) solution that provides + visibility into network-connected devices. Its primary capabilities, as demonstrated + by the actions, are to provide deep contextual metadata about internal assets. + Actions such as 'Enrich Device', 'Get Device Locations', 'Get Installed Applications', + 'Get Services', and 'Get Open Ports' provide detailed information about assets, + which directly aligns with the 'Asset Inventory' category. Additionally, the 'Get + Device History' and 'Get User History' actions allow analysts to investigate activity + related to assets and users, which aligns with the 'SIEM' category's purpose of + investigating activity. The integration does not perform EDR functions (process-level + visibility), threat intelligence (reputation), or firewall/WAF management (Network + Security). While it performs NAC policy revalidation, this does not equate to + the firewall/WAF blocking capabilities defined in the Network Security category. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml deleted file mode 100644 index 88240d4cf..000000000 --- a/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml +++ /dev/null @@ -1,345 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Delete Sample: - ai_description: >- - ### General Description - - The **Delete Sample** action allows security analysts to remove specific file - samples from a Reversinglabs A1000 appliance. This operation is destructive, as - it deletes the sample file itself along with all related metadata and extracted - data associated with that file hash on the appliance. - - - ### Parameters Description - - There are no user-configurable parameters for this action. It operates directly - on the entities provided in the context. - - - ### Flow Description - - 1. **Authentication**: The action initializes a connection to the Reversinglabs - A1000 appliance using the API Root, Username, and Password provided in the integration - configuration. - - 2. **Entity Filtering**: The script iterates through the target entities in the - current scope and identifies those of type `FILEHASH`. - - 3. **Deletion Request**: For each identified file hash, the action sends a `DELETE` - request to the A1000 API endpoint (`/api/samples/{hash}/`). - - 4. **Result Tracking**: The action monitors the API response. If the status code - is 200, the hash is added to a list of successfully deleted items. - - 5. **Final Output**: The action concludes by providing a summary message of the - deleted hashes and sets the action's result value to `True` if at least one deletion - was successful, or `False` otherwise. - - - ### Additional Notes - - * This action is irreversible. Once a sample is deleted from the A1000 appliance, - its analysis data cannot be recovered unless the file is re-uploaded. - - * The action converts all hash identifiers to lowercase before sending the request - to ensure compatibility with the A1000 API. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Deletes file samples, extracted data, and associated metadata from the Reversinglabs - A1000 appliance via a DELETE API request. - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Report: - ai_description: >- - ### General Description - - The **Get Report** action retrieves a comprehensive classification summary and - detailed analysis for file samples from a ReversingLabs A1000 Malware Analysis - appliance using their hash values. This action is designed to enrich file hash - entities with threat intelligence, providing critical data points such as threat - status, malware names, threat levels, and trust factors. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Entity Filtering**: The action iterates through all entities in the current - context and filters for those of type `FILEHASH`. - - 2. **API Authentication**: It initializes the ReversingLabs A1000 client using - the integration's configured API Root, Username, and Password to obtain an authorization - token. - - 3. **Data Retrieval**: The action sends a batch request to the A1000 `/api/samples/list/` - endpoint, passing the collected hash values and requesting specific fields including - `threat_status`, `threat_level`, `threat_name`, and `trust_factor`. - - 4. **Result Processing**: For each hash that returns a report, the action flattens - the dictionary and generates a dedicated data table on the case wall for that - specific hash. - - 5. **Output**: The action concludes by attaching the complete raw JSON response - to the execution results, allowing for further automated analysis or logic in - the playbook. - - - ### Additional Notes - - This action is strictly read-only regarding the external ReversingLabs system. - It queries existing reports and does not trigger new file uploads or analysis - tasks. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action adds detailed classification data tables to the case wall for each - processed file hash and attaches the raw JSON results to the action output. - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Scan Status: - ai_description: "### General Description\nThe **Get Scan Status** action retrieves\ - \ the current processing status for a list of file hash entities from the ReversingLabs\ - \ A1000 Malware Analysis Appliance. This action is primarily used to check if\ - \ a previously submitted sample has finished analysis or to verify if the system\ - \ already has a record of the hash.\n\n### Parameters Description\nThere are no\ - \ parameters for this action.\n\n### Additional Notes\n* This action specifically\ - \ targets **FILEHASH** entities.\n* Although the underlying API call uses a POST\ - \ method, it is a read-only operation intended for batch status retrieval and\ - \ does not modify the state of the A1000 system.\n\n### Flow Description\n1. **Entity\ - \ Filtering:** The action identifies all `FILEHASH` entities within the current\ - \ alert context.\n2. **Data Collection:** It extracts the identifiers (hashes)\ - \ of these entities and converts them to lowercase for consistency.\n3. **API\ - \ Query:** The action sends a batch request to the ReversingLabs A1000 `api/samples/status/`\ - \ endpoint to fetch the processing status for all collected hashes.\n4. **Result\ - \ Processing:** \n * If statuses are found, it generates a mapping of hashes\ - \ to their respective statuses (e.g., 'processed').\n * It creates a data table\ - \ named \"Scan Status:\" to display these results in the case wall.\n * It\ - \ attaches the raw status data as a JSON result for use in downstream playbook\ - \ logic.\n5. **Completion:** The action concludes with a success message if data\ - \ was retrieved, or a failure message if the status could not be obtained." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Reversinglabs A1000 Malware Analysis Appliance. Its primary - purpose is to ensure that the integration configuration (API Root, Username, and - Password) is valid and that the external service is reachable and responding to - requests. - - - ### Parameters Description - - There are no input parameters for this action. - - - ### Additional Notes - - This action performs a functional test by attempting to retrieve the processing - status of a hardcoded test hash. It does not interact with any entities present - in the current case or alert. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the API Root, Username, and - Password from the integration's shared configuration. - - 2. **Authentication**: It initializes the A1000 client, which performs a POST - request to the `/api-token-auth/` endpoint to obtain an authorization token. - - 3. **Connectivity Validation**: The action calls the `test_connectivity` method, - which sends a POST request to the `/api/samples/status/` endpoint using a predefined - test hash. - - 4. **Completion**: If the API responds successfully, the action concludes with - a success message and a boolean result indicating connectivity. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Upload File: - ai_description: >- - ### General Description - - Uploads a file from a specified local path to the ReversingLabs A1000 appliance - for automated malware analysis. This action is used to submit samples that are - not yet present in the A1000 environment to retrieve detailed threat intelligence, - including classification, threat level, and trust factors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | File Path | String | Yes | The full local path to the file on the system where - the agent is running that should be uploaded for analysis. | - - - ### Flow Description - - 1. **Authentication**: Connects to the ReversingLabs A1000 appliance using the - configured API credentials. - - 2. **File Upload**: Submits the file located at the provided 'File Path' to the - A1000 `/api/uploads/` endpoint. - - 3. **Processing Wait**: Enters a polling loop, checking the processing status - of the uploaded file's SHA1 hash until the status is marked as 'processed'. - - 4. **Report Retrieval**: Fetches the summary classification report for the file - once processing is complete. - - 5. **Data Output**: Formats the analysis results into a data table ('File Details:') - and attaches the full JSON response to the action results. - - - ### Additional Notes - - This action does not run on SecOps entities; it requires a direct file path as - input. It is a synchronous action that will wait (block) until the A1000 appliance - finishes analyzing the file. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Uploads a new file sample to the ReversingLabs A1000 appliance, which creates - a new analysis record in the external system. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 88240d4cf..c5fa1e708 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -1,60 +1,51 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Delete Sample: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes samples from the A1000 appliance. This is a destructive mutation + of external data. It does not match any of the predefined categories like Enrichment, + Ticket management, Alert management, or Host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Delete Sample** action allows security analysts to remove specific file - samples from a Reversinglabs A1000 appliance. This operation is destructive, as - it deletes the sample file itself along with all related metadata and extracted - data associated with that file hash on the appliance. - - - ### Parameters Description - - There are no user-configurable parameters for this action. It operates directly - on the entities provided in the context. - - - ### Flow Description - - 1. **Authentication**: The action initializes a connection to the Reversinglabs - A1000 appliance using the API Root, Username, and Password provided in the integration - configuration. - - 2. **Entity Filtering**: The script iterates through the target entities in the - current scope and identifies those of type `FILEHASH`. - - 3. **Deletion Request**: For each identified file hash, the action sends a `DELETE` - request to the A1000 API endpoint (`/api/samples/{hash}/`). - - 4. **Result Tracking**: The action monitors the API response. If the status code - is 200, the hash is added to a list of successfully deleted items. - - 5. **Final Output**: The action concludes by providing a summary message of the - deleted hashes and sets the action's result value to `True` if at least one deletion - was successful, or `False` otherwise. - - - ### Additional Notes - - * This action is irreversible. Once a sample is deleted from the A1000 appliance, - its analysis data cannot be recovered unless the file is re-uploaded. - - * The action converts all hash identifiers to lowercase before sending the request - to ensure compatibility with the A1000 API. + ### General Description\nThe **Delete Sample** action removes specific file samples + and their associated metadata from the ReversingLabs A1000 appliance. This action + is primarily used for data management, privacy compliance, or clearing out unwanted + analysis data from the appliance.\n\n### Parameters Description\nThere are no + user-configurable parameters for this action. It automatically processes all `FILEHASH` + entities identified in the current context.\n\n### Flow Description\n1. **Authentication**: + The action establishes a connection to the ReversingLabs A1000 appliance using + the API Root, Username, and Password provided in the integration configuration.\n2. + **Entity Identification**: The script iterates through the target entities in + the SOAR case, specifically filtering for those of type `FILEHASH`.\n3. **Deletion + Execution**: For each identified file hash, the action sends a `DELETE` request + to the A1000 API endpoint (`/api/samples/{hash}/`).\n4. **Status Reporting**: + The action tracks successful deletions (based on HTTP 200 responses) and returns + a summary message listing the hashes that were successfully removed from the appliance. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,12 +54,18 @@ Delete Sample: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes file samples, extracted data, and associated metadata from the Reversinglabs - A1000 appliance via a DELETE API request. + Deletes file samples and associated metadata from the ReversingLabs A1000 appliance. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `DELETE` request to an external system (A1000 appliance) + to remove data. It does not fetch data, nor does it modify internal SOAR case + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data (it performs a deletion), so it is not an enrichment + action. entity_usage: entity_types: - FILEHASH @@ -85,63 +82,83 @@ Delete Sample: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters specifically + for `FILEHASH` entities using `if entity.entity_type == FILEHASH`. Get Report: - ai_description: >- - ### General Description - - The **Get Report** action retrieves a comprehensive classification summary and - detailed analysis for file samples from a ReversingLabs A1000 Malware Analysis - appliance using their hash values. This action is designed to enrich file hash - entities with threat intelligence, providing critical data points such as threat - status, malware names, threat levels, and trust factors. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Entity Filtering**: The action iterates through all entities in the current - context and filters for those of type `FILEHASH`. - - 2. **API Authentication**: It initializes the ReversingLabs A1000 client using - the integration's configured API Root, Username, and Password to obtain an authorization - token. - - 3. **Data Retrieval**: The action sends a batch request to the A1000 `/api/samples/list/` - endpoint, passing the collected hash values and requesting specific fields including - `threat_status`, `threat_level`, `threat_name`, and `trust_factor`. - - 4. **Result Processing**: For each hash that returns a report, the action flattens - the dictionary and generates a dedicated data table on the case wall for that - specific hash. - - 5. **Output**: The action concludes by attaching the complete raw JSON response - to the execution results, allowing for further automated analysis or logic in - the playbook. - - - ### Additional Notes - - This action is strictly read-only regarding the external ReversingLabs system. - It queries existing reports and does not trigger new file uploads or analysis - tasks. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, threat level, status) + for file hashes, which directly matches the 'Enrich IOC' category. It does not + perform any other actions like blocking, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Get Report** action retrieves summary\ + \ classification reports and detailed analysis metadata for file hashes from the\ + \ ReversingLabs A1000 Malware Analysis Appliance. This action is used to enrich\ + \ file-related indicators by providing threat levels, status (e.g., malicious,\ + \ suspicious, known), and specific threat names identified by ReversingLabs.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not require\ + \ any input parameters; it automatically processes all `FILEHASH` entities in\ + \ the scope. |\n\n### Additional Notes\n* This action performs a bulk lookup for\ + \ all identified hashes in a single API call.\n* It does not submit new files\ + \ for analysis; it only retrieves existing reports.\n* Results are presented as\ + \ data tables attached to the case for each hash.\n\n### Flow Description\n1.\ + \ **Entity Identification**: The action scans the current context for entities\ + \ of type `FILEHASH`.\n2. **Data Retrieval**: It sends a list of these hashes\ + \ to the ReversingLabs A1000 `api/samples/list/` endpoint.\n3. **Context Enrichment**:\ + \ For every hash found, the action extracts key fields including `threat_status`,\ + \ `threat_level`, `threat_name`, and `trust_factor`.\n4. **Output Generation**:\ + \ \n * A data table is created for each hash and attached to the case.\n \ + \ * The full response is provided as a JSON result for further playbook processing." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds detailed classification data tables to the case wall for each - processed file hash and attaches the raw JSON results to the action output. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the ReversingLabs A1000 API using a POST request + to retrieve reports for file hashes. It does not mutate external systems (no + block/delete/update actions). It does not mutate internal SOAR data (no entity + updates, insights, or comments). It simply outputs the retrieved data as tables + and JSON results. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (ReversingLabs A1000) to provide context for file hashes. It does not + modify any external or internal state. entity_usage: entity_types: - FILEHASH @@ -158,27 +175,85 @@ Get Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `FILEHASH` + types. It does not filter by any other properties. Get Scan Status: - ai_description: "### General Description\nThe **Get Scan Status** action retrieves\ - \ the current processing status for a list of file hash entities from the ReversingLabs\ - \ A1000 Malware Analysis Appliance. This action is primarily used to check if\ - \ a previously submitted sample has finished analysis or to verify if the system\ - \ already has a record of the hash.\n\n### Parameters Description\nThere are no\ - \ parameters for this action.\n\n### Additional Notes\n* This action specifically\ - \ targets **FILEHASH** entities.\n* Although the underlying API call uses a POST\ - \ method, it is a read-only operation intended for batch status retrieval and\ - \ does not modify the state of the A1000 system.\n\n### Flow Description\n1. **Entity\ - \ Filtering:** The action identifies all `FILEHASH` entities within the current\ - \ alert context.\n2. **Data Collection:** It extracts the identifiers (hashes)\ - \ of these entities and converts them to lowercase for consistency.\n3. **API\ - \ Query:** The action sends a batch request to the ReversingLabs A1000 `api/samples/status/`\ - \ endpoint to fetch the processing status for all collected hashes.\n4. **Result\ - \ Processing:** \n * If statuses are found, it generates a mapping of hashes\ - \ to their respective statuses (e.g., 'processed').\n * It creates a data table\ - \ named \"Scan Status:\" to display these results in the case wall.\n * It\ - \ attaches the raw status data as a JSON result for use in downstream playbook\ - \ logic.\n5. **Completion:** The action concludes with a success message if data\ - \ was retrieved, or a failure message if the status could not be obtained." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves the processing status of file hashes from an external malware + analysis platform. This provides intelligence about the file's analysis state, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like updating alerts, creating tickets, or modifying security controls. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Retrieves the processing status of file hash entities from the ReversingLabs A1000 + Malware Analysis platform. This action allows analysts to check if submitted samples + have finished analysis or are still being processed, providing visibility into + the malware analysis lifecycle. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters beyond + the entities in the context. | + + + ### Additional Notes + + * This action performs a bulk lookup of hash statuses using a POST request to + the `/api/samples/status/` endpoint of the A1000 API. + + * The action is designed to process `FILEHASH` entities. If no status information + is returned for the provided hashes, the action will complete with a failure status. + + + ### Flow Description + + 1. **Entity Collection**: The action iterates through the `target_entities` in + the current SOAR case and identifies all entities of type `FILEHASH`. + + 2. **Status Query**: It sends a bulk request to the ReversingLabs A1000 API using + the collected hash values to retrieve their current processing status. + + 3. **Data Processing**: The API response is parsed to map each hash to its specific + status (e.g., 'processed', 'uploading', 'analyzing'). + + 4. **Output Generation**: The action generates a data table named 'Scan Status:' + for the action result and provides a JSON result containing the status mapping + for downstream playbook logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -189,8 +264,19 @@ Get Scan Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external system (ReversingLabs A1000) to retrieve + the status of file hashes. It does not mutate external data (it is a read-only + query operation). It does not mutate internal SOAR data (it does not update + entities, create insights, or modify alerts; it only adds a data table and JSON + result to the action output). categories: enrichment: true + reasoning: >- + The action is an enrichment action because it proactively fetches supplemental + context (processing status) for entities (file hashes) from an external source. + It does not mutate external systems, and it does not modify existing internal + SOAR data (it only adds reporting data to the action result). entity_usage: entity_types: - FILEHASH @@ -207,43 +293,75 @@ Get Scan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == FILEHASH`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic tool used to verify connectivity to the ReversingLabs + A1000 API. It does not perform any of the defined operational tasks such as + enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Reversinglabs A1000 Malware Analysis Appliance. Its primary - purpose is to ensure that the integration configuration (API Root, Username, and - Password) is valid and that the external service is reachable and responding to - requests. + the Google SecOps platform and the **ReversingLabs A1000 Malware Analysis Appliance**. + It ensures that the integration is correctly configured and that the provided + credentials have the necessary permissions to interact with the A1000 API. ### Parameters Description - There are no input parameters for this action. + There are no parameters for this action. - ### Additional Notes + ### Flow Description - This action performs a functional test by attempting to retrieve the processing - status of a hardcoded test hash. It does not interact with any entities present - in the current case or alert. + 1. **Configuration Retrieval**: The action retrieves the API Root, Username, and + Password from the integration configuration. + 2. **Client Initialization**: It initializes the `A1000MalwareAnalysisClient` + with the provided credentials. - ### Flow Description + 3. **Connectivity Test**: The action executes a connectivity test by querying + the status of a predefined test hash. - 1. **Configuration Retrieval**: The action extracts the API Root, Username, and - Password from the integration's shared configuration. + 4. **Completion**: If the API responds successfully, the action returns a 'Connected + Successfully' message. - 2. **Authentication**: It initializes the A1000 client, which performs a POST - request to the `/api-token-auth/` endpoint to obtain an authorization token. - 3. **Connectivity Validation**: The action calls the `test_connectivity` method, - which sends a POST request to the `/api/samples/status/` endpoint using a predefined - test hash. + ### Additional Notes - 4. **Completion**: If the API responds successfully, the action concludes with - a success message and a boolean result indicating connectivity. + This action does not process any entities or modify any data within the SecOps + platform or the external A1000 system. capabilities: can_create_case_comments: false can_create_insight: false @@ -252,10 +370,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a POST request to the A1000 + API to check the status of a test hash. It does not mutate external or internal + data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. Additionally, it does not perform any data enrichment + or state modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -271,49 +397,86 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test against the ReversingLabs A1000 API. Upload File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action uploads a file to the ReversingLabs A1000 appliance for analysis + and retrieves the report. This directly aligns with the 'Submit File' category, + which involves uploading a sample to an analysis engine and returning a behavior + report. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Uploads a file from a specified local path to the ReversingLabs A1000 appliance - for automated malware analysis. This action is used to submit samples that are - not yet present in the A1000 environment to retrieve detailed threat intelligence, - including classification, threat level, and trust factors. + Uploads a file to the ReversingLabs A1000 appliance for automated malware analysis. + This action submits a local file to the A1000 system, monitors its processing + status until completion, and retrieves a comprehensive analysis report containing + critical security metadata such as threat levels, status, and classification details. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The full local path to the file on the system where - the agent is running that should be uploaded for analysis. | + | File Path | string | True | The absolute path to the file on the local system + that needs to be uploaded for analysis. | ### Flow Description - 1. **Authentication**: Connects to the ReversingLabs A1000 appliance using the - configured API credentials. + 1. **Authentication**: The action authenticates with the ReversingLabs A1000 appliance + using the configured API credentials. 2. **File Upload**: Submits the file located at the provided 'File Path' to the A1000 `/api/uploads/` endpoint. - 3. **Processing Wait**: Enters a polling loop, checking the processing status - of the uploaded file's SHA1 hash until the status is marked as 'processed'. + 3. **Status Polling**: Enters a polling loop, checking the processing status of + the file's SHA1 hash until the appliance marks it as 'processed'. - 4. **Report Retrieval**: Fetches the summary classification report for the file - once processing is complete. + 4. **Report Retrieval**: Once processing is finished, the action fetches the summary + classification report for the file. - 5. **Data Output**: Formats the analysis results into a data table ('File Details:') - and attaches the full JSON response to the action results. + 5. **Data Output**: The retrieved report is flattened and presented as a data + table named 'File Details:' and also attached as a raw JSON result for further + playbook processing. ### Additional Notes - This action does not run on SecOps entities; it requires a direct file path as - input. It is a synchronous action that will wait (block) until the A1000 appliance - finishes analyzing the file. + This action is synchronous and will wait (block) until the A1000 appliance has + finished analyzing the file. Ensure that the environment where the action runs + has read access to the specified file path. capabilities: can_create_case_comments: false can_create_insight: false @@ -322,12 +485,21 @@ Upload File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a new file sample to the ReversingLabs A1000 appliance, which creates - a new analysis record in the external system. + Uploads a file to the ReversingLabs A1000 appliance for malware analysis. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to upload a file to the A1000 appliance, + which constitutes an external mutation. It subsequently polls for status and + performs a GET request to retrieve the analysis report, meaning it fetches data. + It does not modify internal SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action performs an external mutation by uploading a file to the A1000 appliance. + According to the enrichment definition, an action is only classified as 'Enrichment' + if it does not create, update, or delete data in any external platform. Therefore, + this action is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -343,3 +515,7 @@ Upload File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a file path as a parameter + and performs an analysis on that file, independent of any specific SecOps entity + objects. diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ebf103f75 --- /dev/null +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The ReversingLabs A1000 integration is a malware analysis platform that provides + threat intelligence for file-based indicators. Its primary actions, such as 'Get + Report' and 'Get Scan Status', are designed to enrich file hashes (IOCs) with + reputation data, threat levels, and analysis status, which directly aligns with + the 'Threat Intelligence' category. It does not perform SIEM log analysis, EDR + host containment, network security blocking, email management, IAM operations, + cloud resource management, ITSM ticketing, vulnerability scanning, asset inventory + management, or collaboration/notification tasks. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index 03a2809e7..d96b09717 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -1,33 +1,54 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Cisco Stealthwatch\ - \ (v6.10) instance. It ensures that the provided integration parameters\u2014\ - such as the API Root, Username, and Password\u2014are correct and that the Stealthwatch\ - \ server is reachable over the network.\n\n### Parameters\nThere are no user-input\ - \ parameters for this action. It relies entirely on the integration's global configuration\ - \ settings.\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ fetches the 'Api Root', 'Username', and 'Password' from the StealthwatchV6-10\ - \ integration settings.\n2. **Authentication**: The action initializes the `StealthwatchManager`,\ - \ which performs a POST request to the `/token/v2/authenticate` endpoint to obtain\ - \ a JWT cookie.\n3. **Connectivity Test**: The manager executes the `test_connectivity`\ - \ method, which performs a GET request to the `/sw-reporting/v1/tenants` endpoint\ - \ to retrieve available domains.\n4. **Result Reporting**: If the authentication\ - \ and domain retrieval are successful, the action returns a 'Connected Successfully'\ - \ message and a boolean `True` result." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "General Description: The Ping action is a utility designed to verify\ + \ the connectivity between the Google SecOps platform and the Cisco Stealthwatch\ + \ (v6.10) instance. Its primary purpose is to ensure that the integration's configuration\ + \ parameters\u2014specifically the API Root, Username, and Password\u2014are correct\ + \ and that the Stealthwatch server is reachable and responding to requests. Parameters\ + \ Description: There are no parameters for this action. Additional Notes: The\ + \ action performs a live authentication check by requesting a JWT token from the\ + \ Stealthwatch server. It further validates the connection by attempting to retrieve\ + \ a list of available domains (tenants) from the system. If any step in the authentication\ + \ or domain retrieval fails, the action will report a failure, indicating a configuration\ + \ or network issue. Flow Description: 1. Configuration Retrieval: The action fetches\ + \ the 'Api Root', 'Username', and 'Password' from the StealthwatchV6-10 integration\ + \ settings. 2. Manager Initialization: It initializes the StealthwatchManager,\ + \ which triggers an authentication request (POST /token/v2/authenticate) to obtain\ + \ a session cookie/JWT. 3. Connectivity Test: The action calls the test_connectivity\ + \ method, which executes a GET request to the /sw-reporting/v1/tenants endpoint\ + \ to verify that the authenticated session can successfully read data. 4. Result\ + \ Reporting: If the requests are successful, the action concludes with a 'Connected\ + \ Successfully' message and returns a boolean True status." capabilities: can_create_case_comments: false can_create_insight: false @@ -38,8 +59,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by authenticating (POST) and fetching + data (GET) from the Cisco Stealthwatch API. It does not mutate external or internal + data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. Per the instructions, + Ping actions are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -55,64 +83,109 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global connectivity test. Search Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves security events for an IP, providing threat intelligence + and context, which matches 'Enrich IOC'. It also performs a search for historical + logs, which matches 'Search Events'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves security events for specific IP address entities from Cisco - Stealthwatch (v6.10) within a user-defined timeframe. It is designed to provide - security analysts with visibility into the network behavior of a host by identifying - events where the host acted as either a source or a destination. The results are - presented as both raw JSON data and formatted entity tables for easy review within - the Google SecOps platform. + Retrieves security events for IP address entities from Cisco Stealthwatch within + a specified hourly timeframe. This action is useful for identifying malicious + or suspicious network activity associated with a host by searching for events + where the host is either the source or the target. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Timeframe | Integer | Yes | Specifies the lookback period in hours from the - current time to search for security events. | + | Timeframe | String | True | The number of hours back from the current time to + search for security events. | - ### Flow Description + ### Additional Notes - 1. **Time Calculation**: The action calculates the start and end timestamps for - the search based on the current UTC time and the provided `Timeframe` parameter. + - The action automatically identifies the correct Stealthwatch Domain ID for each + IP address before performing the search. - 2. **Entity Filtering**: It iterates through the target entities and processes - only those of type `ADDRESS` (IP addresses). + - Results are attached to the case as both raw JSON and formatted entity-level + data tables. - 3. **Domain Identification**: For each IP address, the action queries the Stealthwatch - API to determine the `domain_id` associated with that host. - 4. **Search Initiation**: If a domain is found, the action initiates two separate - asynchronous search queries: one for events where the IP is the source and another - where it is the destination. + ### Flow Description + + 1. **Time Calculation**: Calculates the search start and end times based on the + provided `Timeframe` parameter and the current UTC time. - 5. **Result Retrieval**: The action polls the Stealthwatch API for the completion - of these search jobs and retrieves the resulting event data. + 2. **Domain Identification**: For each IP address entity, the action queries Stealthwatch + to find the associated Domain ID. - 6. **Data Attachment**: The retrieved events are attached to the entity in the - SOAR interface as a JSON object and a formatted CSV table containing security - event details. + 3. **Event Search**: Initiates two asynchronous search queries per entity: one + for events where the IP is the source and another where it is the destination. - 7. **Final Status**: The action concludes by reporting which entities had security - events found or if no events were discovered. + 4. **Result Polling**: Polls the Stealthwatch API until the search jobs are completed. + + 5. **Data Retrieval**: Fetches the search results for both queries. + + 6. **Data Attachment**: Flattens the event data and attaches it to the case as + a JSON result and an entity data table titled 'Security Event Details'. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds JSON results and entity data tables to the case. + reasoning: >- + The action fetches security event data from Cisco Stealthwatch by performing + search queries. It does not modify external system state (no blocking or configuration + changes). It performs internal mutations by attaching JSON results and entity + data tables to the case, which is standard for enrichment actions. categories: enrichment: true + reasoning: >- + The action retrieves security events (contextual data) for IP entities and attaches + them to the case. It does not mutate external systems and the internal mutations + (adding tables/JSON) are standard enrichment practices. Therefore, it is classified + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -129,34 +202,98 @@ Search Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.ADDRESS`. Search Flows: - ai_description: "### General Description\nThe **Search Flows** action retrieves\ - \ network flow records from Cisco Stealthwatch (Secure Network Analytics) for\ - \ specific IP address entities. It identifies flows where the target entity acts\ - \ as either the source or the destination within a user-defined timeframe. This\ - \ action is primarily used for network forensics and visibility, allowing analysts\ - \ to see which internal or external hosts an IP has been communicating with.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Timeframe** | Integer | Yes | The number of\ - \ hours to look back from the current time (e.g., 3) to define the search window.\ - \ |\n| **Limit** | Integer | Yes | The maximum number of flow records to retrieve\ - \ for each search (source and destination). |\n\n### Flow Description\n1. **Initialization**:\ - \ The action retrieves the integration configuration (API Root, credentials) and\ - \ the user-provided parameters: `Timeframe` and `Limit`.\n2. **Time Calculation**:\ - \ It calculates the `start_time` and `end_time` in ISO format based on the current\ - \ UTC time and the `Timeframe` parameter.\n3. **Domain Identification**: For each\ - \ IP address entity, the action queries the Stealthwatch API to find the `domain_id`\ - \ associated with that specific IP.\n4. **Flow Searching**: For each valid domain\ - \ found, the action initiates two separate asynchronous search queries:\n *\ - \ A search for flows where the entity is the **source IP**.\n * A search for\ - \ flows where the entity is the **destination IP**.\n5. **Data Retrieval**: The\ - \ action polls the Stealthwatch API for the status of the search jobs. Once completed,\ - \ it retrieves the flow results up to the specified `Limit`.\n6. **Enrichment\ - \ and Output**: \n * The raw flow data is attached to the action results as\ - \ a JSON object.\n * A flattened CSV table of the flows is created and attached\ - \ as an **Entity Table** for the specific IP address.\n7. **Completion**: The\ - \ action concludes by listing the entities for which flows were successfully identified\ - \ and retrieved." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves network flow data for IP addresses, which provides context + for investigation, matching the 'Enrich IOC' category. Additionally, it performs + a search for historical telemetry data, which matches the 'Search Events' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **Search Flows** action retrieves network flow data from Cisco Stealthwatch + (v6.10+) for specific IP Address entities. It allows security analysts to investigate + network traffic patterns by searching for flows where the target entity acts as + either the source or the destination within a defined historical window. This + provides critical context for understanding lateral movement, data exfiltration, + or communication with known malicious infrastructure. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Timeframe** | String | Yes | The number of hours to look back from the current + time (e.g., '3' for the last 3 hours). | + + | **Limit** | String | Yes | The maximum number of flow records to return for + each search (source and destination). | + + + ### Flow Description + + 1. **Initialization**: The action retrieves integration credentials (API Root, + Username, Password) and input parameters (`Timeframe`, `Limit`). + + 2. **Time Calculation**: It calculates the search window's start and end timestamps + based on the provided `Timeframe` relative to the current UTC time. + + 3. **Domain Resolution**: For each IP Address entity in the scope, the action + queries Stealthwatch to identify the corresponding `domain_id` required for reporting. + + 4. **Source Search**: It initiates a flow search query where the entity is the + source IP. + + 5. **Destination Search**: It initiates a flow search query where the entity is + the destination IP. + + 6. **Data Retrieval**: The action polls the Stealthwatch API for the completion + of both search jobs and fetches the resulting flow records. + + 7. **Output Generation**: It aggregates the results, flattens the data for CSV/Table + display, and attaches the findings to the action results as both raw JSON and + entity-specific tables for visualization in the Google SecOps UI. + + + ### Additional Notes + + - This action performs two separate searches per entity (Source and Destination) + and combines the results into a single output. + + - If the action cannot resolve a domain ID for a specific IP address, that entity + will be skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,8 +304,18 @@ Search Flows: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches network flow data from an external system (Cisco Stealthwatch) + based on IP entities. It does not modify any external system state (no blocking/quarantining) + nor does it modify internal case data (it does not update entities, create insights, + or add case comments). It only attaches results to the action output. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (network flows) for entities. + It does not mutate external systems or internal case data, and it does not perform + any forbidden actions (like ping or file downloads). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -185,3 +332,6 @@ Search Flows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.ADDRESS`. diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..981f2193f --- /dev/null +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The stealthwatch_v610 integration provides network visibility and security analytics. + The available actions, 'Search Events' and 'Search Flows', allow security analysts + to retrieve security events and network flow data for IP address entities. This + functionality aligns with SIEM capabilities by enabling the investigation of activity + related to assets and IOCs. It aligns with Network Security as it provides visibility + into network traffic and communication patterns, which is essential for identifying + malicious network activity. It also aligns with Threat Intelligence, as the retrieved + events and flows serve as enrichment data to help determine the reputation of + IP indicators and confirm if alerts are True Positives. It does not provide EDR, + Email Security, IAM, ITSM, Vulnerability Management, Asset Inventory, or Collaboration + capabilities. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml deleted file mode 100644 index 831374b51..000000000 --- a/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml +++ /dev/null @@ -1,194 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Get Hash Report: - ai_description: >- - ### General Description - - Enriches File Hash entities by retrieving sample reports from Symantec Content - Analysis. This action supports both MD5 and SHA256 hash types, providing detailed - sample information in a tabular format and updating the entity's metadata within - Google SecOps. - - - ### Parameters - - There are no specific action parameters for this action. It relies on the global - integration configuration (API Root, API Key, and Verify SSL). - - - ### Flow Description - - 1. **Entity Filtering**: The action identifies all `FILEHASH` entities within - the current context. - - 2. **Hash Validation**: For each entity, it validates the hash type based on string - length (32 characters for MD5, 64 characters for SHA256). - - 3. **Data Retrieval**: It performs a GET request to the Symantec Content Analysis - API to fetch sample data associated with the specific hash. - - 4. **Data Attachment**: If a report is found, the action converts the results - into a CSV format and attaches it as an entity table. - - 5. **Internal Enrichment**: The raw JSON response is mapped to the entity's 'additional_properties' - field. - - 6. **Entity Update**: Finally, the action updates the entities in the case to - persist the enriched data. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with the retrieved hash report and adds - a data table to the entity in the SOAR. - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - ### General Description - - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Symantec Content Analysis server. It ensures that the provided - API Root and API Key are valid and that the network path is open. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (API Root, API Key, and Verify SSL). - - - ### Additional Notes - - - This action is typically used during the initial setup or troubleshooting of - the Symantec Content Analysis integration. - - - According to standard SOAR practices, Ping actions are not categorized as enrichment - actions. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration's global settings, - including the API Root, API Key, and SSL verification preference. - - 2. **Manager Initialization**: It initializes the `SymantecContentAnalysisManager` - with the retrieved credentials. - - 3. **Connectivity Test**: The manager executes a `GET` request to the `rapi/pattern_groups` - endpoint of the Symantec Content Analysis API. - - 4. **Validation**: The action validates the HTTP response. If the status code - indicates success, it confirms the connection. - - 5. **Result Reporting**: The action outputs 'Connection Established' on success - or 'Connection Failed' if an error occurs. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Submit File: - ai_description: "### General Description\nThis action uploads a file from a specified\ - \ local path to Symantec Content Analysis for security scanning and reputation\ - \ analysis. It is used to determine if a file is malicious or suspicious by leveraging\ - \ Symantec's analysis engine. The action retrieves a reputation score and provides\ - \ immediate feedback within the case.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File Path\ - \ | String | Yes | The full local path to the file that should be uploaded and\ - \ scanned. |\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ initializes the Symantec Content Analysis manager using the provided API Root\ - \ and API Key.\n2. **File Submission**: It reads the file from the provided `File\ - \ Path` and performs a POST request to the Symantec `rapi/cas/scan` endpoint.\n\ - 3. **Score Extraction**: The action waits for the scan results (with a 5-minute\ - \ timeout) and extracts the `file_reputation_score` from the API response.\n4.\ - \ **Insight Creation**: \n * If the score is between 2 and 6, a 'File Found\ - \ as Suspicious' insight is created.\n * If the score is between 7 and 10,\ - \ a 'File Found as Malicious' insight is created.\n5. **Completion**: The action\ - \ ends by returning the reputation score and a summary message to the Google SecOps\ - \ workbench." - capabilities: - can_create_case_comments: false - can_create_insight: true - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Creates case insights in Google SecOps based on the reputation score returned - by the Symantec Content Analysis scan. - categories: - enrichment: true - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index 831374b51..ec0d9660a 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -1,52 +1,84 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Hash Report: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (sample reports) for file hashes, which + aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches File Hash entities by retrieving sample reports from Symantec Content - Analysis. This action supports both MD5 and SHA256 hash types, providing detailed - sample information in a tabular format and updating the entity's metadata within - Google SecOps. + Enriches File Hash entities (MD5 and SHA256) by retrieving sample reports from + Symantec Content Analysis. This action queries the Symantec API to find basic + sample information associated with a specific file hash and provides the results + as both entity attributes and a data table within the case. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - ### Parameters + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not have any specific input parameters beyond + the target entities. | + + + ### Additional Notes - There are no specific action parameters for this action. It relies on the global - integration configuration (API Root, API Key, and Verify SSL). + + * The action automatically distinguishes between MD5 (32 characters) and SHA256 + (64 characters) hashes to use the appropriate API endpoint. + + * If a hash is neither 32 nor 64 characters long, an error will be logged for + that specific entity. ### Flow Description - 1. **Entity Filtering**: The action identifies all `FILEHASH` entities within - the current context. - 2. **Hash Validation**: For each entity, it validates the hash type based on string - length (32 characters for MD5, 64 characters for SHA256). + 1. **Filter Entities:** The action identifies all File Hash entities within the + current context. - 3. **Data Retrieval**: It performs a GET request to the Symantec Content Analysis - API to fetch sample data associated with the specific hash. + 2. **API Query:** For each identified hash, it determines the hash type (MD5 or + SHA256) and sends a GET request to the Symantec Content Analysis API to retrieve + sample data. - 4. **Data Attachment**: If a report is found, the action converts the results - into a CSV format and attaches it as an entity table. + 3. **Data Processing:** If a report is found, the action flattens the JSON response + and adds it to the entity's additional properties. - 5. **Internal Enrichment**: The raw JSON response is mapped to the entity's 'additional_properties' - field. + 4. **UI Enhancement:** A CSV-formatted table containing the report details is + attached to the entity in the Google SecOps interface. - 6. **Entity Update**: Finally, the action updates the entities in the case to - persist the enriched data. + 5. **Update:** The action updates the entities in the platform to persist the + enriched data. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,10 +89,19 @@ Get Hash Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with the retrieved hash report and adds - a data table to the entity in the SOAR. + Updates entity additional properties and adds a data table to the entity within + the SOAR platform. + reasoning: >- + The action fetches file hash reports from Symantec Content Analysis via a GET + request. It does not modify any external systems. It performs internal mutations + by updating entity additional properties and adding a data table to the entity + within the SOAR platform. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Symantec) and updates internal + entities without modifying external systems. This fits the definition of an + enrichment action. entity_usage: entity_types: - FILEHASH @@ -77,46 +118,89 @@ Get Hash Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `EntityTypes.FILEHASH`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test and does not perform any of the + defined operational tasks such as enrichment, containment, ticket management, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Symantec Content Analysis server. It ensures that the provided - API Root and API Key are valid and that the network path is open. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Symantec Content Analysis server. Its primary purpose + is to ensure that the integration's configuration parameters (API Root and API + Key) are correct and that the server is reachable over the network. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (API Root, API Key, and Verify SSL). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | API Root | String | Yes | The base URL of the Symantec Content Analysis server + (configured in the integration settings). | + + | API Key | String | Yes | The API token used for authentication (configured in + the integration settings). | - - This action is typically used during the initial setup or troubleshooting of - the Symantec Content Analysis integration. + | Verify SSL | Boolean | Yes | Determines whether to validate the SSL certificate + of the target server (configured in the integration settings). | - - According to standard SOAR practices, Ping actions are not categorized as enrichment - actions. + + ### Additional Notes + + This action does not accept any input parameters directly and does not process + any entities. It relies entirely on the integration's global configuration. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the integration's global settings, - including the API Root, API Key, and SSL verification preference. + 1. **Initialization**: The action retrieves the integration configuration, including + the API Root, API Key, and SSL verification preference. - 2. **Manager Initialization**: It initializes the `SymantecContentAnalysisManager` - with the retrieved credentials. + 2. **Manager Setup**: It initializes the `SymantecContentAnalysisManager` with + the provided credentials. - 3. **Connectivity Test**: The manager executes a `GET` request to the `rapi/pattern_groups` - endpoint of the Symantec Content Analysis API. + 3. **API Call**: The action executes a `GET` request to the `rapi/pattern_groups` + endpoint on the Symantec Content Analysis server. - 4. **Validation**: The action validates the HTTP response. If the status code - indicates success, it confirms the connection. + 4. **Validation**: It validates the HTTP response status. If the request is successful + (2xx status code), the connectivity is confirmed. - 5. **Result Reporting**: The action outputs 'Connection Established' on success - or 'Connection Failed' if an error occurs. + 5. **Final Output**: The action returns a success message ('Connection Established') + or a failure message ('Connection Failed') based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -125,10 +209,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a diagnostic connectivity check (Ping) by sending a GET + request to the Symantec Content Analysis server. It does not fetch contextual + data regarding alerts or entities, nor does it mutate any external or internal + data. It is a purely diagnostic action. categories: enrichment: false + reasoning: >- + The action is a diagnostic 'Ping' utility. Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -144,25 +236,59 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global diagnostic tool that + relies on integration configuration settings. Submit File: - ai_description: "### General Description\nThis action uploads a file from a specified\ - \ local path to Symantec Content Analysis for security scanning and reputation\ - \ analysis. It is used to determine if a file is malicious or suspicious by leveraging\ - \ Symantec's analysis engine. The action retrieves a reputation score and provides\ - \ immediate feedback within the case.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File Path\ - \ | String | Yes | The full local path to the file that should be uploaded and\ - \ scanned. |\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ initializes the Symantec Content Analysis manager using the provided API Root\ - \ and API Key.\n2. **File Submission**: It reads the file from the provided `File\ - \ Path` and performs a POST request to the Symantec `rapi/cas/scan` endpoint.\n\ - 3. **Score Extraction**: The action waits for the scan results (with a 5-minute\ - \ timeout) and extracts the `file_reputation_score` from the API response.\n4.\ - \ **Insight Creation**: \n * If the score is between 2 and 6, a 'File Found\ - \ as Suspicious' insight is created.\n * If the score is between 7 and 10,\ - \ a 'File Found as Malicious' insight is created.\n5. **Completion**: The action\ - \ ends by returning the reputation score and a summary message to the Google SecOps\ - \ workbench." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a file to an analysis engine and returns a threat score, + which matches the 'Submit File' category. Additionally, by providing a reputation + score for the file, it serves as an 'Enrich IOC' action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action submits a file from a specified\ + \ local path to the Symantec Content Analysis service for scanning and reputation\ + \ analysis. It retrieves the file's reputation score and generates case insights\ + \ within the SOAR platform based on the severity of the findings. This action\ + \ is useful for automating the initial triage of suspicious files.\n\n### Parameters\ + \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| File Path | string | True | The local file system path of\ + \ the file to be uploaded and scanned. |\n\n### Flow Description\n1. **Configuration\ + \ Retrieval:** The action initializes the Symantec Content Analysis manager using\ + \ the provided API Root and API Key.\n2. **File Submission:** It reads the file\ + \ from the provided 'File Path' and performs a POST request to the Symantec Content\ + \ Analysis API to initiate a scan.\n3. **Score Parsing:** The action extracts\ + \ the file reputation score from the API response.\n4. **Insight Generation:**\ + \ \n * If the score is between 2 and 6, it creates a 'File Found as Suspicious'\ + \ insight.\n * If the score is between 7 and 10, it creates a 'File Found as\ + \ Malicious' insight.\n5. **Completion:** The action concludes by returning the\ + \ reputation score and a summary message." capabilities: can_create_case_comments: false can_create_insight: true @@ -173,10 +299,18 @@ Submit File: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights in Google SecOps based on the reputation score returned - by the Symantec Content Analysis scan. + Creates case insights based on the file reputation score. + reasoning: >- + The action performs a POST request to submit a file for analysis (fetching data/reputation + score). It does not modify external system configurations or security posture + (no external mutation). It performs internal mutations by creating case insights + based on the analysis results. categories: enrichment: true + reasoning: >- + The action fetches data (reputation score) and performs allowed internal mutations + (creating insights). It does not mutate external systems or perform prohibited + actions. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -192,3 +326,6 @@ Submit File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process SOAR entities. It operates on a + file path provided as a parameter. diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b417b3852 --- /dev/null +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The symantec_content_analysis integration is designed to analyze files and file + hashes to determine their threat potential, which is a core function of threat + intelligence. The 'Get Hash Report' action enriches file hash entities with reputation + data, and the 'Submit File' action performs sandboxing and reputation analysis. + These capabilities directly align with the 'Threat Intelligence' category, which + focuses on enriching external indicators (IPs, Hashes, URLs) to determine reputation + and confirm if an alert is a True Positive. The integration does not perform SIEM, + EDR, Network Security, Email Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration functions. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index 83e63c58c..1c30687ee 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -1,36 +1,85 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Event: - ai_description: "### General Description\nThis action retrieves detailed information\ - \ for a specific event from Symantec ICDX using its unique identifier (UUID).\ - \ It is primarily used to gather granular event data that may not be present in\ - \ the initial alert, allowing analysts to perform deeper investigations into specific\ - \ activities recorded by Symantec ICDX.\n\n### Parameters Description\n| Parameter\ - \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Event UUID\ - \ | The unique identifier (UUID) of the event to be retrieved from the Symantec\ - \ ICDX archives. | String | Yes |\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Symantec ICDX manager using the provided API Root\ - \ and API Token from the integration configuration.\n2. **Parameter Retrieval**:\ - \ The `Event UUID` is extracted from the action parameters.\n3. **API Request**:\ - \ The action sends a POST request to the Symantec ICDX search endpoint with a\ - \ specific request type (`id: 0`) designed for direct event retrieval by UUID.\n\ - 4. **Data Processing**: \n * If the event is found, the raw JSON response is\ - \ attached to the action results.\n * A flattened version of the event data\ - \ is created and added as a data table for visibility in the SOAR interface.\n\ - 5. **Completion**: The action concludes with a success message if the event was\ - \ found, or a failure message if the UUID did not match any records." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves specific event data from Symantec ICDX based on a provided + UUID. This aligns with the 'Search Events' category as it returns historical + telemetry data. It does not modify external systems, update entities, or enrich + specific IOCs/assets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **Get Event** action retrieves detailed information for a specific event from + Symantec ICDX using its unique identifier (UUID). This action is primarily used + for deep-dive investigations where a specific event ID is already known, allowing + analysts to pull the full raw data and structured fields associated with that + event from the ICDX archives. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Event UUID** | string | Yes | The unique universal identifier (UUID) of the + event to be retrieved from Symantec ICDX. | + + + ### Additional Notes + + * This action does not process entities automatically; it requires a manual input + of the Event UUID. + + * The results are presented both as a raw JSON object and a flattened data table + for easier viewing within the case wall. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action starts by fetching the Symantec ICDX + integration settings, including the API Root, API Token, and SSL verification + preferences. + + 2. **Parameter Extraction:** It retrieves the `Event UUID` provided by the user + or a previous playbook step. + + 3. **API Interaction:** The action calls the Symantec ICDX Manager to perform + a POST request to the search endpoint (`/r3_epmp_i/dx/archives/search`) with a + request type ID of `0` (specific to 'get event' requests). + + 4. **Data Processing:** If an event is found, the action flattens the dictionary + data for display. + + 5. **Output Generation:** The action populates the JSON result and creates a data + table named after the UUID. If no event is found, it terminates with a 'Not found' + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -41,8 +90,16 @@ Get Event: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to retrieve event data from Symantec ICDX + (fetches_data=true). It does not modify external systems (can_mutate_external_data=false). + It does not modify internal SOAR data (entities, insights, etc.) (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Symantec ICDX) but does not + perform enrichment on entities or alerts. It is a retrieval action for specific + event data. Therefore, it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -58,14 +115,51 @@ Get Event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies on a user-provided `Event UUID` parameter to fetch data. + Therefore, it does not run on any entity types. Get Events Minutes Back: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for historical event logs in Symantec ICDX based on a query + and time window. This directly matches the 'Search Events' category. It does + not perform enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves security events from Symantec ICDX based on a specific search - query and a relative time window (minutes back from the current time). It is primarily - used for log searching and event retrieval to gather historical context within - a SOAR workflow. + The **Get Events Minutes Back** action retrieves historical event data from Symantec + ICDX based on a user-defined query and a relative time window (minutes back from + the current time). This action is primarily used for log searching and event correlation + within a specific timeframe, allowing analysts to pull raw event data directly + into the Google SecOps case for further investigation. ### Parameters Description @@ -74,46 +168,51 @@ Get Events Minutes Back: | :--- | :--- | :--- | :--- | - | Query | String | Yes | The search query string to be executed against the Symantec - ICDX archives. | + | **Query** | string | Yes | The search query string used to filter events in + Symantec ICDX (e.g., filtering by specific IP, user, or event type). | - | Limit | Integer | No | The maximum number of events to retrieve. Defaults to - 10 if not specified. | + | **Limit** | string | No | The maximum number of events to retrieve. Defaults + to 10 if not specified. | - | Minutes Back | Integer | No | The number of minutes to look back from the current - time for the search window. Defaults to 60 if not specified. | + | **Minutes Back** | string | No | The number of minutes to look back from the + current time to define the start of the search window. Defaults to 60 minutes. + | - | Fields | String | No | A comma-separated list of specific event fields to include - in the results. If left empty, all default fields are returned. | + | **Fields** | string | No | A comma-separated list of specific event fields to + return (e.g., 'uuid,type,device_ip'). If left empty, all default fields are returned. + | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes a connection to the Symantec ICDX - API using the provided API Root and Token. + - This action does not run on specific entities; it performs a global search based + on the provided query. - 2. **Time Calculation**: It calculates the start time for the search by subtracting - the 'Minutes Back' value from the current UTC time, converted to milliseconds. + - The action handles API pagination automatically to ensure the requested limit + of events is reached if available. - 3. **Search Execution**: It sends a POST request to the ICDX search endpoint with - the query, start time, and limit. If specific fields are provided, they are included - in the request payload. + - Results are presented both as a raw JSON object and a flattened data table for + easier viewing in the SOAR interface. - 4. **Pagination**: If the initial response indicates more results are available - (via a 'next' UUID), the action automatically paginates through the results to - fulfill the request. - 5. **Data Processing**: The retrieved events are flattened and formatted. + ### Flow Description - 6. **Output**: The action populates the 'JsonResult' with the raw event data and - creates a data table in the SOAR case containing the flattened event details. + 1. **Time Calculation:** The action calculates the start timestamp by subtracting + the 'Minutes Back' value from the current UTC time. + 2. **API Request Construction:** It builds a search payload containing the query, + start time, and limit. If specific fields are requested, they are added to the + payload. - ### Additional Notes + 3. **Data Retrieval:** The action executes a POST request to the Symantec ICDX + search endpoint. + + 4. **Pagination:** If the initial response indicates more results are available + (via a 'next' UUID), the action paginates through the results until the limit + is met or all events are retrieved. - This action does not run on specific entities (like IPs or Hostnames). It performs - a general search based on the 'Query' parameter. If no events are found, the action - completes successfully with a message indicating no results. + 5. **Output Generation:** The retrieved events are added to the action results + as a JSON object and converted into a flattened data table for the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,8 +223,17 @@ Get Events Minutes Back: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search query against Symantec ICDX to retrieve event logs. + It fetches data via a POST request to the search endpoint but does not modify + external systems or internal SOAR entities, insights, or case data. categories: enrichment: false + reasoning: >- + The action fetches historical event logs from an external system. While it fetches + data, it is a general search action rather than an enrichment action designed + to add context to specific entities or alerts. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -141,14 +249,49 @@ Get Events Minutes Back: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on target entities. It performs a global search + based on the provided query parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test. It does not perform any of the + defined product category operations (Enrichment, Containment, Ticket management, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity to the Symantec ICDX (Integrated Cyber Defense Exchange) - platform to ensure that the provided credentials and API endpoint are valid and - reachable. This action is primarily used for troubleshooting and verifying the - integration setup. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Symantec ICDX (Integrated Cyber Defense Exchange) + platform. It validates the integration's configuration, including the API Root, + API Token, and SSL settings, by performing a test API call. ### Parameters Description @@ -158,19 +301,19 @@ Ping: ### Flow Description - 1. **Initialization**: The action initializes the `SymantecICDXManager` using - the integration's configuration parameters, including the API Root, API Token, - and SSL verification settings. + 1. **Configuration Retrieval**: The action fetches the integration's global configuration, + including the `Api Root`, `Api Token`, and `Verify SSL` settings. - 2. **Connectivity Test**: It calls the `test_connectivity` method, which attempts - to retrieve a specific hardcoded event UUID from the ICDX archives to verify API - access. + 2. **Manager Initialization**: It initializes the `SymantecICDXManager` using + the retrieved credentials. - 3. **Validation**: The manager validates the HTTP response from the Symantec ICDX - API. + 3. **Connectivity Test**: The action executes the `test_connectivity` method, + which attempts to retrieve a specific event by a hardcoded UUID from the Symantec + ICDX search endpoint. - 4. **Completion**: If the API call is successful, the action concludes with a - "Connection Established" status. + 4. **Result Reporting**: If the API call is successful, the action concludes with + a success status and the message 'Connection Established'. If the connection fails, + an exception is raised. capabilities: can_create_case_comments: false can_create_insight: false @@ -181,8 +324,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a test API call to verify connectivity. While it technically + makes a network request (POST), it is a diagnostic 'Ping' action, not an enrichment + or mutation action. It does not modify external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -198,3 +349,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities. It is a diagnostic tool that runs independently + of any specific entity. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..840a60c57 --- /dev/null +++ b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,69 @@ +SymantecICDX query Connector: + ai_description: >- + ### General Description + + This connector integrates with the Symantec ICDX server to fetch security events + based on a user-defined query. It enables security teams to ingest relevant logs + or alerts into Google SecOps for centralized monitoring, investigation, and case + management. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | No | The field name used to determine the event name + (sub-type). | + + | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the + python process. | + + | Api Root | String | Yes | The base URL of the Symantec ICDX API. | + + | Api Token | String | Yes | The API token for authentication. | + + | Verify SSL | Boolean | Yes | Whether to use SSL verification for the connection. + | + + | Search Query | String | Yes | The query string used to filter events from Symantec + ICDX. | + + | Events Limit | Integer | Yes | The maximum number of events to pull in one cycle. + | + + | Max Days Backwards | Integer | Yes | The maximum number of days to look back + when fetching events. | + + | Proxy Server Address | String | No | The address of the proxy server to use. + | + + | Proxy Username | String | No | The proxy username to authenticate with. | + + | Proxy Password | String | No | The proxy password to authenticate with. | + + + ### Flow Description + + 1. The connector initializes a connection to the Symantec ICDX API using the provided + credentials and API root. + + 2. It determines the start time for the query based on the last successful run + timestamp or the configured 'Max Days Backwards' parameter. + + 3. It executes the 'Search Query' against the Symantec ICDX API to retrieve events. + + 4. It filters out events that have already been processed by checking against + a local 'ids.json' file. + + 5. For each new event, it maps the data to a Google SecOps 'CaseInfo' object, + including relevant fields like device vendor, product, and event time. + + 6. It checks for overflow conditions to prevent ingestion issues. + + 7. Finally, it saves the new timestamp and updates the 'ids.json' file to track + processed events for the next cycle. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..8f1dec9a3 --- /dev/null +++ b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Symantec ICDX (Integrated Cyber Defense Exchange) integration functions primarily + as a data aggregator and log collector. Its connector is designed to ingest security + events and logs into the Google SecOps platform for centralized monitoring and + investigation. The available actions ('Get Event' and 'Get Events Minutes Back') + allow analysts to search through these historical logs to identify activity related + to assets or users. This aligns directly with the SIEM category, which focuses + on log ingestion, centralized monitoring, and searching for activity across logs. + It does not provide EDR, Network Security, Threat Intelligence, or other specialized + security management capabilities. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..f90e24762 --- /dev/null +++ b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,106 @@ +Cron Scheduled Connector: + ai_description: >- + ### General Description + + This connector acts as a scheduler to generate alerts and cases within Google + SecOps at specific intervals defined by a cron expression. It is highly customizable, + allowing users to define the alert name, type, product, and arbitrary alert fields + via JSON configuration. It is useful for testing playbooks, creating heartbeat + alerts, or simulating periodic events. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert fields | String | Yes | JSON formatted fields to include in the alert. + | + + | Alert name | String | Yes | The name of the alert to be created. | + + | Alert type | String | No | The type of the alert. | + + | Cron Expression | String | No | Cron schedule for case creation. | + + | DeviceProductField | String | Yes | Field name for device product. | + + | EventClassId | String | Yes | Field name for event name. | + + | Product name | String | No | The product name for the alert. | + + | PythonProcessTimeout | String | Yes | Timeout limit in seconds. | + + + ### Flow Description + + 1. The connector initializes and retrieves configuration parameters. + + 2. It evaluates the provided Cron Expression against the current system time. + + 3. If the cron schedule matches, it parses the Alert fields JSON string. + + 4. It constructs a CaseInfo object with the specified alert name, type, product, + and custom fields. + + 5. It generates a corresponding event and attaches it to the case. + + 6. The case is ingested into the SOAR platform for further processing by playbooks. +Scheduled Connector: + ai_description: >- + ### General Description + + This connector acts as a synthetic alert generator for Google SecOps SOAR. It + allows users to manually define and trigger alerts (cases) based on custom parameters, + such as product name, alert name, and alert type. It is primarily used to test + playbooks or trigger specific workflows by injecting custom alert data into the + SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert fields | String | Yes | The alert fields you would like to insert in a + JSON format. | + + | Alert name | String | Yes | The Alert name associated with the alert that will + be created. | + + | Alert type | String | No | The Alert type associated with the alert that will + be created. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Product name | String | No | The Product name associated with the alert that + will be created. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running current script. | + + + ### Flow Description + + 1. The connector initializes the SiemplifyConnectorExecution environment. + + 2. It retrieves the user-defined configuration parameters (Product name, Alert + name, Alert type, and Alert fields). + + 3. It parses the Alert fields JSON string into a dictionary. + + 4. It constructs a CaseInfo object, populating it with the provided alert details, + including the alert name, type, and product. + + 5. It maps the parsed Alert fields into the case extensions. + + 6. It generates a corresponding event and attaches it to the case. + + 7. Finally, it returns the constructed case package to the SOAR platform to trigger + relevant playbooks. diff --git a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..50fcfbd4b --- /dev/null +++ b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration consists of connectors designed to generate synthetic alerts and + cases within Google SecOps, primarily for testing playbooks and simulating periodic + events. It does not perform security operations functions such as log analysis + (SIEM), endpoint management (EDR), network security, threat intelligence enrichment, + email security, identity management, cloud resource management, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification. + Consequently, it does not align with any of the specified product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py b/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py index b36a581ec..165a274a8 100644 --- a/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py +++ b/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py @@ -201,9 +201,7 @@ def parseHops(received): raise if "date" not in parsed_route: continue - hop_info["time"] = ( - parsed_route["date"].astimezone(datetime.UTC).replace(tzinfo=None) - ) + hop_info["time"] = parsed_route["date"].astimezone(datetime.UTC).replace(tzinfo=None) hop_info["blacklisted"] = False if "from" in parsed_route: for f in parsed_route["from"]: @@ -219,14 +217,12 @@ def parseHops(received): response = DbIpCity.get(f, api_key="free") hop_info["from_geo"] = json.loads(response.to_json()) except Exception as expe: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(expe).__name__, expe.args) denylist["blacklisted"] = ip_check.blacklisted denylist["detected_by"] = ip_check.detected_by.copy() - denylist["categories"] = ip_check.categories.copy() + denylist["categories"] = ip_check.ai_categories.copy() hop_info["blacklist_info"].append(denylist) except ValueError: try: @@ -244,19 +240,15 @@ def parseHops(received): hop_info["from_geo"] = json.loads(response.to_json()) hop_info["from_ip_whois"] = ip_whois except Exception as exp: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(exp).__name__, exp.args) denylist["blacklisted"] = domain_check.blacklisted denylist["detected_by"] = domain_check.detected_by.copy() - denylist["categories"] = domain_check.categories.copy() + denylist["categories"] = domain_check.ai_categories.copy() hop_info["blacklist_info"].append(denylist) except Exception as e: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(e).__name__, e.args) logger(message) except Exception as ex: @@ -290,9 +282,7 @@ def parseHops(received): response = DbIpCity.get(resolved_ip, api_key="free") hop_info["by_geo"] = json.loads(response.to_json()) except Exception as expl: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(expl).__name__, expl.args) except Exception as exp: template = "An exception of type {0} occurred. Arguments:\n{1!r}" @@ -303,9 +293,7 @@ def parseHops(received): else: hop_info["with"] = "" if previous_hop: - hop_info["delay"] = ( - parsed_route["date"] - previous_hop["date"] - ).total_seconds() + hop_info["delay"] = (parsed_route["date"] - previous_hop["date"]).total_seconds() else: hop_info["delay"] = "*" previous_hop = hop_info @@ -400,11 +388,9 @@ def buildResult(header, siemplify): if "by" in fromserver: result["SourceServer"] = fromserver["by"][0] try: - result["SourceServerIP"] = ( - EmailUtilitiesManager.Resolver().query( - result["SourceServer"], - )[0][2] - ) + result["SourceServerIP"] = EmailUtilitiesManager.Resolver().query( + result["SourceServer"], + )[0][2] except: pass continue @@ -433,13 +419,11 @@ def main(siemplify): print_value=False, ) - status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status - output_message = ( - "output message :" # human readable message, showed in UI as the action result - ) - result_value = ( - None # Set a simple result value, used for playbook if\else and placeholders. + status = ( + EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status ) + output_message = "output message :" # human readable message, showed in UI as the action result + result_value = None # Set a simple result value, used for playbook if\else and placeholders. h = json.loads(headers_json) headers_res = buildResult(h, siemplify) diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml index 45af87633..8e4457538 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml @@ -1,5 +1,39 @@ Analyze EML Headers: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs heuristic analysis on email headers provided as input. It + does not match any of the predefined product categories (e.g., it is not an + enrichment, containment, or ticketing action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- + ### General Description + Analyzes email headers provided either as a base64-encoded EML file or a JSON-formatted list of headers. The action performs a security-focused heuristic analysis to identify potential spoofing, misconfigurations, or suspicious patterns. It evaluates @@ -12,7 +46,6 @@ Analyze EML Headers: ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -65,8 +98,16 @@ Analyze EML Headers: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses provided email data and performs heuristic analysis. It does + not make external API calls (fetches_data=false), does not mutate external systems, + and does not modify internal SOAR case data (entities, insights, comments). + It only returns a result JSON. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes provided + input) and does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -82,15 +123,52 @@ Analyze EML Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any entity-based operations. + It processes email data provided via input parameters. Analyze Headers: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action analyzes email headers and returns a structured JSON result. It does + not match any of the predefined product categories (e.g., it does not enrich + an IOC entity, update an alert, or interact with an external ticketing system). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- + ### General Description + Analyzes email headers provided in JSON format to perform a comprehensive security audit of an email's origin and routing path. The action validates authentication records (SPF, DMARC, DKIM, ARC), traces the relay hops, and enriches the data with threat intelligence. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -100,6 +178,13 @@ Analyze Headers: be analyzed. This is typically extracted from an email parsing action. | + ### Additional Notes + + This action does not operate on SOAR entities directly. It requires a JSON object + containing email headers as input. The action performs external lookups (DNS, + WHOIS, GeoIP, RBLs) to analyze the email's origin and routing. + + ### Flow Description 1. **Input Extraction:** Retrieves the `Headers JSON` parameter and parses it @@ -140,8 +225,16 @@ Analyze Headers: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action parses email headers and performs external lookups (DNS, WHOIS, GeoIP, + RBLs) to analyze the email's origin and routing. It does not modify any external + or internal systems, nor does it operate on SOAR entities. categories: enrichment: false + reasoning: >- + The action does not operate on entities and does not meet the criteria for an + enrichment action as defined (which requires operating on alerts or entities). + It is a utility action for email header analysis. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -157,7 +250,41 @@ Analyze Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities`. It processes a JSON string provided + as a parameter. Parse Base64 Email: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for parsing email content. It does not match any of + the defined product categories (e.g., enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -235,8 +362,16 @@ Parse Base64 Email: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses a Base64 encoded email blob (EML/MSG) provided as input. It + performs local processing to extract headers, body, attachments, and IOCs. It + does not interact with external APIs or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a local utility for parsing email blobs. It does not fetch data + from external systems, nor does it modify internal SOAR data. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -252,7 +387,42 @@ Parse Base64 Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It processes a raw Base64 string provided + as a parameter. Parse Case Wall Email: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action parses email files to extract indicators and create entities. It + does not match any of the specific product categories like 'Enrich IOC' (which + implies reputation fetching), 'Contain Host', or 'Create Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Parses EML or MSG email files attached to the Google SecOps case wall to extract headers, body content, and nested attachments. This action automates the decomposition @@ -333,13 +503,21 @@ Parse Case Wall Email: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Creates new entities (User, Email Subject, IP, URL, etc.) based on email content, - adds extracted email attachments to the case wall, and updates existing entity - attributes with attachment metadata. + Creates new entities (User, Subject, Indicators) and updates existing FILENAME + entities with attachment IDs. + reasoning: >- + The action reads email attachments from the case wall (fetches_data=true). It + creates new entities (User, Subject, Indicators) and updates existing FILENAME + entities with attachment IDs (can_mutate_internal_data=true, can_update_entities=true). + It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (email attachments) and performs internal mutations + (creating/updating entities) to enrich the case with indicators. It does not + mutate external systems. This fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -355,7 +533,41 @@ Parse Case Wall Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities` as input. It operates on attachments + found in the case/alert wall. Parse EML Base64 Blob: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for parsing EML content. It does not match any of the + defined product categories (Enrichment, Containment, Ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -421,8 +633,17 @@ Parse EML Base64 Blob: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a pure utility that parses a provided base64 string into an EML + object. It does not perform any external API calls (fetches_data=false), does + not mutate any external systems (can_mutate_external_data=false), and does not + modify any internal SOAR data such as entities, insights, or comments (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for parsing data. It does not fetch data from external + sources (not enrichment) and does not mutate any systems. Therefore, it does + not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -438,7 +659,40 @@ Parse EML Base64 Blob: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference or process any entities from the SOAR platform. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a health check/ping. It does not match any of the defined product + categories (e.g., Enrich IOC, Contain Host, Create Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -477,8 +731,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by returning a success message. + It does not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from enrichment + by the provided rules. It does not fetch data or perform any enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -494,3 +754,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. The SimulationDataJson indicates + an empty list of entities, and the code does not reference target_entities. diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..16dc0deaf --- /dev/null +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: true + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'email_utilities' provides a suite of tools for parsing email + files (EML/MSG) and analyzing email headers. It is classified under 'Email Security' + because its primary purpose is to assist in the investigation of email-based threats, + such as phishing reports, by parsing email content, extracting indicators, and + analyzing headers for anomalies. It is also classified under 'Threat Intelligence' + because the 'Analyze Headers' action performs external lookups (DNS, WHOIS, GeoIP, + and RBLs) to assess the reputation of relay servers and email origins, which serves + as an enrichment step for indicators. It does not meet the criteria for other + categories like SIEM, EDR, Network Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration, as it does not interact with logs, + host processes, network gateways, identity providers, cloud resources, ticketing + systems, or asset databases. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml index 50ae811f7..69b761684 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml @@ -1,67 +1,78 @@ Enrich Entities from List with Field: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates entity properties within the SOAR platform. It does not fetch + external data, nor does it perform specific product-related tasks like blocking, + ticketing, or searching. It is a generic utility for enriching entity metadata. + Therefore, it does not match any of the specific product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Enrich Entities from List with Field** action is designed to bulk-update - entities within a Google SecOps case by adding a custom field and value to their - metadata. This action is particularly useful for tagging or labeling a specific - subset of entities (e.g., marking a list of IP addresses as 'Known Malicious' - or 'Executive Owned') based on a provided list of identifiers. + This action enriches specific entities within a case by adding a custom field + and value to their `additional_properties`. It is a utility action designed to + update entity metadata based on a provided list of identifiers. - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **List of Entities** | String | Yes | A delimited string containing the identifiers - of the entities to be enriched (e.g., '192.168.1.1, 192.168.1.2'). | - - | **Entity Type** | String | Yes | The specific type of entities to target (e.g., - ADDRESS, HOSTNAME, USERUNIQNAME). Only entities matching this type will be processed. - | + ### Flow Description - | **Entity Delimiter** | String | Yes | The character used to separate the identifiers - in the 'List of Entities' parameter (e.g., a comma, semicolon, or pipe). | + 1. Parses the input `List of Entities` string using the provided `Entity Delimiter`. - | **Enrichment Field** | String | Yes | The name of the property/key to be added - to the entity's 'additional_properties'. | + 2. Retrieves all entities from the current case alerts. - | **Enrichment Value** | String | Yes | The value to be assigned to the specified - 'Enrichment Field'. | + 3. Matches entities from the input list against the case entities based on identifier + and the specified `Entity Type`. + 4. Updates the `additional_properties` of the matched entities with the provided + `Enrichment Field` and `Enrichment Value`. - ### Flow Description + 5. Updates the entities in the SOAR platform. - 1. **Initialization:** The action retrieves the input parameters, including the - list of entities, the target entity type, the delimiter, and the enrichment key-value - pair. - 2. **Parsing:** The 'List of Entities' string is split into individual identifiers - using the provided delimiter, and whitespace is trimmed from each entry. + ### Parameters Description - 3. **Entity Retrieval:** The action fetches all entities associated with the alerts - in the current Google SecOps case. + | Parameter | Type | Mandatory | Description | - 4. **Matching Logic:** It iterates through the parsed list of identifiers and - attempts to find matching entities in the case. A match is confirmed if the entity's - identifier (case-insensitive) and entity type both align with the input parameters. + | :--- | :--- | :--- | :--- | - 5. **Data Mutation:** For every matched entity, the action updates its `additional_properties` - dictionary by inserting the 'Enrichment Field' as the key and the 'Enrichment - Value' as the value. + | List of Entities | string | Yes | A delimited list of entity identifiers to + enrich. | - 6. **Commitment:** The action calls the SDK's `update_entities` method to save - the changes back to the Google SecOps platform and returns the count of successfully - enriched entities. + | Entity Type | string | Yes | The type of entity to filter for (e.g., "ADDRESS", + "HOSTNAME"). | + | Entity Delimiter | string | Yes | The character used to separate entities in + the list. | - ### Additional Notes + | Enrichment Field | string | Yes | The key name for the new property. | - This action performs internal data manipulation only and does not interact with - any external APIs or services. It is strictly used for organizing and enriching - data already present within the SOAR environment. + | Enrichment Value | string | Yes | The value to assign to the new property. | capabilities: can_create_case_comments: false can_create_insight: false @@ -72,10 +83,17 @@ Enrich Entities from List with Field: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of matched entities within the - Google SecOps case with a user-specified field and value. + Updates the `additional_properties` of entities within the case. + reasoning: >- + The action updates the `additional_properties` of entities within the case (internal + mutation). It does not fetch external data, nor does it mutate external systems. + It updates entities in the SOAR platform. categories: enrichment: false + reasoning: >- + The action updates entity fields/attributes, which is an allowed internal mutation + for enrichment actions. However, it does not fetch data from an external source, + which is a requirement for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -126,15 +144,51 @@ Enrich Entities from List with Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.case.alerts` and filters entities by `identifier` + and `entity_type`. It does not use `target_entities` directly but rather searches + through all alert entities. Since it filters by `entity_type` provided as a + parameter, it supports all entity types dynamically. Enrich Entity From Event Field: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds contextual metadata (from event fields) to the entity. This + matches the 'Enrich Asset' category. It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action extracts specific data fields from the first security event of an - alert and maps them to the entities within that alert. It is designed to enrich - entity profiles with contextual information already present in the event logs, - such as custom metadata or specific identifiers that were not automatically mapped - during ingestion. + This action enriches entities by extracting specific fields from the associated + security event and updating the entity's additional properties. It allows analysts + to map event-specific data (e.g., user agents, source ports, or custom metadata) + directly onto the entities involved in an alert, facilitating better context and + investigation. ### Parameters Description @@ -143,37 +197,29 @@ Enrich Entity From Event Field: | :--- | :--- | :--- | :--- | - | Fields to enrich | String | Yes | A comma-separated list of field names (e.g., - 'src_port, device_id') to extract from the event's additional properties and add - to the entities. | - - - ### Additional Notes + | Fields to enrich | string | Yes | The name of the fields in the event that will + be used to enrich the entity. Supports a comma-separated list. | - - The action performs a case-insensitive search for the specified fields within - the event's `additional_properties`. - - Only the first security event (`security_events[0]`) associated with the alert - is used as the data source. + ### Flow Description + 1. The action retrieves the "Fields to enrich" parameter. - ### Flow Description + 2. It accesses the first security event associated with the current alert. - 1. **Initialization**: Retrieves the comma-separated list of field names from - the action parameters. + 3. It iterates through all target entities provided in the action context. - 2. **Data Retrieval**: Accesses the first security event of the current alert - and converts its additional properties into a case-insensitive dictionary. + 4. For each entity, it checks if the specified fields exist in the event's additional + properties. - 3. **Entity Processing**: Iterates through all target entities in the current - scope. + 5. If a match is found, it updates the entity's `additional_properties` with the + corresponding value from the event. - 4. **Field Mapping**: For each entity, it checks if the requested fields exist - in the event data. If found, the field and its value are added to the entity's - `additional_properties`. + 6. If any entities were updated, the action calls `update_entities` to persist + the changes in the SOAR platform. - 5. **Update**: Updates all modified entities in Google SecOps and outputs the - enriched data as a JSON result. + 7. Finally, it returns the enriched data in the action results and completes the + execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,10 +230,18 @@ Enrich Entity From Event Field: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities within the Google SecOps case - using data extracted from the alert's security events. + Updates entity `additional_properties` with data extracted from the event. + reasoning: >- + The action retrieves data from the internal security event object and updates + the entity's additional properties. It does not interact with external systems. + It performs an internal mutation by updating entity fields, which is an allowed + operation for enrichment actions. categories: enrichment: true + reasoning: >- + The action fetches data from the internal event and updates entity fields. This + is a valid enrichment action as it does not mutate external systems and only + performs allowed internal mutations (updating entity fields). entity_usage: entity_types: - ADDRESS @@ -238,15 +292,48 @@ Enrich Entity From Event Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Enrich Entity From JSON: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action does not match any of the predefined product categories. It is a + generic utility action for enriching entities from a JSON input. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Enrich Entity From JSON** action is a utility designed to update entity - attributes within Google SecOps using data provided in a JSON format. It allows - users to map external data (passed as a parameter) to existing entities by matching - identifiers. This is particularly useful for manual enrichment or when data is - retrieved in a previous step of a playbook and needs to be associated with entities. + Enriches entities by mapping data from a provided JSON input to the entity's `additional_properties`. + This action is a utility tool that allows users to inject custom data into entities + based on a JSON structure, facilitating the association of external data with + entities within the SOAR platform. ### Parameters Description @@ -255,58 +342,46 @@ Enrich Entity From JSON: | :--- | :--- | :--- | :--- | - | **Enrichment JSON** | String | Yes | A JSON-formatted list of objects containing - the enrichment data. | + | Enrichment JSON | string | Yes | The JSON data containing enrichment information. + Expected to be a list of JSON objects. | - | **Identifier KeyPath** | String | Yes | The path within the JSON objects to - the field that matches the entity's identifier (e.g., `EntityResult.id`). Supports - multiple paths separated by newlines. | + | Identifier KeyPath | string | Yes | The path to the identifier within the JSON, + used to match the JSON data with the entity. | - | **Separator** | String | Yes | The character used to separate keys in the `Identifier - KeyPath` (default is `.`). | + | Separator | string | Yes | The separator used in the key path (e.g., "."). | - | **PrefixForEnrichment** | String | No | An optional prefix to prepend to the - keys of the added enrichment data. | + | PrefixForEnrichment | string | No | A prefix to add to the enriched field names + in the entity's `additional_properties`. | - | **Enrichment JSONPath** | String | No | An optional JSONPath expression to extract - specific subsets of data from the matching JSON object. | + | Enrichment JSONPath | string | No | A JSONPath expression to filter the data + to be added to the entity. | ### Additional Notes - - The action flattens nested JSON structures into a flat key-value format before - adding them to the entity's `additional_properties`. - - - If multiple key paths are provided in `Identifier KeyPath`, the action will - check them sequentially. - - - This action does not perform external API calls; it processes data already present - in the playbook context. + This action does not perform any external API calls. It relies entirely on the + provided `Enrichment JSON` parameter to perform the enrichment. It is a utility + action for mapping data to entities. ### Flow Description - 1. **Data Parsing**: The action parses the `Enrichment JSON` input into a list - of dictionaries. + 1. The action accepts a JSON string, a key path to identify the entity, and optional + configuration (separator, prefix, JSONPath). - 2. **Entity Iteration**: It iterates through all target entities in the current - context. + 2. It iterates through the target entities in the case. - 3. **Identifier Matching**: For each entity, it searches the JSON list for a record - where the value at `Identifier KeyPath` matches the entity's identifier. + 3. For each entity, it searches the provided JSON for a matching identifier using + the specified `Identifier KeyPath`. - 4. **Data Extraction**: - - If `Enrichment JSONPath` is provided, it extracts the specific data matching - the path. - - Otherwise, it uses the entire matching JSON object. - 5. **Flattening and Prefixing**: The extracted data is flattened into a single-level - dictionary. If a `PrefixForEnrichment` is defined, it is applied to all keys. + 4. If a match is found, it extracts the relevant data (optionally using the provided + `Enrichment JSONPath`). - 6. **Entity Update**: The entity's `additional_properties` are updated with the - processed data. + 5. The extracted data is flattened and added to the entity's `additional_properties` + (optionally with a prefix). - 7. **Finalization**: The action updates the entities in the system and returns - the count of successfully enriched entities. + 6. Finally, the action updates the entities in the SOAR platform with the new + properties. capabilities: can_create_case_comments: false can_create_insight: false @@ -317,10 +392,17 @@ Enrich Entity From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' field of entities within the Google SecOps - case based on the provided JSON data. + Updates entity `additional_properties` with data extracted from the provided + JSON. + reasoning: >- + The action updates entity `additional_properties` based on provided JSON input. + It does not fetch data from external systems (no API calls), nor does it mutate + external data. It performs internal mutation by updating entity fields. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the Enrichment category. It is a utility action for mapping data to entities. entity_usage: entity_types: - ADDRESS @@ -371,52 +453,75 @@ Enrich Entity From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` without applying any + filters, therefore it supports all entity types. Enrich Entity With Field: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for updating entity metadata. It does not perform any + of the defined product-specific actions like enriching IOCs, updating alerts, + or managing tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + General description: - This action allows users to manually enrich entities within a Google SecOps case - by adding custom key-value pairs to their 'additional_properties' attribute. It - is primarily used to inject static data or context into entities that may not - be available through automated enrichment sources. + This action allows users to manually enrich entities by adding custom key-value + pairs to their `additional_properties`. It is a utility action designed to update + entity metadata within the SOAR platform. - ### Parameters Description + Parameters description: - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | | Fields to enrich | string | Yes | A JSON-formatted string representing a list - of objects. Each object must contain `entity_field_name` (the key) and `entity_field_value` - (the value) to be added to the entities. Example: `[{"entity_field_name": "Department", - "entity_field_value": "Finance"}]`. | - - - ### Additional Notes + of objects, where each object contains `entity_field_name` and `entity_field_value`. + | - - This action does not interact with any external APIs; it only processes the - data provided in the input parameters. - - The action updates all entities currently in the scope of the action execution. + Flow description: + 1. Retrieve the `Fields to enrich` parameter. - ### Flow Description + 2. Parse the JSON string into a list of field objects. - 1. **Parse Input:** The action retrieves the `Fields to enrich` parameter and - parses the JSON string into a Python list of dictionaries. + 3. Iterate through all target entities. - 2. **Iterate Entities:** It iterates through all `target_entities` provided in - the current context. + 4. For each entity, update its `additional_properties` with the provided key-value + pairs. - 3. **Apply Enrichment:** For each entity, it loops through the list of key-value - pairs and adds them to the entity's `additional_properties` dictionary. + 5. Update the entities in the SOAR platform. - 4. **Update Internal State:** The action calls the SDK's `update_entities` method - to persist the changes within Google SecOps. - - 5. **Report Results:** It adds a JSON result for each updated entity and concludes - the execution with a summary message indicating the number of enriched entities. + 6. Add the enrichment data to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -427,10 +532,17 @@ Enrich Entity With Field: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of entities within - the Google SecOps case based on the provided input parameters. + Updates the `additional_properties` attribute of the target entities with user-provided + key-value pairs. + reasoning: >- + The action takes user-provided key-value pairs and updates the `additional_properties` + of the target entities. It does not fetch data from external sources, so it + is not an enrichment action. It modifies internal entity data. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it does not meet + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -481,60 +593,92 @@ Enrich Entity With Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it applies the enrichment fields to all entities provided in the action scope. Enrich Entity from Explorer Attributes: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata for entities from the Entity Explorer + and updates the entity objects. This aligns with 'Enrich Asset'. It does not + perform IOC-specific threat intelligence lookups (like reputation scores), so + 'Enrich IOC' is false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches entities within a case by retrieving historical attribute data from the - Google SecOps Entity Explorer. This action allows analysts to automatically populate - entity properties with previously discovered information, ensuring consistency - and providing immediate context without manual lookups. + Enriches entities with historical data retrieved from the Entity Explorer. This + action allows users to pull specific attributes associated with an entity from + the system's historical data and apply them to the current entity object within + the SOAR platform. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the 'Field Name' (a comma-delimited + list of fields) and the 'Use Field Name as Whitelist' boolean parameter. - | :--- | :--- | :--- | :--- | + 2. **Entity Iteration**: The action iterates through all entities provided in + the `target_entities` list. - | Field Name | string | No | A comma-separated list of specific field names to - retrieve from the Entity Explorer. If left empty, all available fields (except - system fields) will be processed. | + 3. **Data Retrieval**: For each entity, it calls the `get_entity_data` function + to fetch historical attributes from the Entity Explorer. - | Use Field Name as Whitelist | boolean | No | Determines how the 'Field Name' - parameter is applied. If 'true' (default), only the specified fields are added - to the entity. If 'false', the specified fields are excluded (denylist), and all - other available fields are added. | + 4. **Field Filtering**: It filters the retrieved fields based on the 'Field Name' + parameter, applying either a whitelist or blacklist logic depending on the 'Use + Field Name as Whitelist' setting. System fields are automatically excluded. + 5. **Entity Update**: It updates the entity's attributes or `additional_properties` + with the filtered data. - ### Additional Notes + 6. **Result Reporting**: The action updates the entities in the SOAR platform + and adds the enrichment results to the action output. - - The action automatically filters out internal system fields (e.g., 'IsSuspicious', - 'Environment', 'Type') to prevent accidental overwriting of core platform data. - - If a field already exists as a standard attribute on the entity object, it is - updated directly; otherwise, it is added to the entity's 'additional_properties' - dictionary. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action retrieves the configuration parameters, specifically - the list of fields and the allowlist/denylist toggle. + | Field Name | string | No | A comma-delimited string of fields from the Entity + Explorer to use for enrichment. If null, all available fields are processed. | - 2. **Data Retrieval**: For every entity targeted in the current scope, the action - calls the internal SecOps API to fetch historical data stored in the Entity Explorer. + | Use Field Name as Whitelist | boolean | No | When true, 'Field Name' acts as + a whitelist. When false, it acts as a blacklist. Defaults to true. | - 3. **Filtering**: The retrieved fields are filtered based on the 'Field Name' - and 'Use Field Name as Whitelist' logic. System-protected fields are explicitly - excluded from the update list. - 4. **Entity Update**: The action maps the filtered data to the entity object. - It attempts to set attributes directly if they exist or appends them to the 'additional_properties' - metadata. + ### Additional Notes - 5. **Commit**: The updated entity objects are sent back to the Google SecOps platform - to persist the changes, and a summary of the updated properties is logged. + This action performs internal updates to entity objects. It does not interact + with external third-party APIs for data retrieval, relying instead on the internal + Entity Explorer data. capabilities: can_create_case_comments: false can_create_insight: false @@ -545,10 +689,17 @@ Enrich Entity from Explorer Attributes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes and additional properties within the Google SecOps - platform using historical data retrieved from the Entity Explorer. + Updates entity attributes and additional_properties within the SOAR platform. + reasoning: >- + The action fetches entity data from the internal SOAR system using `get_entity_data` + and updates the entity objects within the SOAR platform using `update_entities`. + It does not interact with external systems or modify alert/case metadata. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates entities (allowed internal + mutation). It does not mutate external systems. It fits the definition of an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -599,45 +750,68 @@ Enrich Entity from Explorer Attributes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Enrich FileName Entity with Path: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds contextual metadata (file path, name, extension) to the entity, + which aligns with the 'Enrich Asset' category. It does not fetch threat intelligence + (Enrich IOC) or perform any other actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action parses file path strings from entity identifiers to extract and enrich - entities with specific file-related metadata, including the directory path, the - full filename, and the file extension. It is designed to work with both Windows - and Unix-style path conventions. + This action parses file path strings from entity identifiers to extract the file + name, directory path, and file extension. It then updates the entity's `additional_properties` + with these extracted details, providing enriched context for further analysis. - ### Parameters Description - - No parameters are required for this action. - - - ### Additional Notes + ### Parameters - This action does not interact with external APIs or services. It performs local - string manipulation on the entity's identifier to derive its components. If an - identifier cannot be parsed as a valid path (e.g., it does not contain a directory - component), the entity will not be enriched. + There are no parameters for this action. ### Flow Description - 1. **Iterate Entities**: The action retrieves all target entities from the current - context. + 1. The action iterates through all target entities provided in the playbook. - 2. **Path Analysis**: For each entity, it examines the identifier to detect the - path format (Windows vs. Unix). + 2. For each entity, it uses `ntpath` (for Windows-style paths) or `os.path` (for + POSIX-style paths) to parse the identifier. - 3. **Extraction**: It utilizes path-parsing libraries to split the identifier - into `file_path`, `file_name`, and `file_extension`. + 3. It extracts the `file_name`, `file_path`, and `file_extension` from the identifier. - 4. **Internal Mutation**: If parsing is successful, it updates the entity's `additional_properties` - with the extracted values. + 4. The extracted details are added to the entity's `additional_properties`. - 5. **Update and Report**: It updates the entities within Google SecOps and returns - a JSON result mapping identifiers to their parsed details. + 5. The action updates the entities in the SOAR platform and adds a JSON result + containing the parsed information. capabilities: can_create_case_comments: false can_create_insight: false @@ -648,10 +822,18 @@ Enrich FileName Entity with Path: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates entity additional properties with parsed file path, name, and extension - metadata derived from the entity identifier. + Updates the entity's `additional_properties` with parsed file path details. + reasoning: >- + The action performs local string manipulation on entity identifiers to extract + file path components. It updates the entity's `additional_properties` within + the SOAR platform. It does not interact with external systems or fetch external + data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action updates entity attributes (enriching the entity's profile) without + modifying external systems or fetching external data. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -702,30 +884,77 @@ Enrich FileName Entity with Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering. + Therefore, it is technically applicable to all entity types, although it is + logically intended for file-related entities. Enrich Source and Destinations: - ai_description: "### General Description\nThis action enriches entities within a\ - \ Google SecOps alert by identifying their roles as network sources or destinations.\ - \ It retrieves contextual data from the Chronicle Investigator API to determine\ - \ which identifiers are associated with source and destination activities and\ - \ then updates the corresponding entities in the SOAR with specific flags.\n\n\ - ### Parameters\nThere are no user-configurable parameters for this action. It\ - \ automatically processes entities based on the context of the current alert.\n\ - \n### Additional Notes\n- This action specifically targets entities associated\ - \ with the current alert being processed.\n- It relies on the `get_investigator_data`\ - \ method to fetch the underlying security event details from Google SecOps.\n\ - - The enrichment is internal to the SOAR, adding `isSource` or `isDest` attributes\ - \ to the entity's additional properties.\n\n### Flow Description\n1. **Fetch Alert\ - \ Context**: The action calls the Chronicle Investigator API to retrieve the full\ - \ JSON representation of the current alert.\n2. **Identify Roles**: It parses\ - \ the alert data (specifically looking at `securityEventCards` or field groups)\ - \ to extract lists of identifiers categorized as 'sources' and 'destinations'.\n\ - 3. **Match Entities**: The action iterates through all entities associated with\ - \ the current alert.\n4. **Apply Enrichment**: \n - If an entity's identifier\ - \ matches a 'source' from the API data, the property `isSource: true` is added\ - \ to the entity.\n - If an entity's identifier matches a 'destination' from\ - \ the API data, the property `isDest: true` is added to the entity.\n5. **Update\ - \ SOAR**: The modified entities are updated within the Google SecOps platform\ - \ to reflect these new attributes." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds contextual metadata ('isSource' or 'isDest') to entities, which + aligns with the 'Enrich Asset' category. It does not fetch threat intelligence + (Enrich IOC), nor does it perform any other listed operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Enriches entities within the current alert by identifying them as sources or destinations + based on the alert's event data. This action parses the alert's security event + cards to extract source and destination identifiers, then updates the corresponding + entities in the SOAR platform with contextual metadata. + + + ### Flow Description + + 1. **Fetch Alert Data**: Retrieves the current alert's details from the SOAR platform + using `get_investigator_data`. + + 2. **Parse Event Data**: Extracts lists of source and destination identifiers + from the alert's `securityEventCards` or fields. + + 3. **Identify Entities**: Iterates through all entities associated with the current + alert. + + 4. **Update Entities**: Compares entity identifiers against the extracted source + and destination lists. If a match is found, it updates the entity's `additional_properties` + with `isSource: "true"` or `isDest: "true"`. + + 5. **Commit Changes**: Updates the modified entities in the SOAR platform. + + + ### Parameters + + There are no input parameters for this action. + + + ### Additional Notes + + This action performs internal enrichment by updating entity attributes based on + existing alert data. It does not interact with external systems. capabilities: can_create_case_comments: false can_create_insight: false @@ -736,10 +965,17 @@ Enrich Source and Destinations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with 'isSource' or 'isDest' flags based - on the alert context retrieved from the investigator API. + Updates entity 'additional_properties' to include 'isSource' or 'isDest' flags. + reasoning: >- + The action fetches alert data from the internal SOAR platform to identify sources + and destinations. It then updates the entity's `additional_properties` attribute + within the SOAR platform. It does not interact with or mutate any external systems. categories: enrichment: true + reasoning: >- + The action fetches internal alert data and updates entity attributes (enrichment). + It does not mutate external systems, nor does it perform forbidden internal + mutations. It meets the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -778,11 +1014,11 @@ Enrich Source and Destinations: - USB - USERUNIQNAME filters_by_additional_properties: false - filters_by_alert_identifier: true + filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -790,40 +1026,63 @@ Enrich Source and Destinations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all entities in the current alert using `get_alert_entities(siemplify)` + and updates those that match the source or destination identifiers found in + the alert data. It does not apply any type-based filtering, so it supports all + entity types. Mark Entity as Suspicious: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the `is_suspicious` flag on entities within the SOAR platform. + It does not match any of the provided categories, as it is an internal entity + update rather than an enrichment, containment, or ticket management action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Marks all entities within the current scope as suspicious. This is an internal - utility action used to flag entities for further investigation or to trigger specific - playbooks based on the suspicious status within Google SecOps. + Marks entities as suspicious within the Google SecOps platform. This action updates + the `is_suspicious` attribute of all entities in the current scope to `True`. - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes + ### Flow - This action does not interact with any external services. It only modifies the - internal state of entities within Google SecOps. It processes all entities in - the scope regardless of their type. + 1. Iterate through all entities provided in the action's scope. + 2. Update the `is_suspicious` attribute of each entity to `True`. - ### Flow Description + 3. Update the entities in the SecOps platform using `siemplify.update_entities`. - 1. **Retrieve Entities**: The action accesses the list of target entities in the - current scope. + 4. Return a completion message indicating the number of entities updated. - 2. **Flag Entities**: It iterates through every entity and sets its `is_suspicious` - attribute to `True`. - 3. **Update Platform**: The action sends the updated entity objects back to Google - SecOps to persist the changes. + ### Parameters - 4. **Finalize**: It reports the total number of entities successfully marked as - suspicious and completes the execution. + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -834,10 +1093,17 @@ Mark Entity as Suspicious: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of entities within the Google SecOps case - to True. + Updates the `is_suspicious` flag of entities within the SOAR platform. + reasoning: >- + The action iterates over `siemplify.target_entities` and sets `entity.is_suspicious + = True`. It then calls `siemplify.update_entities(updated_entities)`. It does + not fetch data from external sources, nor does it mutate external systems. It + only modifies the internal entity state within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, which is + a requirement for an enrichment action. Therefore, it is not classified as enrichment. entity_usage: entity_types: - ADDRESS @@ -888,35 +1154,48 @@ Mark Entity as Suspicious: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it processes all entity types provided in the scope. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined product category operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps (Chronicle) environment and the integration's execution - context. It serves as a health check to ensure that the integration is correctly - configured and reachable within the SOAR platform. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify action module to establish - a session. - - 2. **Connectivity Confirmation**: The action immediately terminates with a success - status and a message indicating that the connection is active ('Siemplify is connected'). - - - ### Additional Notes - - This action does not perform any data retrieval from external sources, nor does - it interact with or modify any entity data or case information. It is strictly - used for configuration validation. + This action verifies the connectivity between the Google SecOps SOAR platform + and the integration. It serves as a health check to ensure the integration is + properly configured and reachable. ### Parameters There are no parameters for + this action. ### Flow Description 1. The action initializes the SiemplifyAction + module. 2. It immediately terminates the execution with a success message, confirming + that the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -927,8 +1206,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple connectivity check. It does not fetch data, mutate external + or internal systems, or interact with entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the guidelines, Ping actions are explicitly + excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -944,15 +1229,50 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference target_entities or perform any operations on entities. Whois: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, registration, and geolocation data for indicators + (IPs, Domains). This directly matches the 'Enrich IOC' category. It does not + perform containment, ticketing, or other management operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Whois** action queries WHOIS and RDAP servers to retrieve registration and - ownership information for various entity types, including IP Addresses, Domains, - URLs, and Email addresses. It provides critical context regarding domain age, - registrar details, and geographic location for IP addresses to assist in threat - analysis. + The Whois action queries WHOIS servers and IP geolocation services to retrieve + registration and location information for various entity types, including IP Addresses, + URLs, Email addresses, and Domains. It enriches these entities with metadata such + as geolocation (city, country, coordinates) and domain registration details (creation + date, age). Additionally, it supports the creation of linked DOMAIN entities and + can mark entities as suspicious based on a configurable domain age threshold. ### Parameters @@ -961,49 +1281,48 @@ Whois: | :--- | :--- | :--- | :--- | - | Create Entities | boolean | No | If set to `true`, the action extracts the root - domain from URLs or Email addresses and creates a new, linked DOMAIN entity within - the case. Default is `true`. | + | Create Entities | boolean | false | If set to true, the action will create and + link new DOMAIN entities to the original URL, Email, or User entities. | - | Domain Age Threshold | string | No | A threshold in days. If a domain's age - is less than this value, the entity is marked as suspicious. A value of 0 or empty - disables this check. | + | Domain Age Threshold | string | false | Domains with an age (in days) less than + this value will be marked as suspicious. | - ### Flow Description + ### Additional Notes - 1. **Entity Identification**: The action iterates through all target entities - in the current context. + - The action processes entities based on their type. IP Addresses are processed + via RDAP and geolocation services, while other types (Domains, URLs, Emails) are + processed via WHOIS lookups. - 2. **IP Enrichment**: For `ADDRESS` entities, it performs an RDAP lookup and a - geographic lookup (via DB-IP) to identify the owner, ASN, and physical location. + - If 'Create Entities' is enabled, the action may generate new DOMAIN entities + in the case. - 3. **Domain/URL/Email Processing**: For other entities, it extracts the registered - domain using the `tldextract` library. - 4. **WHOIS Query**: It performs a WHOIS lookup for the extracted domain to retrieve - creation dates, expiration dates, and registrar information. + ### Flow Description - 5. **Entity Creation**: If the `Create Entities` parameter is enabled and a new - domain is identified (e.g., extracted from a URL or Email), a new `DOMAIN` entity - is created and linked to the source entity. + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters ('Create Entities', 'Domain Age Threshold'). - 6. **Risk Assessment**: The action calculates the domain age in days. If the age - is below the user-defined `Domain Age Threshold`, the entity's `is_suspicious` - attribute is set to `true`. + 2. **Entity Processing**: The action iterates through all target entities in the + case. - 7. **Data Update**: All retrieved information is flattened and added to the entities' - additional properties with a `WHOIS` prefix. The entities are then marked as enriched - and updated in the system. + 3. **IP Enrichment**: If the entity is an 'ADDRESS', it performs an RDAP lookup + and retrieves geolocation data using the `DbIpCity` service. + 4. **Domain/Other Enrichment**: If the entity is not an 'ADDRESS', it extracts + the domain and performs a WHOIS lookup. It calculates the domain age in days. - ### Additional Notes + 5. **Entity Creation**: If 'Create Entities' is enabled, it creates a new DOMAIN + entity linked to the original entity. - - This action requires outbound network access to WHOIS/RDAP servers and the DB-IP - API. + 6. **Entity Update**: The action updates the original entities with the retrieved + WHOIS and geolocation data in their `additional_properties`. - - The `Domain Age Threshold` parameter is processed as an integer; ensure numeric - values are provided. + 7. **Suspicious Marking**: If the domain age is below the 'Domain Age Threshold', + the entity is marked as suspicious. + + 8. **Finalization**: The action updates the entities in the SOAR platform and + adds the full result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1014,12 +1333,20 @@ Whois: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates new DOMAIN entities and establishes relationships between - them and the original entities. It also updates existing entities by setting - 'is_suspicious' based on domain age, marking them as 'is_enriched', and adding - WHOIS/Geo-location data to their additional properties. + The action creates new DOMAIN entities and updates existing entities with enriched + metadata (WHOIS/Geo) and suspicious status. + reasoning: >- + The action fetches external data (WHOIS, IP geolocation) and updates internal + SOAR entities (adding properties, marking as suspicious, creating new entities). + It does not mutate external systems (read-only). It performs internal mutations + by creating and updating entities. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (WHOIS/Geo) for entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating entities). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -1039,3 +1366,8 @@ Whois: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target entities. It explicitly checks for 'ADDRESS' + entity types to apply specific logic, while treating others as domains. It supports + ADDRESS, DOMAIN, DestinationURL, and USERUNIQNAME types based on the description + and logic. diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f526738d8 --- /dev/null +++ b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides a suite of utility actions for enriching entities within + the SOAR platform. The 'Whois' action performs external lookups for IP and domain + registration and geolocation data, which qualifies it for the 'Threat Intelligence' + category as it provides reputation-related context for external indicators. Several + other actions, such as 'Enrich Entity from Explorer Attributes', 'Enrich Source + and Destinations', and 'Enrich Entity From Event Field', retrieve internal context + (from security events or the entity explorer) to populate entity metadata. This + aligns with the 'Asset Inventory' category, as these actions provide deeper context + about the assets involved in an investigation. The integration does not perform + actions related to SIEM (log searching), EDR (host containment), Network Security + (blocking traffic), Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, + or Collaboration. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml index de6d5520a..3f743586f 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml @@ -1,56 +1,80 @@ Add Attachment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds an attachment to the case wall. This does not align with any + of the provided categories (e.g., Enrich IOC, Create Ticket, etc.), as it is + a specific case management utility. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Attachment** action allows users to upload and attach files directly - to the case wall within Google SecOps. This utility is designed to facilitate - evidence preservation and documentation by allowing users to provide file content - in Base64 format, which is then stored as a formal attachment within the context - of the current case. + This action adds a file attachment to the Google SecOps case wall. It allows users + to upload files (provided as Base64 encoded strings) directly to the case, facilitating + evidence management and documentation within the platform. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action retrieves the provided parameters: Name, Base64 Blob, Type, Description, + and IsFavorite status. - | :--- | :--- | :--- | :--- | + 2. It constructs a `CaseWallAttachment` object using the provided details and + the current case identifier. - | Name | string | Yes | The name of the attachment file as it will appear on the - case wall. | + 3. The action calls the internal SOAR API `save_attachment_to_case_wall` to upload + the file to the case wall. - | IsFavorite | boolean | No | If set to `true`, the attachment will be marked - as a favorite or important item in the case wall. Defaults to `false`. | + 4. Upon success, it returns the attachment metadata as a JSON result. - | Base64 Blob | string | Yes | The actual content of the file, encoded in Base64 - format. | - | Type | string | Yes | The file extension or type (e.g., .txt, .pdf, .png). | + ### Parameters Description - | Description | string | Yes | A descriptive note providing context or details - about the attachment. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Name | string | Yes | The name of the attachment. | - 1. **Input Retrieval**: The action extracts the file name, Base64-encoded content, - file type, and description from the user-provided parameters. + | Base64 Blob | string | Yes | The attachment's content encoded in Base64. | - 2. **Data Modeling**: It initializes a `CaseWallAttachment` object, associating - the file data with the current case's unique identifier. + | Type | string | Yes | The file extension or type (e.g., .txt). | - 3. **Internal API Interaction**: The action calls the internal Google SecOps API - (via `save_attachment_to_case_wall`) to upload the file content and metadata to - the case wall. + | Description | string | Yes | A description of the attachment. | - 4. **Response Handling**: It processes the response from the internal API, transforms - it into a structured JSON result containing attachment metadata (like `evidenceId` - and `creationTime`), and marks the action as successfully completed. + | IsFavorite | boolean | No | Whether the attachment is marked as a favorite in + the case wall. Defaults to false. | ### Additional Notes - This action is a local utility and does not communicate with external third-party - services. It strictly modifies internal case data by adding attachments. + This action does not interact with external systems and is strictly used for internal + case management within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,9 +85,16 @@ Add Attachment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a file attachment to the case wall of the current Google SecOps case. + Adds a new attachment to the case wall within the SOAR platform. + reasoning: >- + The action interacts with the internal SOAR API to upload a file to the case + wall. It does not fetch external data or mutate external systems. It mutates + internal SOAR data by creating a new attachment record. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment tasks. It is a utility action for case management. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -79,59 +110,77 @@ Add Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on specific entities; it operates on the case level + using the case identifier. Add Entity to File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a local file operation to append entity identifiers. It + does not interact with any external security products, ticketing systems, or + identity providers, nor does it modify alert or case data. Therefore, it does + not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Entity to File** action appends the unique identifiers of target entities - to a local text file stored on the SOAR runner. This utility is primarily used - for state management, such as tracking which entities have already been processed - or creating simple local blocklists/allowlists within a playbook's lifecycle. - It ensures that each entity identifier is only recorded once in the specified - file. + This action appends the identifier of target entities to a specified local file + on the SOAR server. It ensures uniqueness by checking if the entity identifier + already exists in the file before adding it. This is useful for maintaining local + lists of entities for further processing or auditing. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Filename** | String | Yes | The name of the file (e.g., `processed_entities.txt`) - where the entity identifiers will be stored. Files are stored in the `/tmp/` directory - of the runner. | + | Filename | string | Yes | The name of the file to write the entities to. | ### Flow Description - 1. **Initialization**: The action retrieves the `Filename` parameter and constructs - the full file path in the `/tmp/` directory. - - 2. **File Locking**: It utilizes a file-locking mechanism (`EntityFileManager`) - to ensure thread-safe operations, preventing concurrent actions from corrupting - the file. - - 3. **Deduplication Check**: The action reads the existing contents of the file - and compares them against the identifiers of the `target_entities` provided in - the current context. - - 4. **Update**: If an entity identifier is not already present in the file, it - is appended to the list. + 1. Extract the `Filename` parameter from the action configuration. - 5. **Persistence**: The updated list of identifiers is written back to the file, - and the file lock is released. + 2. Initialize the `EntityFileManager` to handle file locking and access, ensuring + thread-safe operations. - 6. **Result Reporting**: The action provides an output message detailing which - entities were added and which were already present. If any entity was already - in the file, the action's result value is set to `False`. + 3. Iterate through the `target_entities` provided in the action. + 4. For each entity, check if its identifier is already present in the file. - ### Additional Notes + 5. If the identifier is not present, append it to the file. - - This action operates strictly on the local file system of the execution environment - and does not interact with external APIs. + 6. If the identifier is already present, log the occurrence and skip adding it. - - It does not modify Google SecOps case, alert, or entity metadata. + 7. Finalize the action with a summary of added entities and the execution status. capabilities: can_create_case_comments: false can_create_insight: false @@ -142,8 +191,17 @@ Add Entity to File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local file operation on the SOAR server. It does not fetch + data from external APIs (fetches_data=false), does not mutate external systems + (can_mutate_external_data=false), and does not modify SOAR case data such as + entities, insights, or alert data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, nor does + it perform any enrichment. It performs a local file operation, which does not + meet the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -194,58 +252,85 @@ Add Entity to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it processes all entity types provided in the action. Count Files: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for counting files on the local filesystem. It does + not perform any of the defined product category operations such as enrichment, + containment, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Count Files** action is a utility designed to count the number of files - within a specified directory on the local filesystem. It allows users to filter - files by a specific extension and optionally perform a recursive search through - subdirectories. This is particularly useful for automated workflows that need - to verify the presence or volume of specific file types (e.g., logs, temporary - files, or artifacts) as part of an investigation or maintenance task. - + The 'Count Files' action performs a local filesystem operation to count the number + of files within a specified directory that match a given file extension. This + utility action is useful for verifying the presence or volume of files on the + SOAR worker node. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Folder** | String | Yes | The absolute or relative directory path where the - file count should be performed. | + 1. **Parameter Extraction**: The action retrieves the 'Folder' path, 'Is Recursive' + flag, and 'File Extension' from the action configuration. - | **File Extension** | String | No | A glob-style pattern to filter files (e.g., - `*.txt`, `*.log`). If not provided, it defaults to `*.*` (all files). | + 2. **Path Construction**: It constructs the full search path using the provided + folder and extension (defaulting to '*.*' if no extension is provided). - | **Is Recursive** | Boolean | No | If set to `true`, the action will search for - files in the specified folder and all its subfolders. Defaults to `false`. | + 3. **File Counting**: It utilizes the `glob` library to identify and count all + files matching the criteria, optionally traversing subdirectories if 'Is Recursive' + is enabled. + 4. **Result Reporting**: The action returns the total count of files found as + the execution result. - ### Additional Notes - - The action uses the Python `glob` library to resolve file paths. + ### Parameters - - If the provided `Folder` path does not exist or is inaccessible, the action - will return a count of 0 or may fail depending on environment permissions. + | Parameter | Type | Mandatory | Description | - - This action does not interact with SecOps entities (IPs, Hostnames, etc.) and - operates strictly on the filesystem path provided. + | :--- | :--- | :--- | :--- | + | Folder | string | Yes | The absolute or relative path of the folder to search. + | - ### Flow Description + | File Extension | string | No | The file extension to filter by (e.g., '*.txt'). + Defaults to '*.*'. | - 1. **Parameter Extraction:** The action retrieves the `Folder`, `File Extension`, - and `Is Recursive` flag from the input parameters. + | Is Recursive | boolean | No | If enabled, the action will recursively count + files in all subdirectories. Defaults to 'false'. | - 2. **Pattern Construction:** If no file extension is provided, it defaults to - `*.*`. It then combines the folder path and the extension into a full search pattern. - 3. **File Discovery:** The action uses the `glob.glob` method with the specified - recursion flag to find all matching file paths. + ### Additional Notes - 4. **Counting and Completion:** It calculates the length of the resulting list - of files and returns this integer as the final result to the SOAR platform. + This action operates strictly on the local filesystem of the SOAR worker node + and does not interact with external APIs or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -254,10 +339,19 @@ Count Files: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local filesystem operation using the `glob` library to + count files. It does not interact with any external APIs, modify external systems, + or update internal SOAR data (entities, insights, or comments). Therefore, it + has no mutation or enrichment capabilities. categories: enrichment: false + reasoning: >- + The action does not fetch contextual data for entities or alerts, nor does it + modify internal or external state. It is a utility action for local file counting + and does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -273,48 +367,103 @@ Count Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities` or any entity-related data + models. It operates solely on a provided file path string. Create Archive: - ai_description: "### General Description\nThis action creates compressed archive\ - \ files from a specified list of files or a directory located on the Google SecOps\ - \ server. It supports multiple archive formats including ZIP and various TAR configurations.\ - \ The resulting archive is stored in a predefined local directory on the server,\ - \ and the action returns the full path to the created file.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Archive Type | Dropdown | Yes | The compression format to use.\ - \ Supported values: `zip`, `tar` (uncompressed), `gztar` (gzip), `bztar` (bzip2),\ - \ and `xztar` (xz). |\n| Archive Base Name | String | Yes | The name of the archive\ - \ file to be created (do not include the file extension). |\n| Archive Input |\ - \ String | Yes | A comma-separated list of absolute file paths or a single absolute\ - \ directory path to be included in the archive. |\n\n### Additional Notes\n- The\ - \ action operates on the local filesystem of the Google SecOps (Siemplify) server.\ - \ \n- The output directory is hardcoded to `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`.\ - \ If this directory does not exist, the action attempts to create it.\n- If a\ - \ list of files is provided, the action creates a temporary directory to stage\ - \ the files before archiving.\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ Retrieves the archive type, base name, and input paths from the action configuration.\n\ - 2. **Directory Validation**: Checks for the existence of the destination directory\ - \ on the server and creates it if necessary.\n3. **Input Processing**: \n -\ - \ If the input is a directory, it prepares to archive the directory directly.\n\ - \ - If the input is a list of files, it copies them to a temporary system directory.\n\ - 4. **Archive Creation**: Uses the Python `shutil` library to generate the archive\ - \ file in the specified format.\n5. **Cleanup**: If a temporary directory was\ - \ used for individual files, it is deleted after the archive is created.\n6. **Completion**:\ - \ Returns the path of the generated archive and provides a JSON result indicating\ - \ success." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a file utility for creating archives. It does not perform any + of the listed security operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action creates an archive file (e.g., zip, tar) from a provided list of files + or a directory. It is a utility action designed to package data for further processing + or storage. + + + ### Flow Description + + 1. Extract parameters: `Archive Type`, `Archive Input`, and `Archive Base Name`. + + 2. Validate and create the destination directory if it does not exist. + + 3. If the input is a directory, archive it directly. + + 4. If the input is a list of files, copy them to a temporary directory, archive + the temporary directory, and then remove the temporary directory. + + 5. Return the path of the created archive file. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Archive Type | ddl | Yes | The format of the archive to create (zip, tar, gztar, + bztar, xztar). | + + | Archive Base Name | string | Yes | The name of the archive file to be created, + excluding the extension. | + + | Archive Input | string | Yes | A comma-delimited list of files or a directory + path to be archived. | + + + ### Additional Notes + + This action performs local file system operations on the SOAR server. It does + not interact with external APIs or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - The action creates new archive files and potentially new directories within - the Google SecOps server's local filesystem at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives. + internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (creating an archive) on the + SOAR server. It does not interact with external APIs, fetch data, or modify + SOAR case data/entities. categories: enrichment: false + reasoning: >- + The action is a file utility that creates archives. It does not fetch data from + external sources, nor does it modify internal SOAR data or entities. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -330,68 +479,58 @@ Create Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on file paths provided + as input parameters. Create Hash From Base64: - ai_description: >- - ### General Description - - This action converts Base64 encoded strings into cryptographic hashes. It is a - utility tool used to generate file-like identifiers (MD5, SHA1, SHA256, etc.) - from encoded data provided as input. This is particularly useful for processing - file content extracted from emails or other sources where the raw data is available - in Base64 format. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Base64 | Content | Yes | One or more Base64 encoded strings to be hashed, separated - by the 'Base64 Separator'. | - - | Hash Algorythm | DDL | Yes | The cryptographic hashing algorithm to apply (e.g., - md5, sha1, sha256, sha512). | - - | Names | String | No | A list of names (e.g., filenames) corresponding to the - Base64 strings, separated by the 'Names Separator'. | - - | Names Separator | String | Yes | The character used to split the 'Names' parameter - (default is ','). | - - | Include Base64 | Boolean | No | If true, the original Base64 string will be - included in the JSON output. | - - | Base64 Separator | String | Yes | The character used to split the 'Base64' parameter - (default is ','). | - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `Base64` input and splits it into - a list using the `Base64 Separator`. If the `Names` parameter is provided, it - is also split using the `Names Separator`. - - 2. **Decoding**: Each string in the `Base64` list is decoded from Base64 into - raw bytes using the Python `base64` library. - - 3. **Hashing**: The specified `Hash Algorythm` is dynamically invoked from the - `hashlib` library and applied to the decoded bytes to generate a hexadecimal digest. - - 4. **Result Construction**: A dictionary is created for each item containing the - generated hash, the algorithm used, and the associated name (if provided). If - `Include Base64` is set to true, the original encoded string is also included - in the dictionary. - - 5. **Output**: The resulting list of dictionaries is added to the action's JSON - results and the script result. - - - ### Additional Notes - - If the `Names` parameter is provided, it should ideally contain the same number - of items as the `Base64` parameter to ensure correct one-to-one mapping in the - output. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a local computation (hashing) on provided input strings. + It does not interact with external systems, fetch threat intelligence, or modify + case data. It does not fit any of the defined categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "This action calculates cryptographic hashes for provided base64-encoded\ + \ strings. It is a utility action used to generate hashes (e.g., MD5, SHA256)\ + \ from raw data represented in base64 format. \n\n### Parameters\n| Name | Type\ + \ | Mandatory | Description |\n| --- | --- | --- | --- |\n| Base64 | content |\ + \ Yes | One or more base64 encoded strings. Strings should be separated by the\ + \ defined separator. |\n| Hash Algorythm | ddl | Yes | The algorithm to use (e.g.,\ + \ sha1, sha256, md5). |\n| Names | string | No | List of names identifying the\ + \ base64 strings. |\n| Names Separator | string | Yes | A character to separate\ + \ the list of names by. |\n| Include Base64 | boolean | No | Include the base64\ + \ input strings in the output. |\n| Base64 Separator | string | Yes | A character\ + \ to separate the base64 strings by. |\n\n### Flow Description\n1. The action\ + \ accepts base64 strings and a hash algorithm as input parameters.\n2. It decodes\ + \ the provided base64 strings.\n3. It computes the hash of the decoded data using\ + \ the specified algorithm (e.g., sha1, sha256, md5).\n4. The action returns the\ + \ resulting hashes, optionally including the original base64 strings and associated\ + \ names, in the action results." capabilities: can_create_case_comments: false can_create_insight: false @@ -402,8 +541,16 @@ Create Hash From Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local cryptographic hash calculation on provided input + strings. It does not fetch data from external sources, mutate external systems, + or modify internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source; it performs + a local computation on provided input parameters. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -419,52 +566,75 @@ Create Hash From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates solely on input parameters provided by the user and does + not interact with the `siemplify.target_entities` object. Therefore, it does + not process any entity types. Decode Base64: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for decoding strings. It does not perform any of the + defined product-specific operations such as enrichment, containment, ticketing, + or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Decode Base64** action is a utility designed to convert Base64-encoded strings - back into their original text format. It allows users to specify the character - encoding (UTF-8 or ASCII) to ensure the decoded content is interpreted correctly. - This is particularly useful for decoding data found in logs, email headers, or - payloads that are often obfuscated or transmitted in Base64 format. + The Decode Base64 action is a utility tool designed to decode a Base64 encoded + string into its original format. It allows users to specify the input string and + the character encoding to be used during the decoding process. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base64 Input | String | Yes | The Base64 encoded string that needs to be decoded. + | Base64 Input | string | Yes | The Base64 encoded string that needs to be decoded. | - | Encoding | DDL | Yes | The character encoding to use for the decoded string. - Options include **UTF-8** and **ASCII**. | - - - ### Additional Notes - - - This action does not interact with external APIs; it performs the decoding logic - locally within the execution environment. - - - If the input string is not a valid Base64 sequence or the encoding fails, the - action will return a failure status. + | Encoding | ddl | Yes | The character encoding to use for the decoded string + (e.g., UTF-8, ASCII). | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Base64 Input` string and - the selected `Encoding` from the user input. + 1. The action retrieves the 'Base64 Input' string and the 'Encoding' type from + the provided parameters. - 2. **Decoding**: It uses the standard Base64 library to decode the input string - into a byte object. + 2. It attempts to decode the Base64 input using the specified encoding. - 3. **String Conversion**: The byte object is converted into a string using the - specified encoding (UTF-8 or ASCII). + 3. If successful, it returns the decoded content as a JSON object in the action + results. - 4. **Result Output**: The decoded string is packaged into a JSON object and returned - as the action's result. + 4. If an error occurs during decoding, the action fails and returns an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -475,8 +645,15 @@ Decode Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string manipulation (Base64 decoding). It does not + interact with external systems, fetch data, or modify internal SOAR data (entities, + insights, comments). It only returns a result JSON to the playbook. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (decoding). It does not fetch + data from external sources, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -492,69 +669,95 @@ Decode Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Extract Archive: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action extracts files from an archive. It does not match any of the defined + product categories (Enrichment, Containment, Ticket Management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Extracts archive files (zip, tar, gztar, bztar, xtar) to a designated directory + on the server. This utility action simplifies the process of accessing contents + within compressed files for further analysis or processing within the SOAR environment. - The **Extract Archive** action is a utility designed to decompress archive files - located on the local filesystem of the Google SecOps server. It supports multiple - formats including ZIP, TAR, GZTAR, BZTAR, and XTAR. The action is primarily used - to prepare files for further analysis by expanding their contents into a structured - directory and providing a detailed map of the extracted files. + ### Flow Description - ### Parameters Description + 1. The action parses the `Archive` parameter to retrieve a list of file paths. - | Parameter | Type | Mandatory | Description | + 2. It iterates through each provided archive path. - | :--- | :--- | :--- | :--- | + 3. A target directory is created for each archive to store the extracted contents. - | **Archive** | String | Yes | A comma-separated list of absolute file paths to - the archives that need to be extracted. Example: `/tmp/data.zip, /tmp/logs.tar.gz`. - | + 4. The action uses `shutil.unpack_archive` to extract the contents of the archive. + 5. A JSON structure is generated, detailing the extracted files and their paths. - ### Flow Description + 6. The final result is returned to the SOAR platform using `add_result_json`. - 1. **Input Parsing**: The action retrieves the `Archive` parameter and splits - it into a list of individual file paths. - 2. **Directory Preparation**: For each archive path provided, the action creates - a specific destination directory within the predefined path `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract` - based on the archive's name. + ### Parameters - 3. **Extraction**: It uses the Python `shutil` library to unpack the archive contents - into the newly created destination directory. + | Parameter | Type | Mandatory | Description | - 4. **Structure Mapping**: The action recursively traverses the extracted directory - to build a hierarchical dictionary (JSON) representing the file structure, including - file names, types, extensions, and full paths. + | :--- | :--- | :--- | :--- | - 5. **Result Compilation**: It aggregates the success status, folder location, - and file lists for all processed archives into a single JSON result and provides - an output message summarizing the operation. + | Archive | string | Yes | The path of the archive to be extracted. Supports comma-delimited + paths. | ### Additional Notes - - This action performs operations on the local filesystem of the SOAR execution - environment. - - - It does not interact with external APIs or modify case entities directly. + This action performs local file system operations on the SOAR server. It does + not interact with external systems or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - Creates directories and extracts files onto the local filesystem of the Google - SecOps server environment. + internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (extracting archives) on the + SOAR server. It does not interact with external APIs, modify SOAR case data, + or update entities. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it perform + any of the allowed internal mutations (creating insights, updating entities, + adding comments). It is a utility action for file extraction. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -570,78 +773,77 @@ Extract Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any SOAR entity + objects. It operates on file paths provided as parameters. Extract Zip Files: - ai_description: >- - ### General Description - - This action extracts files from ZIP archives associated with `FILENAME` entities - within a Google SecOps case. It is designed to handle password-protected archives - through either a provided list of passwords or a brute-force approach. The action - can automatically enrich the case by adding the extracted files back to the case - wall and creating new entities for the extracted files and their corresponding - hashes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Include Data In JSON Result | boolean | No | If set to `true`, the base64 encoded - content of the extracted files will be included in the action's JSON output. Default - is `false`. | - - | Create Entities | boolean | No | If set to `true`, the action will create new - `FILENAME` and `FILEHASH` entities for every file extracted from the archive. - Default is `true`. | - - | Zip File Password | string | No | A string containing one or more passwords - used to attempt extraction of protected ZIP files. | - - | BruteForce Password | boolean | No | If set to `true`, the action will attempt - to brute-force the ZIP password using a built-in wordlist if the provided passwords - fail. Default is `false`. | - - | Add to Case Wall | boolean | No | If set to `true`, the extracted files will - be uploaded as new attachments to the case wall. Default is `true`. | - - | Zip Password List Delimiter | string | Yes | The character used to separate - multiple passwords provided in the 'Zip File Password' parameter (e.g., a comma). - | - - - ### Additional Notes - - * The action specifically targets `FILENAME` entities that possess an `attachment_id` - attribute in their additional properties. This ID is required to retrieve the - file from the SOAR's internal storage. - - * When creating entities, the action also generates relationships between the - extracted files and the original ZIP archive or the relevant email subject. - - - ### Flow Description - - 1. **Identification**: The action iterates through all `FILENAME` entities in - the current context, looking for those with an `attachment_id`. - - 2. **Retrieval**: For each valid entity, it downloads the associated file content - from the Google SecOps attachment service. - - 3. **Extraction**: It verifies if the file is a valid ZIP archive and attempts - to extract its contents. If the ZIP is encrypted, it uses the provided passwords - (split by the delimiter) and/or performs a brute-force attack if enabled. - - 4. **Internal Mutation (Case Wall)**: If 'Add to Case Wall' is enabled, each extracted - file is uploaded back to the case as a new attachment. - - 5. **Internal Mutation (Entities)**: If 'Create Entities' is enabled, the action - creates new `FILENAME` entities for the extracted files and `FILEHASH` entities - for their MD5 hashes, establishing parent-child relationships where applicable. - - 6. **Output**: The action returns a JSON summary of the extracted files, including - metadata like size, MIME type, and hashes (MD5, SHA1, SHA256, SHA512). + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action extracts files from a ZIP archive and manages them within the SOAR + platform (adding to case wall, creating entities). It does not match any of + the predefined product categories such as 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action extracts files from ZIP archives\ + \ that are attached to FILENAME entities within the case. It supports password-protected\ + \ ZIP files by allowing users to provide a specific password or by enabling a\ + \ brute-force mechanism using a predefined wordlist. The action can optionally\ + \ add the extracted files to the Case Wall and create new entities for the extracted\ + \ files, linking them to the original ZIP file.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `AttachmentsManager` and retrieves configuration\ + \ parameters.\n2. **Entity Filtering**: It iterates through the `target_entities`\ + \ and filters for those with `entity_type` equal to `FILENAME` that contain an\ + \ `attachment_id` in their `additional_properties`.\n3. **Extraction**: For each\ + \ valid entity, it downloads the attachment from the Case Wall, checks if it is\ + \ a valid ZIP file, and extracts the contents. If password protection is encountered,\ + \ it attempts to unlock the file using the provided password or the brute-force\ + \ list.\n4. **Case Wall & Entity Management**: \n - If `Add to Case Wall` is\ + \ enabled, extracted files are uploaded as new attachments to the case.\n -\ + \ If `Create Entities` is enabled, new entities are created for the extracted\ + \ files and linked to the parent file.\n5. **Result Generation**: The action returns\ + \ a JSON result containing the extracted file metadata (and optionally the raw\ + \ data) and updates the original entities with new properties if applicable.\n\ + \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Include Data In JSON Result | boolean | false | If true,\ + \ includes the base64 encoded data of the extracted files in the action's JSON\ + \ result. |\n| Create Entities | boolean | false | If true, creates new entities\ + \ for the extracted files. |\n| Zip File Password | string | false | A password\ + \ or list of passwords (separated by the delimiter) to attempt extraction of password-protected\ + \ ZIP files. |\n| BruteForce Password | boolean | false | If true, attempts to\ + \ brute-force password-protected ZIP files using a built-in wordlist. |\n| Add\ + \ to Case Wall | boolean | false | If true, adds the extracted files as attachments\ + \ to the case wall. |\n| Zip Password List Delimiter | string | true | The character\ + \ used to separate multiple passwords in the 'Zip File Password' parameter. |\n\ + \n### Additional Notes\n- The action requires the `FILENAME` entity to have an\ + \ `attachment_id` attribute to successfully download the file from the Case Wall.\n\ + - If `Create Entities` is enabled, the action will create new entities and link\ + \ them to the parent file or email subject if applicable." capabilities: can_create_case_comments: false can_create_insight: false @@ -652,10 +854,22 @@ Extract Zip Files: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds extracted files as new attachments to the case wall and creates - new FILENAME and FILEHASH entities within the Google SecOps case environment. + The action adds new attachments to the case wall and creates new entities within + the SOAR platform. + reasoning: >- + The action fetches attachment data from the SOAR platform (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It performs + internal mutations by adding attachments to the case wall and creating new entities + (can_mutate_internal_data=true). It updates existing entities with new properties + (can_update_entities=true). It does not create insights, modify alert data, + or create case comments. categories: enrichment: false + reasoning: >- + While the action fetches data, it performs internal mutations (creating new + entities) that are not included in the allowed list for enrichment actions (which + are limited to adding comments, creating insights, or updating existing entity + fields). Therefore, it is not classified as an enrichment action. entity_usage: entity_types: - FILENAME @@ -672,14 +886,50 @@ Extract Zip Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == 'FILENAME'`. It also checks for the + presence of the 'attachment_id' key in the entity's `additional_properties`. Get Attachment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves attachments from the case wall. It does not match any of + the specific product categories defined, such as enriching IOCs, updating tickets, + or performing containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves file attachments from the Google SecOps case wall or alert - wall and provides them as Base64-encoded strings. It is primarily used to programmatically - access files uploaded to a case for further processing in a playbook, such as - sending them to a sandbox or a malware analysis tool. + The 'Get Attachment' action retrieves attachments from the Google SecOps (Chronicle) + case wall. It allows users to fetch attachments based on a specified scope (either + the entire case or the current alert) and returns the file content encoded in + Base64 format. ### Parameters Description @@ -688,31 +938,31 @@ Get Attachment: | :--- | :--- | :--- | :--- | - | Attachment Scope | DDL | Yes | Determines the scope of the search. If set to - 'Alert', the action only retrieves attachments associated with the current alert. - If set to 'Case', it retrieves all attachments associated with the entire case. - | + | Attachment Scope | ddl | Yes | The scope of the attachment that needs to be + retrieved. Options are 'Case' or 'Alert'. | + + + ### Additional Notes + + This action is a utility tool for retrieving files from the internal case wall. + It does not perform any external API calls to third-party services or modify any + data within the SOAR platform. ### Flow Description - 1. **Scope Identification**: The action reads the 'Attachment Scope' parameter - to decide whether to filter by the specific alert or the whole case. + 1. The action retrieves the 'Attachment Scope' parameter. - 2. **Metadata Retrieval**: It fetches the metadata for all items on the case wall - using the case identifier. + 2. It fetches the metadata for all attachments associated with the current case. - 3. **Filtering**: The action filters the wall items to identify those of type - 'attachment' (type 4). If the scope is 'Alert', it further filters items to match - the current alert's unique identifier. + 3. It filters the attachments based on the selected scope ('Case' or 'Alert'). - 4. **Content Extraction**: For each identified attachment, the action calls the - internal SOAR API to retrieve the raw binary content. + 4. For each matching attachment, it retrieves the file content from the case wall. - 5. **Encoding**: The binary content is encoded into a Base64 string. + 5. The file content is encoded into a Base64 string. - 6. **Result Compilation**: The action appends the Base64 blob to the attachment - metadata and returns the complete list as a JSON result. + 6. The action returns the list of attachments, including their metadata and Base64 + content, as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -723,8 +973,16 @@ Get Attachment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches attachment data from the case wall (internal). It does not + mutate external or internal data. It does not update entities, create insights, + or modify alerts. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves data (attachments) but does not add context to entities + or alerts, nor does it update the SOAR platform state. It is a utility action + for file retrieval, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -740,59 +998,70 @@ Get Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or perform operations on + specific entities. It retrieves attachments based on the case or alert scope, + which are internal identifiers, not entity objects. Get Files as Base64: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a file utility for base64 conversion. It does not match any of + the defined product categories (Enrichment, Containment, Ticket management, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Files as Base64** action is a utility designed to read local files from - the system where the Google SecOps runner is executing and convert their content - into Base64-encoded strings. This action is primarily used to prepare file data - for transmission to external APIs, inclusion in reports, or further processing - within a playbook where binary data is not supported. + This action converts local files to base64-encoded strings. It is a utility action + that reads files from the local file system and encodes them into base64 format + for further processing or analysis. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **File Paths** | String | Yes | A comma-delimited list of absolute file paths - to be processed (e.g., `/tmp/logs/audit.log, /home/user/evidence.bin`). | - - - ### Additional Notes - - - The action includes specialized logic to handle filenames that may contain commas - by recursively checking for the existence of path segments on the local filesystem. - - - If a file cannot be read or does not exist, the action will log an error and - fail the execution. + * **File Paths** (string, mandatory): A comma-delimited list of files, including + their path. ### Flow Description - 1. **Input Parsing**: The action retrieves the `File Paths` parameter and splits - it into individual path strings. + 1. Parse the `File Paths` parameter into a list of file paths. - 2. **Path Resolution**: It utilizes a helper function to correctly identify file - boundaries, ensuring that paths containing commas are correctly interpreted if - they exist on the disk. + 2. Iterate through the provided paths, verifying the existence of each file. - 3. **File Access**: The action iterates through the resolved file paths and attempts - to open each file in binary read mode (`rb`). + 3. Read the content of each valid file in binary mode. - 4. **Encoding**: The raw binary content of each file is encoded into a Base64 - string using the UTF-8 character set. + 4. Encode the file content into a base64 string. - 5. **Metadata Extraction**: For each file, the action extracts the directory path, - filename, and file extension. + 5. Compile the results (filename, path, extension, base64 data) into a JSON object. - 6. **Result Construction**: All encoded data and associated metadata are compiled - into a JSON object. - - 7. **Output**: The final JSON result is returned to the SOAR platform, and the - action completes with a summary of the converted files. + 6. Add the JSON result to the action output and terminate the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -803,8 +1072,15 @@ Get Files as Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local file system operation to convert files to base64. + It does not interact with external APIs, modify internal case data, or update + entities. categories: enrichment: false + reasoning: >- + The action is a file utility that converts local files to base64. It does not + fetch external data or perform enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -820,21 +1096,59 @@ Get Files as Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates on file paths provided + as a parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined functional outcomes like enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\nVerifies the connectivity and functional status of the - **File Utilities** integration within Google SecOps. This action serves as a diagnostic - heartbeat to ensure that the integration environment is properly configured and - capable of executing tasks.\n\n### Parameters\nThis action does not require any - input parameters.\n\n| Parameter | Type | Mandatory | Description |\n| :--- | - :--- | :--- | :--- |\n| None | N/A | N/A | This action has no parameters. |\n\n### - Flow Description\n1. **Initialization**: The action initializes the Siemplify - SDK context.\n2. **Connectivity Check**: It performs a basic internal check to - confirm the action runner can execute the script logic.\n3. **Completion**: The - action concludes by returning a success message ("Siemplify is connected") to - the case wall.\n\n### Additional Notes\nThere are no external API dependencies - for this specific action as it serves as a heartbeat check for the integration - framework itself. + Checks connectivity to the File Utilities integration. This action performs a + simple connectivity test to verify that the integration is properly configured + and communicating with the SOAR platform. It does not perform any data retrieval + or modification. + + + ### Parameters + + There are no parameters for this action. + + + ### Flow Description + + 1. The action initializes the `SiemplifyAction` object. + + 2. It immediately terminates the execution by calling `siemplify.end` with a success + message, confirming that the integration is reachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -845,8 +1159,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by calling `siemplify.end`. + It does not interact with external APIs, fetch data, or modify any internal + or external systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -862,39 +1183,95 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Remove Entity from File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a file utility that removes entries from a local file. It does + not perform any of the defined product actions (Enrichment, Containment, Ticket, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\nRemoves the identifiers of target entities from a specified - local file. This utility action is primarily used for managing local state, exclusion - lists, or temporary data stores within the SOAR environment's local filesystem.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Filename | string | Yes | The name of the file (located - in the /tmp/ directory) from which the entity identifiers will be removed. |\n\n### - Flow Description\n1. **Initialization**: The action extracts the `Filename` parameter - and constructs the full path within the `/tmp/` directory.\n2. **File Locking**: - It opens the file using a locking mechanism to ensure exclusive access and prevent - data corruption from concurrent processes.\n3. **Entity Processing**: The action - iterates through all entities provided in the current context (`target_entities`).\n4. - **Removal Logic**: For each entity, it checks if the identifier exists in the - file's content. If found, the identifier is removed from the internal list.\n5. - **Persistence**: The updated list of identifiers is written back to the file, - and the lock is released.\n6. **Result Evaluation**: If any entity identifier - was not found in the file, the action's final result is set to `False`. Otherwise, - it returns `True`.\n\n### Additional Notes\n- The action operates strictly on - the local filesystem of the SOAR runner.\n- It returns a failure status if at - least one entity was missing from the file, even if others were successfully removed. + This action removes the identifier of a target entity from a specified local file + on the SOAR server. It iterates through the provided target entities, checks if + each identifier exists in the file, and removes it if found. The action returns + a success or failure status based on whether all entities were successfully processed. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Filename | string | Yes | The name of the file from which to remove the entities. + | + + + ### Flow Description + + 1. Extract the `Filename` parameter. + + 2. Initialize `EntityFileManager` with the file path and a timeout. + + 3. Iterate through the provided `target_entities`. + + 4. Check if each entity's identifier exists in the file. + + 5. If found, remove the identifier from the file's content. + + 6. Update the file with the modified list. + + 7. Return a success/failure status based on whether all entities were successfully + removed. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Modifies a local file on the SOAR server by removing entity identifiers. + reasoning: >- + The action modifies a local file on the SOAR server. It does not fetch external + data, mutate external systems, or update SOAR entities/insights. It is a file + utility operation. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it perform + any of the allowed internal mutations (Case Comments, Insights, Entity updates). + It is a file utility. entity_usage: entity_types: - ADDRESS @@ -945,63 +1322,86 @@ Remove Entity from File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Save Base64 to File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for saving files to the local filesystem. It does not + perform any of the defined product category operations (e.g., enrichment, containment, + ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Save Base64 to File** action converts base64-encoded strings into physical - files and saves them to the local filesystem of the Google SecOps runner (either - on the main server or a remote agent). This utility is primarily used to stage - file content received via logs or API responses for subsequent analysis or processing - steps within a playbook. + The **Save Base64 to File** action converts a provided base64-encoded string into + a binary file and saves it to the local filesystem of the SOAR engine or agent. + This utility is useful for extracting files from base64 data, such as attachments + or payloads, for further analysis or storage. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base64 Input** | String | Yes | A comma-separated list of base64 encoded strings - to be converted into files. | + ### Flow Description - | **Filename** | String | Yes | A comma-separated list of filenames corresponding - to the base64 inputs. | + 1. **Input Parsing**: The action retrieves the `Base64 Input` and `Filename` parameters. + Both support comma-separated lists to process multiple files in a single execution. - | **File Extension** | String | No | An optional comma-separated list of file - extensions (e.g., 'txt', '.png') to append to the filenames. | + 2. **Directory Setup**: It determines the target directory (the `downloads` folder) + based on whether the action is running locally or on a remote agent. + 3. **File Processing**: It iterates through the provided inputs, decodes the base64 + strings, and writes the resulting binary data to the specified file paths. - ### Additional Notes + 4. **Result Generation**: It constructs a JSON object containing the details of + the saved files (name, path, and extension) and returns this as the action result. - - This action is a utility and does not interact with SOAR entities or external - APIs. - - If the number of provided **File Extensions** is less than the number of **Filenames**, - the action automatically applies the last extension in the list to all remaining - files. + ### Parameters - - Filenames are sanitized to remove invalid characters before saving. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | `Base64 Input` | String | Yes | The base64 encoded string(s) to be converted. + Supports comma-separated values for multiple files. | - 1. **Parameter Parsing**: The action splits the `Base64 Input`, `Filename`, and - `File Extension` parameters into lists based on comma separators. + | `Filename` | String | Yes | The name(s) to assign to the saved files. Supports + comma-separated values. | - 2. **Directory Preparation**: It identifies the target download folder on the - runner's filesystem and ensures the directory exists. + | `File Extension` | String | No | An optional extension to append to the output + filename(s). | - 3. **Extension Alignment**: If extensions are provided, the action ensures the - extension list matches the length of the filename list by repeating the last provided - extension as needed. - 4. **Decoding and Writing**: The action iterates through the inputs, decodes each - base64 string into binary data, and writes it to the calculated file path on the - disk. + ### Additional Notes - 5. **Result Compilation**: It generates a JSON result containing the filename, - full path, and extension for every file successfully created. + - The action does not interact with external systems or SOAR entities. It performs + purely local filesystem operations. capabilities: can_create_case_comments: false can_create_insight: false @@ -1012,8 +1412,17 @@ Save Base64 to File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (writing files) based on provided + input. It does not interact with external APIs, nor does it modify SOAR case + data or entities. It does not fetch data, mutate external systems, or update + internal SOAR data. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment or modification of SOAR entities. It is a utility action for file + creation on the local filesystem. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1029,3 +1438,5 @@ Save Base64 to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or reference any SOAR entities. diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4dec8b11a --- /dev/null +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'file_utilities' integration provides a collection of general-purpose utility + actions for file and data manipulation, such as archiving, hashing, base64 decoding/encoding, + and local file system operations. It also includes actions for managing file attachments + on the Google SecOps case wall. None of these actions perform security-specific + functions like threat intelligence enrichment, host containment, identity management, + ticketing, or asset inventory. Consequently, this integration does not align with + any of the defined product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml index 420a27c5a..392d5091e 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml @@ -1,64 +1,85 @@ Calculate Timestamp: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility function that calculates timestamps based on provided + inputs. It does not interact with external systems, perform enrichment on entities, + or modify alert/case data. Therefore, it does not fit into any of the predefined + product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Calculates one or more new timestamps by applying specified time offsets (deltas) - to a baseline starting point. This utility action is part of the 'Functions' integration - and is used to generate relative time ranges or specific points in time for use - in subsequent playbook steps. + The 'Calculate Timestamp' action is a utility tool designed to compute new timestamps + by applying time offsets (deltas) to a specified baseline time. It supports various + input sources, including the current time, alert creation time, case creation + time, or a custom timestamp provided by the user. ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default Value | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Input Type | Dropdown | No | Defines the baseline time source. Options: 'Current - Time' (default), 'Alert Creation Time', 'Case Creation Time', or 'Custom Timestamp'. + | Input Type | DDL | No | Current Time | The baseline time source for the calculation. + Options: Current Time, Alert Creation Time, Case Creation Time, Custom Timestamp. | - | Custom Timestamp | String | No | The specific date/time string to use as a baseline. - **Mandatory** if 'Input Type' is set to 'Custom Timestamp'. | - - | Custom Timestamp Format | String | No | The strftime-style format of the 'Custom - Timestamp'. Defaults to ISO 8601 (%Y-%m-%dT%H:%M:%S%z). If empty, the action attempts - to parse as epoch. | - - | Timestamp Delta | String | No | A comma-separated list of offsets to apply. - Format: [operator][value][unit]. Units: m (months), d (days), H (hours), M (minutes), - S (seconds). Example: '+1d, -30M'. | - - | Output Timestamp Format | String | No | The desired format for the resulting - timestamps. Use 'epoch' for Unix timestamps or strftime-style strings. Defaults - to ISO 8601. | - + | Custom Timestamp | String | No | "" | The specific date/time string to use if + 'Input Type' is set to 'Custom Timestamp'. | - ### Additional Notes + | Custom Timestamp Format | String | No | %Y-%m-%dT%H:%M:%S%z | The format of + the 'Custom Timestamp'. Defaults to epoch if not provided. | - - If 'Input Type' is 'Custom Timestamp', the 'Custom Timestamp' parameter must - be populated. + | Timestamp Delta | String | No | +30M,-30M | A comma-separated list of time offsets + (e.g., +30M, -1d). Supported units: m (months), d (days), H (hours), M (minutes), + S (seconds). | - - If 'Output Timestamp Format' is set to 'epoch', the result will be an integer - representing seconds since the Unix epoch. + | Output Timestamp Format | String | No | %Y-%m-%dT%H:%M:%S%z | The desired format + for the resulting timestamps. Defaults to epoch if not provided. | ### Flow Description - 1. **Baseline Identification**: The action determines the starting timestamp based - on the 'Input Type' (e.g., fetching the current system time or the creation time - of the active alert/case). - - 2. **Parsing**: If a custom timestamp is provided, it is parsed using the specified - format or identified as an epoch value. + 1. **Parameter Extraction**: The action extracts and validates all input parameters, + ensuring that if 'Custom Timestamp' is selected, a valid timestamp and format + are provided. - 3. **Delta Calculation**: The action iterates through the 'Timestamp Delta' list, - applying each offset (addition or subtraction) to the baseline time using the - `arrow` library. + 2. **Baseline Determination**: Based on the 'Input Type', the action retrieves + the starting timestamp from the current system time, the alert's creation time, + the case's creation time, or the provided custom timestamp. - 4. **Formatting**: The original baseline and all calculated offsets are formatted - according to the 'Output Timestamp Format'. + 3. **Delta Calculation**: The action iterates through the provided 'Timestamp + Delta' strings, parsing the operator (+/-), value, and unit to shift the baseline + timestamp accordingly. - 5. **Output**: The results are returned as a JSON object containing the 'original_timestamp' - and a dictionary of 'calculated_timestamps'. + 4. **Formatting and Output**: Each calculated timestamp is formatted according + to the 'Output Timestamp Format' and added to the final JSON result, which is + then returned to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,10 +88,18 @@ Calculate Timestamp: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches internal data (alert or case creation time) when required, + but it does not interact with external systems or modify any internal data (entities, + insights, or alert fields). It is a pure utility action for timestamp calculation. categories: enrichment: false + reasoning: >- + The action is a utility function that calculates timestamps. It does not gather + supplemental context about alerts or entities, nor does it modify any internal + or external data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -86,34 +115,90 @@ Calculate Timestamp: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or perform any operations + on specific entities. It operates on the alert or case context directly, or + uses a custom timestamp, making it a utility action that does not use entities. Convert Time Format: - ai_description: "### General Description\nThis action converts a datetime value\ - \ from one format to another using the `arrow` library. It is a utility function\ - \ designed to normalize time data within a playbook, allowing for format conversion,\ - \ timezone adjustments, and time shifting (adding or subtracting seconds).\n\n\ - ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| Input | string | Yes | The input datetime value\ - \ to be converted. If left empty, the current time is used. Supports epoch timestamps\ - \ (10 or 13 digits). |\n| From Format | string | Yes | The `strftime` format of\ - \ the input string (e.g., `%Y-%m-%d %H:%M:%S`). Special handling is included for\ - \ 'UTC' or 'GMT' suffixes. |\n| To Format | string | Yes | The desired output\ - \ format using Arrow tokens (e.g., `YYYY/MM/DD`). |\n| Time Delta In Seconds |\ - \ string | Yes | A shift value in seconds to move the time forward (positive)\ - \ or backward (negative). Default is 0. |\n| Timezone | string | No | The target\ - \ timezone for the output (e.g., 'UTC', 'US/Eastern'). |\n\n### Additional Notes\n\ - - If the `Input` parameter is a 10-digit or 13-digit number, the action treats\ - \ it as a Unix timestamp (seconds or milliseconds respectively) regardless of\ - \ the `From Format` provided.\n- The action handles 'UTC' and 'GMT' offsets directly\ - \ if they are appended to the `From Format` string.\n\n### Flow Description\n\ - 1. **Parameter Extraction**: Retrieves the input string, source format, target\ - \ format, time delta, and timezone from the action parameters.\n2. **Time Parsing**:\ - \ \n - If no input is provided, it defaults to the current time.\n - If\ - \ the input is numeric, it parses it as a Unix timestamp.\n - Otherwise, it\ - \ attempts to parse the string using the provided `From Format`.\n3. **Time Manipulation**:\ - \ Applies the `Time Delta In Seconds` to shift the time and converts the object\ - \ to the specified `Timezone` if provided.\n4. **Formatting**: Converts the resulting\ - \ datetime object into the string format defined by `To Format`.\n5. **Output**:\ - \ Returns the formatted string as the action result." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility function for time manipulation. It does not perform + any of the defined product actions such as enriching IOCs, updating tickets, + or modifying alerts. It is strictly a data transformation tool. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action converts a datetime string from one format to another. It supports + time shifting and timezone conversion, providing a flexible utility for normalizing + time data within SOAR workflows. It is a pure utility function that does not interact + with external systems or modify internal SOAR data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Input | string | Yes | The input datetime value that will be converted. | + + | From Format | string | Yes | The datetime format the input string is in. | + + | To Format | string | Yes | The desired time format of the output. | + + | Time Delta In Seconds | string | No | Shift parameter that allows to change + the output actual time to either the future (positive) or past (negative). | + + | Timezone | string | No | Output timezone. | + + + ### Additional Notes + + The action uses the `arrow` library for time manipulation. The `Time Delta In + Seconds` parameter defaults to 0 if not provided. The `Timezone` parameter is + optional. + + + ### Flow Description + + 1. Retrieve parameters (`Input`, `From Format`, `To Format`, `Time Delta`, `Timezone`). + + 2. Parse the input string (handles timestamps or formatted strings). + + 3. Apply time shift (if provided). + + 4. Convert to target timezone (if provided). + + 5. Format the output string. + + 6. Return the result. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,8 +209,16 @@ Convert Time Format: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local time calculations using the `arrow` library. It does + not perform any network I/O, API calls, or modifications to external or internal + systems. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, nor does + it modify any system state. It is a pure utility function for data transformation, + thus it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -141,37 +234,59 @@ Convert Time Format: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action is a utility function that performs time format conversion. It does + not interact with the `target_entities` list or any specific entity objects. Create Thumbnail: - ai_description: "### General Description\nThe **Create Thumbnail** action is a utility\ - \ function designed to generate a resized version (thumbnail) of an image provided\ - \ in Base64 format. This action is primarily used for data transformation within\ - \ a playbook, allowing users to standardize image sizes for reporting or display\ - \ purposes without interacting with external APIs.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Base64 Image** | String | No | The Base64 encoded string of the image to be\ - \ resized. This parameter is used if the image is provided directly rather than\ - \ through a JSON structure. |\n| **Thumbnail Size** | String | Yes | A comma-separated\ - \ string representing the target width and height in pixels (e.g., \"250,250\"\ - ). |\n| **Input JSON** | String | No | A JSON-formatted string (typically an array\ - \ of objects) containing image data. If provided, the action will iterate through\ - \ the JSON to find images. |\n| **Image Key Path** | String | No | A dot-notation\ - \ path (e.g., \"data.content.image\") used to locate the Base64 image string within\ - \ the objects provided in the `Input JSON`. |\n\n### Additional Notes\n- The action\ - \ requires either the **Base64 Image** or the **Input JSON** parameter to be populated\ - \ to function correctly.\n- The output thumbnail is always returned in PNG format,\ - \ encoded as a Base64 string.\n- This action does not interact with the Google\ - \ SecOps entity model directly; it processes data passed through parameters.\n\ - \n### Flow Description\n1. **Initialization**: The action extracts the target\ - \ dimensions from the `Thumbnail Size` parameter and identifies the source of\ - \ the image data.\n2. **Data Extraction**: \n - If `Input JSON` is provided,\ - \ the action parses the JSON and uses the `Image Key Path` to recursively find\ - \ the Base64 image strings for each entry.\n - If `Input JSON` is not provided,\ - \ it uses the single string from the `Base64 Image` parameter.\n3. **Image Processing**:\ - \ For each identified image, the action decodes the Base64 string, utilizes the\ - \ PIL (Pillow) library to resize the image to the specified dimensions, and saves\ - \ the result as a PNG.\n4. **Encoding**: The resized PNG image is re-encoded into\ - \ a Base64 string.\n5. **Result Generation**: The action compiles the processed\ - \ thumbnails into a JSON result object and completes the execution." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility function for image processing (creating thumbnails). + It does not perform any security-related operations such as enrichment, containment, + or ticket management. Therefore, it does not match any of the defined product + categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + General Description: Creates a Base64 thumbnail from an input image. This action + allows users to resize images provided as Base64 strings or extracted from a JSON + object, returning the processed thumbnail as a Base64 string. Parameters Description: + Base64 Image (string, optional): The Base64 string of the image. Thumbnail Size + (string, mandatory): Comma-separated pixels (e.g., 250,250) representing X and + Y dimensions. Input JSON (string, optional): A JSON object containing the image + data. Image Key Path (string, optional): The key path to locate the image within + the Input JSON. Flow Description: 1. Extract parameters: Base64 Image, Thumbnail + Size, Input JSON, and Image Key Path. 2. If Input JSON is provided, parse it and + extract the image string using the Image Key Path. 3. If Base64 Image is provided, + use it directly. 4. Decode the Base64 string, resize the image to the specified + dimensions using the PIL library, and re-encode it to Base64. 5. Return the resulting + thumbnail as a JSON object via siemplify.result.add_result_json. Additional Notes: + This action is a utility function and does not interact with external systems + or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +297,16 @@ Create Thumbnail: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local image processing using the PIL library. It does not + interact with external APIs, modify internal case data, or update entities. + It simply transforms input data and returns it as a JSON result. categories: enrichment: false + reasoning: >- + The action is a utility function for image manipulation. It does not fetch data + from external sources, nor does it modify internal SOAR data or entities. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,53 +322,55 @@ Create Thumbnail: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with siemplify.target_entities. It processes raw + input strings or JSON data provided via parameters. Defang Text: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a text processing utility that performs local string manipulation. + It does not interact with external systems, fetch threat intelligence, or modify + case/alert data. It does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action defangs a provided text string by modifying potentially dangerous - indicators such as URLs, IP addresses, and email addresses. Defanging is a security - practice used to prevent accidental clicking or automatic resolution of malicious - links by rendering them non-functional while remaining human-readable. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Input | string | No | The raw text string that needs to be defanged. If the - input is empty or not provided, the action will return an empty string. | - - - ### Flow Description - - 1. **Extraction**: The action retrieves the `Input` string from the action parameters. - - 2. **Validation**: If the input text is empty, the action sets the output message - to "Input text is empty" and returns an empty result. - - 3. **URL Defanging**: Identifies HTTP/HTTPS URLs and replaces `http` with `hxxp` - and replaces dots in the domain with `[.]` (e.g., `http://example.com` becomes - `hxxp://example[.]com`). - - 4. **IP Defanging**: Identifies IPv4 addresses and replaces the dots with `[.]` - (e.g., `1.1.1.1` becomes `1[.]1[.]1[.]1`). - - 5. **Email Defanging**: Identifies email addresses and replaces the `@` symbol - with `[at]` and dots in the domain with `[.]` (e.g., `user@example.com` becomes - `user[at]example[.]com`). - - 6. **Result**: The final modified string is returned in the `converted_text` JSON - result field. - - - ### Additional Notes - - This is a utility action that performs local text transformation. It does not - interact with external APIs, does not require network connectivity, and does not - modify any internal SOAR objects like entities or case comments. + The **Defang Text** action is a utility function designed to sanitize potentially + malicious text strings. It takes an input string and applies regex-based transformations + to 'defang' indicators, making them safe for inclusion in reports or communications. + **Flow:** 1. Extract the **Input** parameter from the action configuration. 2. + Validate that the input is not empty. 3. Apply regex transformations to replace + http/https with hxxp/hxxps and dots in domains with [.]. 4. Apply regex transformations + to replace dots in IPv4 addresses with [.]. 5. Apply regex transformations to + replace @ in email addresses with [at] and dots in domains with [.]. 6. Return + the resulting defanged text in the **converted_text** JSON output. **Parameters:** + **Input** (string, optional): The raw text string to be defanged. **Additional + Notes:** If the **Input** parameter is not provided, the action returns an empty + string. capabilities: can_create_case_comments: false can_create_insight: false @@ -256,8 +381,15 @@ Defang Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a pure text transformation utility. It does not fetch data from + external APIs, nor does it mutate any external or internal systems. It simply + processes a string input and returns a transformed string. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, which is + a requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -273,58 +405,83 @@ Defang Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It processes a raw string input provided via the Input parameter. Therefore, + it does not run on entities. Detect Hash Type: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action identifies the hash type of file hash entities and updates their + properties. This provides context about the indicator, matching the 'Enrich + IOC' category. It does not perform external mutations or other actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Detect Hash Type** action identifies the most likely hash algorithm (MD5, - SHA-1, SHA-256, or SHA-512) for provided strings or `FILEHASH` entities. It uses - the `hashid` library to perform local identification without external API calls. - This utility is primarily used to categorize hash values for downstream logic - in playbooks. + Detects the cryptographic hash type (e.g., SHA256, MD5, SHA1, SHA-512) for a given + list of hash strings or for `FILEHASH` entities present in the case. This action + uses the `hashid` library to identify the hash type and updates the entity's `additional_properties` + with the result. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Hashes** | String | No | A comma-separated list of hash strings to identify. - If provided, the action will identify the types for these specific strings in - addition to any entities in the case scope. | + | Hashes | string | false | One or more hashes that are comma separated. | - ### Flow Description + ### Additional Notes - 1. **Parameter Parsing**: The action retrieves the `Hashes` parameter and splits - it into individual strings if provided. + If no hashes are provided in the `Hashes` parameter, the action will only process + `FILEHASH` entities found in the case. - 2. **Manual Identification**: For each string in the `Hashes` parameter, the action - uses the `hashid` library to detect the algorithm. It checks if the detected type - is within the supported set (MD5, SHA-1, SHA-256, SHA-512). - 3. **Entity Filtering**: The action iterates through all entities in the current - case scope, specifically targeting those with the type `FILEHASH`. + ### Flow Description - 4. **Entity Identification**: For each `FILEHASH` entity, the action identifies - the hash type using the same logic as the manual identification. + 1. Initialize the `HashID` utility. - 5. **Internal Enrichment**: The action updates the `additional_properties` of - the `FILEHASH` entities with a new key `HashType` containing the detected algorithm - name. + 2. If the `Hashes` parameter is provided, iterate through the comma-separated + list and identify the hash type for each. - 6. **Result Reporting**: The action compiles all identified hash types (from both - parameters and entities) into a JSON result and provides a summary message. + 3. Iterate through `target_entities` of type `FILEHASH`. + 4. Identify the hash type for each entity using the `HashID` utility. - ### Additional Notes + 5. Update the entity's `additional_properties` with the detected hash type. - - If a hash cannot be identified or does not match the supported types, the `HashType` - is set to `UNDETECTED`. + 6. Update the entities in the SOAR platform. - - This action is entirely local and does not require network connectivity to external - threat intelligence services. + 7. Return the results as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -333,12 +490,21 @@ Detect Hash Type: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of FILEHASH entities - to include the detected hash algorithm type. + Updates the `additional_properties` of `FILEHASH` entities with the detected + hash type. + reasoning: >- + The action uses the `hashid` library to determine the hash type of provided + strings or `FILEHASH` entities. It updates the `FILEHASH` entities with this + information using `siemplify.update_entities`. It does not interact with external + systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action identifies the hash type and updates the entity's properties. It + does not mutate external systems and only performs allowed internal mutations + (updating entities). It qualifies as an enrichment action. entity_usage: entity_types: - FILEHASH @@ -355,54 +521,82 @@ Detect Hash Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `FILEHASH` + entities using `if entity.entity_type == "FILEHASH"`. Detect IP Type: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds metadata ('IPType') to the entity. This matches the 'Enrich + Asset' category, which involves returning contextual metadata for a resource. + It does not fetch threat intelligence (Enrich IOC) or perform any other listed + actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Detect IP Type** action is a utility designed to identify whether an IP - address is in IPv4 or IPv6 format. It processes both manually provided IP addresses - and existing IP Address entities within a case, enriching the entities with the - detected type. + This action identifies whether provided IP addresses (from parameters) or IP Address + entities (from the case) are IPv4 or IPv6. It updates the entity's `additional_properties` + with the `IPType` and returns the results in the action output. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | IP Addresses | String | No | A comma-separated list of IP addresses to evaluate. - If provided, these addresses are processed alongside case entities. | + | --- | --- | --- | --- | + | IP Addresses | string | false | Comma-separated list of IP addresses to check. + | - ### Additional Notes - - This action uses local regular expression matching and does not require connectivity - to external threat intelligence services. + ### Flow Description - - If an address does not conform to standard IPv4 or IPv6 formats, it is categorized - as 'UNDETECTED'. + 1. Retrieve the `IP Addresses` parameter (if provided). + 2. For each provided IP address, determine if it is IPv4, IPv6, or UNDETECTED + using regex. - ### Flow Description + 3. Iterate through `target_entities` and filter for `ADDRESS` type. - 1. **Input Retrieval**: The action fetches the 'IP Addresses' parameter and splits - it into a list if it contains values. + 4. For each `ADDRESS` entity, determine if it is IPv4, IPv6, or UNDETECTED using + regex. - 2. **Manual IP Processing**: Each IP address from the parameter is checked against - IPv4 and IPv6 regex patterns. The results are stored for the final output. + 5. Update the entity's `additional_properties` with the `IPType`. - 3. **Entity Filtering**: The action iterates through the case's `target_entities` - and identifies those with the type `ADDRESS`. + 6. Return the results as a JSON object in the action output. - 4. **Type Detection**: For each identified entity, the action applies regex patterns - to its identifier to determine the IP version. - 5. **Internal Enrichment**: The detected type is added to the entity's `additional_properties` - dictionary under the key `IPType`. + ### Additional Notes - 6. **State Update**: The action updates the modified entities within Google SecOps - and returns a comprehensive JSON result containing all detected types. + If no IP addresses are provided in the parameters, the action will only process + the `ADDRESS` entities found in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -413,11 +607,19 @@ Detect IP Type: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of ADDRESS entities - to include the detected IP type (IPv4 or IPv6) and persists these changes in - Google SecOps using the update_entities method. + Updates the entity's `additional_properties` with the `IPType` (IPv4/IPv6/UNDETECTED). + reasoning: >- + The action performs a local regex calculation to determine the IP type (IPv4/IPv6) + and updates the entity's additional properties. It does not fetch data from + an external or internal source, so it does not meet the criteria for an Enrichment + Action. It mutates internal data by updating entity properties. categories: enrichment: false + reasoning: >- + The action performs a local regex calculation to determine the IP type (IPv4/IPv6) + and updates the entity's additional properties. It does not fetch data from + an external or internal source, so it does not meet the criteria for an Enrichment + Action. entity_usage: entity_types: - ADDRESS @@ -434,58 +636,80 @@ Detect IP Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `if entity.entity_type + == "ADDRESS"`. This means it targets ADDRESS entities, filtering by entity_type. Extract IOCs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for extracting IOCs from text. It does not match any + of the defined product categories (Enrich IOC, Contain Host, etc.) because it + does not perform external lookups or system modifications. It is a pure data + processing function. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Extract IOCs** action is a utility designed to parse a provided text string - and identify common Indicators of Compromise (IOCs). It specifically identifies - and extracts URLs, domains, IPv4/IPv6 addresses, and email addresses from unstructured - text. This action is typically used to process data from sources like email bodies, - log entries, or threat reports to isolate actionable security identifiers. + This action extracts Indicators of Compromise (IOCs) such as IP addresses, domains, + URLs, and email addresses from a provided input string. It is a utility action + designed to parse unstructured text for security-relevant data. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Input String | String | Yes | The raw text string from which the action will - attempt to extract IOCs. | - - - ### Additional Notes + | --- | --- | --- | --- | - - This action performs local parsing using regular expressions and specialized - libraries (`URLExtract`, `tld`) and does not interact with external APIs. + | Input String | string | true | The raw text or string content to be parsed for + IOCs. | - - It includes logic to filter out common false positives in URLs (e.g., specific - file extensions like .js, .css, .png) and validates IP addresses to ensure they - are syntactically correct. - - By default, it includes internal/private IP addresses in the extraction results. + ### Flow Description + 1. The action retrieves the `Input String` parameter. - ### Flow Description + 2. It uses regular expressions and parsing libraries to identify URLs, domains, + IP addresses, and email addresses within the string. - 1. **Input Retrieval**: The action retrieves the `Input String` provided as a - parameter. + 3. It cleans and validates the extracted data (e.g., removing invalid URLs or + internal IPs if necessary). - 2. **URL Extraction**: Uses the `URLExtract` library to identify potential URLs, - cleaning them of noise and validating their structure. + 4. It compiles the findings into a structured JSON object and a summary message. - 3. **Domain Extraction**: For every valid URL identified, the action extracts - the First Level Domain (FLD) using the `tld` library. + 5. The results are returned to the SOAR platform for further use. - 4. **IP Extraction**: Scans the text for IPv4 and IPv6 patterns, validating them - using the `ipaddress` module to ensure they are valid network addresses. - 5. **Email Extraction**: Uses a regular expression to identify and extract email - addresses from the text. + ### Additional Notes - 6. **Result Compilation**: Aggregates all identified IOCs into a structured JSON - object and generates a summary message for the action output. + This action is a utility function and does not perform any external API calls + or modifications to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -496,8 +720,15 @@ Extract IOCs: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs text parsing on a provided input string. It does not perform + any external API calls, nor does it modify any internal SOAR data or entities. + It is a utility action. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes a local + string), therefore it fails the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -513,51 +744,53 @@ Extract IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on the provided `Input String` parameter. IP to Integer: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility function that converts IP addresses to integers. It + does not perform any of the defined product category actions (e.g., enrichment, + containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action is a utility function designed to convert IPv4 addresses into their - corresponding integer (long) format. It is primarily used for data normalization - or when interacting with systems that require IP addresses in numeric form rather - than string format. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Addresses | string | Yes | A comma-separated list of IPv4 addresses (e.g., - "192.168.1.1, 10.0.0.1") to be converted into integers. | - - - ### Additional Notes - - - This action does not interact with any external APIs or services. - - - It does not process or modify Google SecOps entities; it operates strictly on - the provided input parameter string. - - - The conversion uses network byte order (big-endian). - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `IP Addresses` parameter and splits - the string by commas, removing any leading or trailing whitespace. - - 2. **Conversion**: For each IP address in the list, the script uses the `socket` - and `struct` libraries to convert the string representation into a 32-bit unsigned - integer. - - 3. **Result Compilation**: The results are stored in a JSON dictionary mapping - the original IP to the integer, and also joined into a comma-separated string - for the main result value. - - 4. **Output**: The action returns the converted values and provides a summary - message in the execution log. + General Description: This action converts a comma-separated list of IP addresses + into their corresponding long integer representations. It is a utility function + designed for data transformation within a playbook. Parameters: The action requires + one mandatory parameter: 'IP Addresses' (type: string), which should be a comma-separated + list of IP addresses to be converted. Flow Description: 1. The action retrieves + the 'IP Addresses' parameter. 2. It splits the input string into a list of individual + IP addresses. 3. It iterates through each IP address and converts it to a long + integer using the socket and struct libraries. 4. It stores the mapping of each + IP address to its integer value in a JSON result. 5. It returns the comma-separated + list of integers as the action result value and logs the conversion details. capabilities: can_create_case_comments: false can_create_insight: false @@ -568,8 +801,15 @@ IP to Integer: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local calculation on input strings provided via parameters. + It does not interact with any external APIs (fetches_data=false) or modify internal + SOAR data such as entities, insights, or case wall logs (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility function for data transformation. It does not fetch + data from external sources, which is a requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -585,44 +825,81 @@ IP to Integer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities. It processes input provided via parameters. Math Arithmetic: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs basic arithmetic operations and does not align with any + of the defined security-specific product categories such as enrichment, containment, + or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Performs basic arithmetic operations on two provided numeric arguments. This action - is designed to facilitate mathematical calculations within playbooks, supporting - addition, subtraction, multiplication, division, and modulo operations. + ### General Description + The Math Arithmetic action provides a set of built-in mathematical operators to + perform calculations within a SOAR playbook. It allows users to execute basic + arithmetic operations on two provided numeric arguments. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Function | ddl | Yes | The mathematical operation to perform. Options include: - Plus (addition), Sub (subtraction), Multi (multiplication), Div (division), and - Mod (modulo). | + | Function | ddl | Yes | The arithmetic operation to perform. Options: Plus, Sub, + Multi, Div, Mod. | - | Arg 1 | string | Yes | The first numeric value (integer or float) to be used - in the calculation. | + | Arg 1 | string | Yes | The first numeric argument. | - | Arg 2 | string | Yes | The second numeric value (integer or float) to be used - in the calculation. | + | Arg 2 | string | Yes | The second numeric argument. | ### Flow Description - 1. **Input Retrieval**: The action retrieves the selected mathematical function - and the two input arguments from the configuration. + 1. The action retrieves the Function, Arg 1, and Arg 2 parameters from the configuration. + + 2. It attempts to parse the provided string arguments into numeric values (integer + or float). + + 3. Based on the selected Function, it performs the corresponding arithmetic operation + (addition, subtraction, multiplication, division, or modulo). - 2. **Type Conversion**: It attempts to parse the string inputs for 'Arg 1' and - 'Arg 2' into numeric types, prioritizing integers and falling back to floats if - necessary. + 4. The action returns the calculated result and a descriptive message as the final + output. - 3. **Execution**: The script executes the logic corresponding to the selected - function (e.g., adding the numbers if 'Plus' is selected). - 4. **Completion**: The calculated result is returned as the action's output value, - accompanied by a status message describing the operation performed. + ### Additional Notes + + This action is a utility tool and does not interact with external systems or modify + internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,8 +910,17 @@ Math Arithmetic: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local arithmetic calculations based on user-provided input. + It does not interact with external APIs (fetches_data=false), does not mutate + external systems (can_mutate_external_data=false), and does not modify internal + SOAR data or entities (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility function for performing math. It does not fetch data + from external sources or enrich entities, therefore it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -650,54 +936,74 @@ Math Arithmetic: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the target_entities object or any entity-related + data. It operates solely on user-provided input parameters. Math Functions: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility script that performs mathematical operations on input + strings. It does not interact with alerts, tickets, identities, or external + systems. It does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Math Functions** action provides a suite of built-in Python mathematical - operations to process numeric data within a playbook. It allows users to perform - calculations, formatting, and transformations on a list of numbers provided as - a comma-separated string. + The Math Functions action performs various mathematical operations on a provided + list of numbers. It accepts a comma-separated string of numbers and a selected + operation, processes the data, and returns the calculated result. This utility + is designed for data manipulation within a playbook. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Function** | DDL | Yes | The mathematical operation to execute. Supported - options: `Max` (largest item), `Min` (smallest item), `Round` (rounds numbers), - `Sort` (sorts numbers), `Sum` (totals the items), `Float` (converts to floating - point), `Hex` (converts to hexadecimal), `Int` (converts to integer), `Abs` (absolute - value), and `Display` (adds comma separators). | + | Function | ddl | Yes | The mathematical function to apply (e.g., Max, Min, Sum, + Round, Sort, Float, Hex, Int, Abs, Display). | - | **Numbers** | String | Yes | A comma-separated list of numbers (e.g., "13.5, - -90, 566") to be processed by the selected function. | + | Numbers | string | Yes | A comma-separated list of numbers to process. | - ### Flow Description + ### Flow - 1. **Input Parsing**: The action retrieves the `Numbers` string and splits it - by commas. It attempts to parse each element into a float or integer. + 1. Retrieve the `Function` and `Numbers` parameters from the action configuration. - 2. **Function Execution**: Based on the selected `Function` parameter, the action - applies the corresponding Python logic (e.g., `abs()`, `max()`, `sum()`, or string - formatting for `Display`). + 2. Parse the `Numbers` string into a list of numeric values. - 3. **Result Generation**: The processed numbers are stored in a list. If the `Hex` - function is chosen, the action specifically filters for integer-compatible values. + 3. Apply the selected mathematical function to the list. - 4. **Output**: The action returns the result as a JSON array and sets the script - result value to the processed data (or a single value if only one result exists). + 4. Format the output message and result. + 5. Add the result to the action output using `add_result_json` and `add_json`. - ### Additional Notes - - - This action does not interact with SecOps entities; it operates strictly on - the provided input parameters. - - - The `Hex` function requires integer inputs to function correctly. + 6. Terminate the action with the final output message and result. capabilities: can_create_case_comments: false can_create_insight: false @@ -708,8 +1014,17 @@ Math Functions: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local mathematical calculations on input parameters provided + by the user. It does not interact with any external APIs, fetch external data, + or modify any internal SOAR data, entities, or alerts. It is a pure utility + action. categories: enrichment: false + reasoning: >- + The action is a utility script for mathematical operations. It does not fetch + data from external sources or perform enrichment on entities. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -725,13 +1040,47 @@ Math Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It only processes input parameters + provided in the configuration. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This is a connectivity check action ('Ping'). It does not match any of the functional + categories like enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Verifies the connectivity and availability of the Functions integration within - the Google SecOps environment. This action serves as a basic health check to ensure - that the integration is correctly configured and can execute scripts. + Verifies connectivity between the Google SecOps SOAR platform and the integration. + This action is a standard connectivity check used to ensure the integration is + reachable and operational. ### Parameters Description @@ -741,16 +1090,16 @@ Ping: ### Additional Notes - This action is a standard utility used primarily for troubleshooting or initial - setup verification. It does not interact with external APIs or modify any data. + This action is a simple connectivity test and does not perform any functional + operations on alerts, entities, or external systems. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK context. + 1. The action initializes the `SiemplifyAction` module. - 2. **Execution**: The action immediately concludes by returning a success message - ('Siemplify is connected') to the Google SecOps platform. + 2. It immediately terminates the execution with a success message, confirming + that the integration is reachable and operational. capabilities: can_create_case_comments: false can_create_insight: false @@ -761,8 +1110,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check. It does not interact with external + APIs, modify any data, or perform any operations on entities or alerts. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided guidelines. It performs no data retrieval or modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -778,14 +1133,46 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Run JSONPath Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for parsing JSON data. It does not match any of the + specific product categories (Enrich IOC, Ticket creation, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Run JSONPath Query** action is a utility designed to parse a JSON string - and extract specific values based on a provided JSONPath expression. It leverages - the `jsonpath-ng` library to navigate complex JSON structures, making it highly - useful for data transformation and extraction within playbooks. + The 'Run JSONPath Query' action is a utility tool that allows users to extract + specific data points from a JSON string using JSONPath expressions. This is useful + for parsing complex JSON outputs from previous playbook actions or API responses. ### Parameters Description @@ -794,37 +1181,26 @@ Run JSONPath Query: | :--- | :--- | :--- | :--- | - | **Json** | Code/String | Yes | The raw JSON string that you want to query. | + | Json | code | Yes | The raw JSON string to be queried. | - | **JSONPath Expression** | String | Yes | The JSONPath expression used to locate - and extract data from the input JSON. | + | JSONPath Expression | string | Yes | The JSONPath expression used to extract + data from the JSON input. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the input JSON string and the - JSONPath expression from the action parameters. - - 2. **JSON Parsing**: The input string is converted into a Python dictionary or - list structure. - - 3. **Expression Evaluation**: The JSONPath expression is parsed and applied against - the JSON data. - - 4. **Result Compilation**: All matching values found by the expression are collected - into a list under the key `matches`. + 1. The action retrieves the `Json` input string and the `JSONPath Expression` + from the action parameters. - 5. **Output**: The resulting JSON object containing the matches is returned to - the SOAR platform for use in subsequent playbook steps. + 2. It parses the provided `Json` string into a Python object. + 3. It applies the `JSONPath Expression` to the parsed JSON object to locate matching + elements. - ### Additional Notes - - - This action is a pure data processing function and does not interact with external - APIs or Google SecOps entities. + 4. The extracted matches are collected into a result object. - - If the input JSON is malformed or the JSONPath expression is invalid, the action - will fail with an error. + 5. The final result is added to the action output for use in subsequent playbook + steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -835,8 +1211,15 @@ Run JSONPath Query: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local data processing (parsing JSON and applying a query). + It does not interact with external APIs, mutate external systems, or modify + internal SOAR entities/cases. It is a pure utility function. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (Rule 1 of enrichment). + It is a data transformation utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -852,62 +1235,88 @@ Run JSONPath Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on SOAR + entities. It is a generic utility action. SanitizeHTML: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility script for sanitizing HTML fragments. It does not perform + any of the defined product category actions such as enrichment, containment, + ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **SanitizeHTML** action is a utility designed to clean and sanitize HTML fragments. - It uses the `bleach` library to parse HTML according to the HTML5 standard, stripping - or escaping tags, attributes, and CSS styles that are not explicitly permitted. - This is primarily used to prevent Cross-Site Scripting (XSS) or to clean up malformed - HTML data retrieved from external sources. + The `SanitizeHTML` action parses an HTML fragment and sanitizes it by removing + disallowed tags, attributes, and styles based on user-defined configurations. + This is useful for cleaning potentially malicious or malformed HTML content before + displaying it in reports or logs. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Input HTML** | String | Yes | The HTML fragment that needs to be sanitized. - | + | Tags | string | No | Comma-separated list of allowed HTML tags. Tags not in + this list will be escaped or stripped. | - | **Tags** | String | No | A comma-separated list of allowed HTML tags. Tags not - in this list will be escaped or stripped. Default includes common safe tags like - `a`, `p`, `div`, etc. | + | Attributes | string | No | Comma-separated list of allowed attributes. | - | **Attributes** | String | No | A comma-separated list of allowed HTML attributes. - | + | Styles | string | No | Comma-separated list of allowed CSS styles. | - | **Styles** | String | No | A comma-separated list of allowed CSS properties - (e.g., `color`, `background-color`). | + | Allow All Attributes | boolean | No | If set to True, allows all attributes. + | - | **Allow All Attributes** | Boolean | No | If set to `True`, the action will - allow all attributes on the permitted tags. | + | Input HTML | string | Yes | The HTML fragment that will be sanitized. | ### Additional Notes - - If no `Tags` are provided, the action uses a default set of safe tags defined - in the integration. - - The action logic also checks for `Allow All Tags` and `Allow All Styles` parameters - in the code, though they may not be exposed in all configuration versions. + The `Input HTML` parameter is mandatory. Other parameters (`Tags`, `Attributes`, + `Styles`, `Allow All Attributes`) are optional and allow for fine-grained control + over the sanitization process. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration - for allowed tags, attributes, and styles from the action parameters. - 2. **Sanitization Configuration**: It parses the comma-separated strings into - lists and initializes a CSS sanitizer if specific styles are allowed. + 1. Extracts configuration parameters (`Tags`, `Attributes`, `Styles`, `Allow All + Attributes`) and the `Input HTML` string. + + 2. Configures the `bleach` library with the provided sanitization rules. - 3. **Processing**: It applies the `bleach.clean` method to the input HTML, filtering - it against the defined allow-lists for tags, attributes, and CSS properties. + 3. Processes the `Input HTML` using `bleach.clean` based on the provided configuration. - 4. **Completion**: The sanitized HTML string is returned as the action's result - value, and a success message is logged. + 4. Returns the sanitized HTML string as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -918,8 +1327,16 @@ SanitizeHTML: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string transformation using the `bleach` library. + It does not interact with external APIs, modify internal SOAR data, or update + entities. Therefore, it does not fetch data or mutate any system state. categories: enrichment: false + reasoning: >- + The action is a utility script that performs local string manipulation (HTML + sanitization). It does not fetch data from external or internal sources, failing + the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -935,66 +1352,91 @@ SanitizeHTML: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any entity-specific + identifiers. It is a utility script that processes a raw string input. String Functions: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for string manipulation and does not perform any of + the defined product-specific operations such as enrichment, containment, ticketing, + or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action provides a suite of Python-based string manipulation utilities designed - to transform, analyze, or format strings within a playbook. It allows users to - perform common operations like case conversion, regex matching, and base64 encoding/decoding - on a provided input string without requiring custom script blocks. + The String Functions action provides a suite of utility operations to manipulate + and transform text strings. It allows users to perform common string processing + tasks such as case conversion, regex replacement, base64 encoding/decoding, and + splitting, directly within a SOAR playbook. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Input Retrieval**: The action retrieves the `Input` string, the selected + `Function` to execute, and optional parameters (`Param 1`, `Param 2`) from the + action configuration. - | Input | String | Yes | The source string to be processed. | + 2. **Operation Execution**: Based on the selected `Function`, the action applies + the corresponding Python string method or logic (e.g., `lower()`, `upper()`, `re.sub()`, + `base64.b64encode()`). - | Function | DDL | Yes | The specific string operation to apply. Options include: - Lower, Upper, Count, Find, IsAlpha, IsDigit, Replace, Strip, Title, Regex Replace, - JSON Serialize, Regex, Split, DecodeBase64, EncodeBase64, and RemoveNewLines. - | + 3. **Result Generation**: The processed string is returned as the action result. + For specific functions like `Split`, the result is also added as a JSON object + to the action's result data. - | Param 1 | String | No | The first contextual argument required by some functions - (e.g., the substring to count, the regex pattern, or the delimiter for splitting). - | + 4. **Completion**: The action terminates and returns the final processed string + to the playbook. - | Param 2 | String | No | The second contextual argument required by some functions - (e.g., the replacement string for 'Replace' or the join character for 'Regex'). - | + ### Parameters Description - ### Additional Notes - - - The placeholder `_SPACE_` can be used in `Param 1` and `Param 2` for the 'Replace' - and 'Regex Replace' functions; it will be automatically converted to a literal - space character before processing. + | Parameter | Type | Mandatory | Description | - - For 'DecodeBase64' and 'EncodeBase64', `Param 1` defaults to 'UTF-8' if not - specified or if it doesn't match 'UTF-8' or 'ASCII'. + | :--- | :--- | :--- | :--- | - - The 'Split' function will default to a comma (`,`) delimiter if `Param 1` is - not provided. + | Input | String | Yes | The input string to be processed. | + | Function | DDL | Yes | The specific string manipulation function to execute + (e.g., Lower, Upper, Regex, Base64). | - ### Flow Description + | Param 1 | String | No | The first parameter required by certain functions (e.g., + the pattern for Regex or the delimiter for Split). | - 1. **Parameter Retrieval**: The action fetches the `Input` string, the selected - `Function`, and any optional arguments (`Param 1`, `Param 2`). + | Param 2 | String | No | The second parameter required by certain functions (e.g., + the replacement string for Regex). | - 2. **Placeholder Normalization**: For replacement-based functions, it substitutes - the `_SPACE_` placeholder with actual space characters. - 3. **Logic Execution**: The action executes the specific Python string method - or library function (e.g., `re`, `base64`, `json`) corresponding to the user's - selection. + ### Additional Notes - 4. **Result Output**: The transformed string or boolean result is returned to - the SOAR platform. For the 'Split' function, the resulting list is also attached - as a JSON result. + This action is a pure utility and does not interact with external systems or modify + SOAR case data. It is designed for data transformation within a playbook workflow. capabilities: can_create_case_comments: false can_create_insight: false @@ -1005,8 +1447,18 @@ String Functions: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string manipulation on input parameters provided by + the user. It does not make any external API calls (fetches_data=false), does + not interact with external systems (can_mutate_external_data=false), and does + not modify any internal SOAR case data such as entities, insights, or alert + status (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for string manipulation and does not fetch data from + external sources. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1022,35 +1474,94 @@ String Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference or iterate over `target_entities`. It processes + raw string input provided via parameters. Time Duration Calculator: - ai_description: "### General Description\nThe **Time Duration Calculator** is a\ - \ utility action designed to calculate the precise time difference between two\ - \ date-time inputs. It supports various input formats and can dynamically use\ - \ the current system time as one of the comparison points. The action outputs\ - \ the duration in a human-readable format (years, days, hours, minutes, seconds)\ - \ and provides the total duration in seconds as the primary result value.\n\n\ - ### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Input DateTime 1 | String | Yes | The first\ - \ datetime value to compare. Supports specific date strings or the keyword \"\ - now\" for the current UTC time. |\n| Input DateTime 1 Format | String | Yes |\ - \ The `strftime` format used to parse Input DateTime 1 (e.g., `%Y-%m-%dT%H:%M:%S%z`).\ - \ |\n| Input DateTime 2 | String | Yes | The second datetime value to compare.\ - \ Supports specific date strings or the keyword \"now\" for the current UTC time.\ - \ |\n| Input DateTime 2 Format | String | Yes | The `strftime` format used to\ - \ parse Input DateTime 2 (e.g., `%Y-%m-%dT%H:%M:%S%z`). |\n\n### Additional Notes\n\ - - If a provided datetime string does not include timezone information, the action\ - \ automatically localizes it to UTC to ensure accurate calculations.\n- The action\ - \ is purely mathematical and does not interact with external APIs or modify SecOps\ - \ entities.\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ - \ the two input datetime strings and their corresponding format strings from the\ - \ environment.\n2. **Datetime Parsing:** \n - If an input is set to \"now\"\ - , the current UTC time is captured.\n - Otherwise, the string is parsed using\ - \ the provided `strftime` format.\n - Timezone awareness is checked; if the\ - \ object is naive, it is localized to UTC.\n3. **Duration Calculation:** The action\ - \ calculates the delta between the two datetime objects.\n4. **Data Breakdown:**\ - \ The total delta is decomposed into years, days, hours, minutes, and seconds.\n\ - 5. **Output Generation:** The action populates a JSON result with the breakdown\ - \ and sets the total seconds as the main script result." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility function for calculating time differences. It does not + perform any security-related operations such as enriching IOCs, updating tickets, + or containing hosts. Therefore, it does not match any of the defined product + categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The Time Duration Calculator is a utility action that calculates the elapsed time + between two provided datetime values. It supports custom date formats and the + 'now' keyword to represent the current time. The action returns the duration in + years, days, hours, minutes, and seconds, providing both a human-readable string + and a structured JSON result. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Input DateTime 1 | string | Yes | The first input datetime value. Supports either + strftime format or "now" for the current time. | + + | Input DateTime 1 Format | string | Yes | The strftime format of the DateTime + string. | + + | Input DateTime 2 | string | Yes | The second input datetime value. Supports + either strftime format or "now" for the current time. | + + | Input DateTime 2 Format | string | Yes | The strftime format of Input DateTime + 2. | + + + ### Additional Notes + + This action is a pure utility function and does not interact with external systems, + entities, or security alerts. It performs local calculations only. + + + ### Flow Description + + 1. Extract the four input parameters (DateTime 1, DateTime 1 Format, DateTime + 2, DateTime 2 Format). + + 2. Parse the input strings into datetime objects. If "now" is provided, use the + current UTC time. + + 3. Ensure both datetime objects are timezone-aware (localizing to UTC if necessary). + + 4. Calculate the duration between the two datetime objects. + + 5. Format the duration into years, days, hours, minutes, and seconds. + + 6. Return the results as a JSON object and set the action result value to the + total duration in seconds. capabilities: can_create_case_comments: false can_create_insight: false @@ -1061,8 +1572,16 @@ Time Duration Calculator: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local calculation based on provided inputs. It does not + fetch data from external APIs, mutate external systems, or modify internal SOAR + data (entities, insights, or comments). It simply returns the calculated duration + as a JSON result. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source (Rule 1). + It is a local utility function. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1078,14 +1597,48 @@ Time Duration Calculator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + entities. It is a standalone utility function. XMLtoJson: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility function for data conversion (XML to JSON). It does + not perform any of the listed security operations (enrichment, containment, + ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **XMLtoJson** action is a utility function designed to convert XML-formatted - strings into JSON objects. This is particularly useful for parsing responses from - legacy systems or APIs that return data in XML format, allowing subsequent playbook - steps to easily access the data using JSON path notation. + The XMLtoJson action is a utility designed to convert XML formatted strings into + JSON format. This action is useful for parsing XML data within a playbook, allowing + subsequent steps to process the data as a JSON object. ### Parameters Description @@ -1094,24 +1647,24 @@ XMLtoJson: | :--- | :--- | :--- | :--- | - | **xml** | String | Yes | The XML formatted string that needs to be converted - to JSON. | + | xml | string | Yes | The XML formatted string to be converted to JSON. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the XML string provided in the - `xml` input parameter. + 1. The action extracts the `xml` parameter from the configuration. + + 2. It parses the provided XML string using the `xmltodict` library. + + 3. The resulting JSON object is added to the action result using `siemplify.result.add_result_json`. - 2. **Parsing**: It utilizes the `xmltodict` library to parse the XML string into - a structured Python dictionary. + 4. The action completes with a success or failure status. - 3. **Result Attachment**: The resulting dictionary is added to the action's execution - results as a JSON object via `add_result_json`. - 4. **Completion**: The action concludes by returning the JSON data and a success - status. If the XML is malformed and cannot be parsed, the action flags an execution - failure and returns the error message. + ### Additional Notes + + This action does not interact with any external systems or entities. It is a pure + data transformation utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -1122,8 +1675,16 @@ XMLtoJson: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility function that converts an XML string to JSON. It does + not perform any network requests, does not interact with external systems, and + does not modify any internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a data transformation utility. It does not fetch data from external + sources, nor does it modify internal data or entities. Therefore, it does not + meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1139,3 +1700,6 @@ XMLtoJson: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It processes a raw string input + provided as a parameter. diff --git a/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d68b1f945 --- /dev/null +++ b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'functions' is a collection of utility actions designed for data + manipulation, including math, string processing, time conversion, and data parsing + (JSON/XML). It also includes basic entity metadata updates, such as detecting + hash types and IP types. These actions do not interact with external security + systems, fetch threat intelligence, manage assets, or perform security-specific + operations like containment or ticketing. While some actions perform internal + enrichment by updating entity properties (e.g., adding hash type or IP type), + this does not meet the criteria for the defined product categories, which require + specific outcomes like fetching reputation data (Threat Intelligence) or retrieving + asset owner/criticality information (Asset Inventory). Therefore, the integration + does not fit into any of the predefined product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml index 2204aaf73..f30446d00 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml @@ -1,40 +1,56 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic tool to verify connectivity. It does not match any + of the provided categories (Enrich IOC, Contain Host, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity and configuration - of the GitSync integration. It ensures that the Google SecOps environment can - successfully communicate with both the internal Chronicle SOAR API and the external - Git repository (via SSH or HTTPS) using the provided credentials and settings. - - - ### Parameters Description - - This action does not have any action-specific input parameters. It utilizes the - global integration configuration parameters, such as the Repository URL, Branch, - Git Credentials, and SOAR API credentials, to perform its connectivity tests. - - - ### Flow Description - - 1. **Configuration Loading**: The action retrieves integration-level settings, - including repository details, authentication tokens, and SSL verification preferences. - - 2. **Author Format Validation**: It validates the `Commit Author` string against - a specific regex pattern (`Name `) to ensure future commits - will be valid. - - 3. **SOAR API Connectivity Test**: It attempts to connect to the Chronicle SOAR - API and retrieve the current system version. A failure here indicates incorrect - SOAR credentials or network issues. - - 4. **Git Repository Connectivity Test**: If a `Git Server Fingerprint` is provided, - the action connects to the remote Git server to verify the SSH host key and attempts - to fetch the repository's head tree. This verifies both the network path and the - Git credentials (SSH key or Token). - - 5. **Final Status**: If all checks pass, the action completes successfully, confirming - the integration is ready for use. + ### General Description The Ping action is a diagnostic tool used to verify the + connectivity and configuration of the GitSync integration. It ensures that the + Google SecOps environment can successfully communicate with both the internal + Chronicle SOAR API and the external Git repository (via SSH or HTTPS) using the + provided credentials and settings. ### Parameters Description This action does + not have any action-specific input parameters. It utilizes the global integration + configuration parameters, such as the Repository URL, Branch, Git Credentials, + and SOAR API credentials, to perform its connectivity tests. ### Flow Description + 1. Configuration Loading: The action retrieves integration-level settings, including + repository details, authentication tokens, and SSL verification preferences. 2. + Author Format Validation: It validates the Commit Author string against a specific + regex pattern (Name ) to ensure future commits will be valid. + 3. SOAR API Connectivity Test: It attempts to connect to the Chronicle SOAR API + and retrieve the current system version. A failure here indicates incorrect SOAR + credentials or network issues. 4. Git Repository Connectivity Test: If a Git Server + Fingerprint is provided, the action connects to the remote Git server to verify + the SSH host key and attempts to fetch the repository's head tree. This verifies + both the network path and the Git credentials (SSH key or Token). 5. Final Status: + If all checks pass, the action completes successfully, confirming the integration + is ready for use. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,8 +61,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs connectivity tests (GET requests) to verify the integration + setup. It does not modify any data or state. categories: enrichment: false + reasoning: >- + The action is a diagnostic Ping tool. Per instructions, Actions named Ping must + not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -62,3 +84,4 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: The action does not use entities. diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..520c2bf5b --- /dev/null +++ b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: "The git_sync integration is a platform administration and utility tool\ + \ designed for version control, configuration management, and CI/CD of the Google\ + \ SecOps SOAR platform. Its primary function is to synchronize platform assets\u2014\ + such as playbooks, integrations, jobs, and connectors\u2014between the SOAR environment\ + \ and external Git repositories. It does not perform security operations, incident\ + \ response, threat intelligence, asset management, or ITSM ticket management as\ + \ defined by the provided categories. It is strictly an administrative tool for\ + \ platform maintenance and infrastructure-as-code workflows, and therefore does\ + \ not align with any of the specified security product categories." + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..4903f402a --- /dev/null +++ b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,853 @@ +Pull Connector: + ai_description: >- + ### General Description + + This job imports a specific connector from a configured Git repository into the + Google SecOps SOAR platform. It ensures that the SOAR environment is synchronized + with version-controlled connector definitions, and optionally, their associated + visual families and mapping rules, facilitating consistent ingestion configurations + across environments. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the repository URL found + in the integration instance. | + + | Branch | String | No | Optional parameter to override the branch found in the + integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server fingerprint found in the integration instance. | + + | Connector Name | String | Yes | The name of the connector to pull from the repository. + | + + | Include Visual Families | Boolean | No | Whether to include related visual families + that the connector uses. | + + | Include Mappings | Boolean | No | Whether to include related mappings that the + connector uses. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` to interface with the Git repository and the + SOAR API. + + 2. Retrieves the specified connector definition from the Git repository. + + 3. Installs the connector into the SOAR platform. + + 4. If `Include Visual Families` is enabled, identifies and installs any missing + visual families associated with the connector. + + 5. If `Include Mappings` is enabled, installs the mapping rules associated with + the connector's integration. +Pull Content: + ai_description: >- + ### General Description + + This job synchronizes content from a Git repository to the Google SecOps (Chronicle) + SOAR platform. It enables the automated deployment and update of various system + components, including integrations, playbooks, jobs, connectors, and configuration + settings. By pulling content from a version-controlled repository, this job ensures + that the SOAR environment remains consistent with the defined infrastructure-as-code + standards. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the repository URL found + in the integration instance. | + + | Branch | String | No | Optional parameter to override the branch name found + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server fingerprint found in the integration instance. | + + | Integrations | Boolean | Yes | Pull all custom integrations and custom code. + | + + | Playbooks | Boolean | Yes | Pull all playbooks. Will add or update playbooks + based on their name. | + + | Jobs | Boolean | Yes | Pull all jobs. | + + | Connectors | Boolean | Yes | Pull all connectors. | + + | Integration Instances | Boolean | Yes | Pull all integration instances. Passwords + will be overwritten if not uploaded. | + + | Visual Families | Boolean | Yes | Pulls all visual families. | + + | Mappings | Boolean | Yes | Pulls all the mappings. | + + | Environments | Boolean | Yes | Creates or updates all environments. | + + | Dynamic Parameters | Boolean | Yes | Creates or updates all environment dynamic + parameters. | + + | Logo | Boolean | Yes | Pull custom logo. | + + | Case Tags | Boolean | Yes | Pulls all case tags. | + + | Case Stages | Boolean | Yes | Pulls all case stages. | + + | Case Title Settings | Boolean | Yes | Pulls case title settings. | + + | Case Close Reasons | Boolean | Yes | Pulls custom case close reasons. | + + | Networks | Boolean | Yes | Pull networks. | + + | Domains | Boolean | Yes | Pull domains. | + + | Custom Lists | Boolean | Yes | Pull custom lists. | + + | Email Templates | Boolean | Yes | Pull email templates. | + + | Blacklists | Boolean | Yes | Pull blocklists. | + + | SLA Records | Boolean | Yes | Pull SLA Records. | + + | Simulated Cases | Boolean | Yes | Pull simulated cases. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided job parameters to establish + a connection with the Git repository. + + 2. Extracts the enabled content features from the job configuration to determine + which components to synchronize. + + 3. Iterates through each enabled feature (e.g., Playbooks, Integrations, Jobs, + etc.). + + 4. For each feature, it retrieves the content from the Git repository and performs + the corresponding API operations (create or update) in the SOAR platform. + + 5. Utilizes an `id_validator` to ensure that existing records are correctly identified + and updated rather than duplicated. + + 6. Logs the progress of each synchronization step and completes the job. +Pull Custom Family: + ai_description: >- + ### General Description + + This job imports a specific custom visual family definition from a configured + Git repository into the Google SecOps (Chronicle) SOAR environment. It ensures + that visual family configurations, which define how entities are visualized and + related, are synchronized from version control to the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the Git repository URL + found in the integration instance. | + + | Branch | String | No | Optional parameter to override the Git branch found in + the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server SSH fingerprint found in the integration instance. | + + | Family Name | String | Yes | The name of the visual family to pull from the + repository. | + + + ### Flow Description + + 1. Initialize the `GitSyncManager` using the integration's configuration and job + parameters. + + 2. Extract the `Family Name` from the job parameters. + + 3. Query the Git repository for the specified visual family definition. + + 4. If the visual family is found, import or update the visual family record in + the SOAR system. + + 5. Log the success or failure of the import operation. +Pull Integration: + ai_description: >- + ### General Description + + This job synchronizes and installs specific integrations from a Git repository + into the Google SecOps SOAR platform. It enables users to maintain version-controlled + integrations and automate the deployment of updates or new integrations based + on a defined whitelist. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Install Whitelist | String | Yes | A comma-separated list of integration names + to pull from the repository. | + + | Repo URL | String | No | The URL of the Git repository. Overrides the value + configured in the integration instance. | + + | Branch | String | No | The Git branch to use. Overrides the value configured + in the integration instance. | + + | Git Server Fingerprint | String | No | The SSH fingerprint for Git server verification. + Overrides the value configured in the integration instance. | + + + ### Flow Description + + 1. Parses the `Install Whitelist` parameter to identify the target integrations. + + 2. Initializes the `GitSyncManager` to establish a connection with the configured + Git repository. + + 3. Iterates through the list of requested integrations. + + 4. Fetches the integration definition from the Git repository. + + 5. Installs or updates the integration in the SOAR platform. + + 6. Logs the status of each installation attempt. +Pull Jobs: + ai_description: >- + ### General Description + + This job is part of the `GitSync` integration, designed to synchronize specific + job configurations from a version-controlled Git repository into the Google SecOps + (Chronicle) SOAR platform. It enables automated deployment and updates of job + definitions, ensuring consistency across environments by pulling the latest configurations + directly from the repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Job Whitelist | String | Yes | A comma-separated list of job names to be pulled + from the Git repository. | + + | Repo URL | String | No | The URL of the Git repository. Overrides the value + defined in the integration instance. | + + | Branch | String | No | The Git branch to pull from. Overrides the value defined + in the integration instance. | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the value defined in the integration instance. | + + + ### Flow Description + + 1. Parses the `Job Whitelist` parameter to identify the specific jobs to be synchronized. + + 2. Initializes the `GitSyncManager` using the current SOAR job context and configuration + parameters. + + 3. Iterates through the list of requested job names. + + 4. Fetches the corresponding job definition from the Git repository using the + `GitContentManager`. + + 5. Installs or updates the job definition within the SOAR platform using the `GitSyncManager`. + + 6. Logs the status of each operation, providing visibility into the synchronization + process. +Pull Mappings: + ai_description: >- + ### General Description + + This job synchronizes ontology mapping rules from a Git repository to the Google + SecOps SOAR platform. It ensures that mapping configurations, including rules + and visual family associations, are kept consistent with the version-controlled + definitions stored in the repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the Git repository URL + found in the integration instance. | + + | Branch | String | No | Optional parameter to override the branch name found + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server SSH fingerprint found in the integration instance. | + + | Source | String | Yes | The mapping source identifier (e.g., integration name + or vendor) to pull from the repository. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided configuration and credentials. + + 2. Fetches the mapping definitions (rules and records) for the specified `Source` + from the Git repository. + + 3. Installs or updates the mapping rules and visual family associations in the + SOAR platform based on the fetched data. +Pull Playbook: + ai_description: >- + ### General Description + + The **Pull Playbook** job is a utility within the GitSync integration designed + to synchronize specific automation workflows from a Git repository to the Google + SecOps SOAR platform. It enables users to selectively pull and install playbooks + and their associated blocks, ensuring that automation logic remains consistent + and up-to-date with the version-controlled repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | The URL of the Git repository. Overrides the instance-level + setting if provided. | + + | Branch | String | No | The specific Git branch to pull from. Overrides the instance-level + setting if provided. | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the instance-level setting if provided. | + + | Playbook Whitelist | String | Yes | A comma-separated list of playbook names + to be pulled from the repository. | + + | Include Playbook Blocks | Boolean | Yes | If set to True, the job will also + pull and install any blocks associated with the specified playbooks. | + + + ### Flow Description + + 1. **Initialization**: The job initializes the `GitSyncManager` using the provided + job parameters and integration settings. + + 2. **Parsing**: It parses the `Playbook Whitelist` parameter to identify the target + playbooks. + + 3. **Fetching**: For each playbook in the whitelist: + * Retrieves the playbook definition from the Git repository. + * If `Include Playbook Blocks` is enabled, it recursively identifies and retrieves + all blocks involved in the playbook. + 4. **Installation**: Once all required playbooks and blocks are collected, the + job invokes the `GitSyncManager` to install or update these workflows within the + SOAR platform. +Pull Simulated Cases: + ai_description: >- + ### General Description + + This job imports specific simulated cases from a configured Git repository into + the Google SecOps (SOAR) platform. It enables users to synchronize test or simulation + data stored in version control directly into the SOAR environment for investigation + testing or training purposes. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Simulated Cases | String | Yes | A comma-separated list of simulated case names + to pull from the repository. | + + | Repo URL | String | No | The URL of the Git repository. Overrides the value + configured in the integration instance. | + + | Branch | String | No | The Git branch to use. Overrides the value configured + in the integration instance. | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the value configured in the integration instance. | + + + ### Flow Description + + 1. Extracts the list of simulated case names from the job parameters. + + 2. Initializes the `GitSyncManager` to establish a connection with the configured + Git repository. + + 3. Iterates through each requested case name provided in the input. + + 4. Retrieves the specific case definition from the Git repository using the `GitContentManager`. + + 5. Imports the retrieved case definition into the SOAR platform via the API. + + 6. Logs the success or failure of each case import operation. +Push Connectors: + ai_description: >- + ### General Description + + This job exports specific connector configurations from Google SecOps to a configured + Git repository. It enables version control for connector definitions, allowing + users to synchronize their connector settings, including optional associated ontology + mappings and visual families, to a remote Git branch. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message for the Git push operation. | + + | Connectors | String | Yes | A comma-separated list of connector display names + to export. | + + | Branch | String | No | The target Git branch (overrides integration settings). + | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides integration settings). | + + | Repo URL | String | No | The URL of the Git repository (overrides integration + settings). | + + | Commit Author | String | No | The author name and email for the commit (overrides + integration settings). | + + | Include Visual Families | Boolean | No | Whether to include related visual families + in the export. | + + | Include Mappings | Boolean | No | Whether to include related ontology mappings + in the export. | + + | Readme Addon | String | No | Markdown content to append to the connector's README + file. | + + + ### Flow Description + + 1. Initializes the GitSyncManager using the provided job parameters and integration + settings. + + 2. Retrieves the list of installed connectors from the SOAR platform. + + 3. Filters the connectors based on the provided Connectors parameter. + + 4. For each matching connector: + * Optionally adds a README addon if provided. + * Pushes the connector definition to the Git repository. + * If Include Mappings is enabled, fetches and pushes associated ontology mappings. + * If Include Visual Families is enabled, fetches and pushes associated visual + families. + 5. Commits the changes to the Git repository with the specified commit message + and pushes them to the remote branch. +Push Content: + ai_description: >- + ### General Description + + This job synchronizes various configuration and content items from the Google + SecOps (Chronicle) SOAR platform to a Git repository. It serves as a version control + and backup mechanism for the platform's assets, ensuring that changes to integrations, + playbooks, jobs, and other settings are tracked and stored in a remote Git repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message for the Git push. | + + | Repo URL | String | No | Optional override for the Git repository URL. | + + | Branch | String | No | Optional override for the Git branch. | + + | Git Server Fingerprint | String | No | Optional override for the Git server + fingerprint. | + + | Commit Author | String | No | Optional override for the commit author. | + + | Commit Passwords | Boolean | Yes | If true, commits passwords to the repository + (use with caution). | + + | Integrations | Boolean | Yes | Push all integrations. | + + | Playbooks | Boolean | Yes | Push all playbooks. | + + | Jobs | Boolean | Yes | Push all defined jobs. | + + | Connectors | Boolean | Yes | Push all defined connectors. | + + | Integration Instances | Boolean | Yes | Push all integration instances. | + + | Visual Families | Boolean | Yes | Push all visual families. | + + | Mappings | Boolean | Yes | Push all mappings. | + + | Environments | Boolean | Yes | Push all environments. | + + | Dynamic Parameters | Boolean | Yes | Push all dynamic parameters. | + + | Logo | Boolean | Yes | Push logo settings. | + + | Case Tags | Boolean | Yes | Push all case tags. | + + | Case Stages | Boolean | Yes | Push Case stages. | + + | Case Title Settings | Boolean | Yes | Push case title settings. | + + | Case Close Reasons | Boolean | Yes | Push all case close reasons. | + + | Networks | Boolean | Yes | Push all networks. | + + | Domains | Boolean | Yes | Push all domain records. | + + | Custom Lists | Boolean | Yes | Push all custom lists. | + + | Email Templates | Boolean | Yes | Push all email templates. | + + | Blacklists | Boolean | Yes | Push all blocklist records. | + + | SLA Records | Boolean | Yes | Push all SLA Records. | + + | Simulated Cases | Boolean | Yes | Push all simulated cases. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided job parameters and credentials. + + 2. Iterates through the enabled content types (e.g., Integrations, Playbooks, + Jobs, Connectors, etc.) as specified by the job parameters. + + 3. For each enabled content type, fetches the corresponding data from the SOAR + platform. + + 4. Performs necessary data sanitization, such as removing sensitive information + or adjusting identifiers for integration instances. + + 5. Updates the local Git repository with the fetched and processed content. + + 6. Commits the changes to the Git repository using the provided commit message. + + 7. Pushes the commit to the remote Git repository. +Push Custom Family: + ai_description: >- + ### General Description + + This job exports specific custom visual families from the Google SecOps environment + to a configured Git repository. It facilitates version control for custom visual + families, allowing users to push updates to a remote Git branch with optional + custom readme documentation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message for the Git operation. | + + | Family Name | String | Yes | The name(s) of the visual family to push (comma-separated). + | + + | Repo URL | String | No | Optional override for the Git repository URL. | + + | Branch | String | No | Optional override for the target Git branch. | + + | Git Server Fingerprint | String | No | Optional override for the Git server + SSH fingerprint. | + + | Commit Author | String | No | Optional override for the commit author (format: + Name ). | + + | Readme Addon | String | No | Markdown content to append to the visual family's + README.md file. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided integration settings. + + 2. Retrieves all custom visual families from the Google SecOps environment. + + 3. Filters the retrieved families to match the names provided in the `Family Name` + parameter. + + 4. If a `Readme Addon` is provided, updates the `GitSync.json` metadata file for + the corresponding visual family. + + 5. Pushes the visual family data (JSON definition and image) to the Git repository. + + 6. Commits the changes to the Git repository with the specified commit message + and pushes them to the remote branch. +Push Integration: + ai_description: >- + ### General Description + + This job synchronizes selected integrations from the Google SecOps environment + to a configured Git repository. It enables automated version control for integrations + by allowing users to specify a whitelist of integrations to push, customize README + documentation, and commit changes to a designated branch. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message for the Git push operation. | + + | Push Whitelist | String | Yes | A comma-separated list of integration identifiers + to push to the repository. | + + | Repo URL | String | No | The URL of the Git repository (overrides instance settings). + | + + | Branch | String | No | The target Git branch (overrides instance settings). + | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides instance settings). | + + | Commit Author | String | No | The author name and email for the commit (overrides + instance settings). | + + | Readme Addon | String | No | Markdown content to append to the README file of + the pushed integrations. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided configuration parameters. + + 2. Parses the `Push Whitelist` to identify which integrations to process. + + 3. Retrieves the list of available integrations from the Google SecOps IDE. + + 4. Iterates through the whitelisted integrations: + - Exports the integration package. + - Optionally appends the `Readme Addon` to the integration's metadata file + (`GitSync.json`). + - Pushes the integration files to the Git repository. + 5. Commits the changes to the Git repository with the provided `Commit` message + and pushes them to the remote server. +Push Job: + ai_description: >- + ### General Description + + This job automates the synchronization of specific Google SecOps (Chronicle) jobs + to a remote Git repository. It allows users to select specific jobs via a whitelist, + apply custom documentation (readme addons), and commit these changes to a version-controlled + repository to maintain a backup or version history of job configurations. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message used for the Git push operation. + | + + | Job Whitelist | String | Yes | A comma-separated list of job names to be pushed + to the repository. | + + | Repo URL | String | No | The URL of the Git repository (overrides the integration + instance setting). | + + | Branch | String | No | The target Git branch (overrides the integration instance + setting). | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides the integration instance setting). | + + | Commit Author | String | No | The author name and email for the commit (overrides + the integration instance setting). | + + | Readme Addon | String | No | Markdown content to append to the readme file of + the pushed jobs. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the current job context to handle Git + operations and API communication. + + 2. Extracts configuration parameters, including the commit message, job whitelist, + and optional readme addon. + + 3. Retrieves all installed jobs from the SOAR platform. + + 4. Filters the retrieved jobs against the `Job Whitelist` and a predefined `IGNORED_JOBS` + list, ensuring jobs belonging to the `GitSync` integration itself are excluded. + + 5. For each matching job, optionally updates its metadata with the provided `Readme + Addon` and pushes the job definition to the Git repository. + + 6. Generates a root readme file to reflect the current state of all jobs in the + repository. + + 7. Commits the changes with the provided `Commit` message and pushes them to the + remote Git repository. +Push Mappings: + ai_description: "### General Description\nThe \"Push Mappings\" job is a utility\ + \ designed to export mapping configurations\u2014specifically ontology records\ + \ and their associated rules\u2014from the Google SecOps (Chronicle) SOAR platform\ + \ to a version-controlled Git repository. This job facilitates the synchronization\ + \ and backup of mapping definitions, enabling teams to manage their ingestion\ + \ mappings through Git-based workflows.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Commit\ + \ | String | Yes | The commit message for the Git push operation. |\n| Repo URL\ + \ | String | No | Optional override for the Git repository URL. |\n| Branch |\ + \ String | No | Optional override for the Git branch name. |\n| Git Server Fingerprint\ + \ | String | No | Optional override for the Git server SSH fingerprint. |\n| Commit\ + \ Author | String | No | Optional override for the commit author. |\n| Source\ + \ | String | Yes | The source name of the mappings to export. |\n| Readme Addon\ + \ | String | No | Markdown content to append to the generated README file for\ + \ these mappings. |\n\n### Flow Description\n1. Initializes the `GitSyncManager`\ + \ using the job's configuration parameters.\n2. Queries the SOAR platform for\ + \ all ontology records and filters them by the specified `Source` parameter.\n\ + 3. Retrieves the associated mapping rules (family and system fields) for the filtered\ + \ records.\n4. Filters the retrieved rules to ensure they match the specified\ + \ `Source`.\n5. If a `Readme Addon` is provided, updates the GitSync metadata\ + \ file with the additional markdown content.\n6. Packages the mapping records\ + \ and rules into a `Mapping` object and pushes them to the Git repository.\n7.\ + \ Commits the changes to the repository using the provided `Commit` message." +Push Playbook: + ai_description: >- + ### General Description + + This job exports selected playbooks and their associated blocks from the Google + SecOps SOAR environment to a configured Git repository. It enables version control + and synchronization of playbook definitions, ensuring that changes made in the + SOAR environment are tracked and stored in a remote Git repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Branch | String | No | The target Git branch to push changes to. | + + | Commit | String | Yes | The commit message to be used for the push operation. + | + + | Repo URL | String | No | The URL of the Git repository. | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + for secure connection verification. | + + | Commit Author | String | No | The author name and email for the commit (format: + Name ). | + + | Folders Whitelist | String | No | A comma-separated list of playbook folders + to include in the sync. | + + | Playbook Whitelist | String | No | A comma-separated list of specific playbook + names to include in the sync. | + + | Readme Addon | String | No | Markdown content to append to the README file of + all playbooks pushed during this run. | + + | Include Playbook Blocks | Boolean | Yes | If true, automatically includes and + pushes all blocks involved in the selected playbooks. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided configuration parameters + to establish a connection with the Git repository and the SOAR API. + + 2. Retrieves the list of all installed playbooks from the SOAR environment. + + 3. Filters the retrieved playbooks based on the provided `Playbook Whitelist` + and `Folders Whitelist`. + + 4. Iterates through the filtered playbooks: + * If a `Readme Addon` is provided, it updates the GitSync metadata for the + playbook. + * Updates the instance names within the playbook steps to ensure consistency. + * Pushes the playbook definition to the Git repository. + * If `Include Playbook Blocks` is enabled, identifies all blocks involved + in the playbook and pushes them to the repository as well. + 5. Generates and updates the root README file in the repository to reflect the + current state of the synced content. + + 6. Commits the changes to the local Git repository using the provided `Commit` + message and `Commit Author`. + + 7. Pushes the committed changes to the remote Git repository. +Push Simulated Cases: + ai_description: >- + ### General Description + + This job exports specific simulated cases from Google SecOps to a configured Git + repository. It enables version control for simulated cases by synchronizing them + with a remote Git branch. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message for the Git push. | + + | Repo URL | String | No | The URL of the Git repository (overrides instance setting). + | + + | Branch | String | No | The target Git branch (overrides instance setting). | + + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides instance setting). | + + | Commit Author | String | No | The author name and email for the commit (overrides + instance setting). | + + | Simulated Cases | String | Yes | A comma-separated list of simulated case names + to export. | + + + ### Flow Description + + 1. Extracts job parameters, including the commit message and the list of simulated + cases to export. + + 2. Initializes the GitSyncManager to handle Git repository interactions. + + 3. Retrieves all available simulated cases from the Google SecOps environment. + + 4. Filters the retrieved cases to match the list provided in the Simulated Cases + parameter. + + 5. Exports the data for each matching case and pushes it to the Git repository. + + 6. Commits the changes to the Git repository with the provided commit message + and pushes them to the remote branch. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml index 78b470c6a..7dc537ce7 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml @@ -1,53 +1,88 @@ Convert File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a file conversion utility that performs local file operations. + It does not match any of the defined categories such as enriching IOCs, containing + hosts, or managing tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Converts files between PNG and PDF formats on a Remote Agent. This action allows - for the transformation of image and document formats directly on the filesystem - where the Remote Agent is deployed. It is particularly useful for workflows that - require file format standardization before further processing, such as OCR or - report generation. + ### General Description + The Convert File action is a utility that converts files between PNG and PDF formats. + This action is designed to normalize file types for further analysis or reporting + within the SOAR platform. It performs the conversion locally on a Remote Agent. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Input File Format | DDL | Yes | The original format of the file to be converted. - Supported values: PDF, PNG. | + | Input File Format | DDL | Yes | The original format of the file (PNG or PDF). + | + + | Input File Path | String | Yes | The path to the file that the action converts. + | + + | Output File Format | DDL | Yes | The resulting format of the file after the + conversion process (PNG or PDF). | + + + ### Additional Notes + + * This action requires a Remote Agent to function correctly. - | Input File Path | String | Yes | The absolute path to the source file on the - Remote Agent's filesystem. | + * The input and output file formats cannot be the same. - | Output File Format | DDL | Yes | The desired format for the resulting file. - Supported values: PNG, PDF. | + * The action relies on `pdf2image` (which requires `pdftoppm` to be installed) + for PDF to PNG conversion and `PIL` (Pillow) for PNG to PDF conversion. ### Flow Description - 1. **Environment Validation**: Checks if the action is running on a Remote Agent; - if not, it raises an error. + 1. The action validates that it is running on a Remote Agent. - 2. **Parameter Validation**: Verifies that the input file exists at the specified - path and ensures the input and output formats are not the same. + 2. It extracts the `Input File Path`, `Input File Format`, and `Output File Format` + parameters. - 3. **File Conversion**: - - **PDF to PNG**: Uses the `pdf2image` library (requiring `pdftoppm`) to convert - the first page of the PDF into a PNG image. - - **PNG to PDF**: Uses the `PIL` (Pillow) library to convert the PNG image - into a PDF document. - 4. **Result Generation**: Saves the converted file to a temporary directory with - a timestamped filename and returns the new file path and format in the action's - JSON results. + 3. It verifies the existence of the source file at the provided path. + 4. It validates that the input and output formats are different. - ### Additional Notes + 5. It determines the conversion logic based on the requested output format (PDF + to PNG or PNG to PDF). - - This action requires a Remote Agent to function as it interacts with the local - filesystem. + 6. It performs the conversion using the appropriate library (`pdf2image` or `PIL`). - - For PDF to PNG conversion, the `poppler-utils` package (specifically `pdftoppm`) - must be installed on the Remote Agent host. + 7. It saves the converted file to a temporary directory and returns the path of + the new file in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,8 +93,17 @@ Convert File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local file conversion on a Remote Agent. It does not interact + with external APIs (no `fetches_data`), does not modify external system states + (no `can_mutate_external_data`), and does not interact with the SOAR case data + (no `can_mutate_internal_data`, `can_update_entities`, etc.). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it enrich entities + or modify the SOAR case. It is a file conversion utility. Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,11 +119,47 @@ Convert File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific identifiers. + It operates on a file path provided as a parameter. Therefore, it does not run + on any entity types. OCR Image: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility that performs OCR on an image. It does not match any + of the defined security-specific product categories such as IOC enrichment, + asset enrichment, ticket management, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Extracts text from image files using Optical Character Recognition (OCR). This - action leverages the Tesseract OCR engine to process images provided either as - a Base64 encoded string or via a local file path on a Remote Agent. + The OCR Image action performs optical character recognition (OCR) on an image + file to extract text. This action requires a Remote Agent with the `tesseract-ocr` + package installed. ### Parameters @@ -88,40 +168,34 @@ OCR Image: | :--- | :--- | :--- | :--- | - | Base64 Encoded Image | String | No | The base64 encoded string of the image - file. If provided, this is processed first. | + | Base64 Encoded Image | string | false | The base64 encoded string of the image + file. | - | File Path | String | No | The path to the image file on the Remote Agent's file - system. | + | File Path | string | false | The path to the image file. | ### Additional Notes - - Either **Base64 Encoded Image** or **File Path** must be configured for the - action to run. - - - This action **must** be executed on a Remote Agent. - - - The Remote Agent must have the `tesseract-ocr` package installed (e.g., via - `apt-get install -y tesseract-ocr`). + Either "Base64 Encoded Image" or "File Path" must be provided. If both are provided, + "Base64 Encoded Image" takes precedence. This action must be executed on a Remote + Agent. ### Flow Description - 1. **Environment Validation**: Verifies that the action is executing on a Remote - Agent. + 1. Validate that the action is running on a Remote Agent. + + 2. Extract and validate the input parameters ("Base64 Encoded Image" or "File + Path"). - 2. **Parameter Extraction**: Retrieves the image data (Base64) or the file path - from the action configuration. + 3. If "Base64 Encoded Image" is provided, decode it and save it to a temporary + file. - 3. **Image Preparation**: If a Base64 string is provided, it is decoded and written - to a temporary PNG file. Otherwise, the provided file path is used. + 4. If "File Path" is provided, use the file directly. - 4. **OCR Processing**: Invokes the `pytesseract` library to perform OCR on the - image file and extract text content. + 5. Execute the Tesseract OCR engine on the image file to extract text. - 5. **Result Output**: Trims the extracted text and returns it within the `extracted_text` - field of the JSON result. + 6. Return the extracted text in the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -132,8 +206,17 @@ OCR Image: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local computation (OCR) on an image file. It does not + fetch external data, mutate external systems, or modify internal SecOps data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action performs a local computation (OCR) on an image file. It does not + fetch external data, mutate external systems, or modify internal SecOps data + (entities, insights, etc.). Therefore, it does not meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -149,48 +232,69 @@ OCR Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + It processes input parameters directly to perform OCR on an image file. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic tool for verifying the Remote Agent environment (Tesseract + and Playwright availability). It does not perform any operational tasks like + enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity and environment readiness for the Image Utilities integration. - This action specifically validates that the execution environment is a Google - SecOps Remote Agent and checks for the presence of critical local dependencies: - the Tesseract OCR engine and Playwright browser binaries (Chromium). It is used - to ensure that the system is correctly configured to perform image processing - and web content rasterization tasks. - - - ### Parameters Description + The Ping action verifies the environment configuration for the Image Utilities + integration on the Remote Agent. It ensures that the necessary dependencies, specifically + Tesseract OCR and Playwright (with Chromium), are correctly installed and accessible. + This action is used for troubleshooting and validating that the Remote Agent is + ready to perform image processing tasks. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not require any input parameters. | + ### Flow Description + 1. Validates that the action is executing on a Remote Agent. - ### Additional Notes + 2. Checks for the presence and version of the Tesseract OCR engine. - This action must be executed on a Remote Agent. If dependencies are missing, the - action provides specific shell commands in the error message to help administrators - resolve the issues within the container environment. + 3. Attempts to launch a headless Chromium browser via Playwright to verify browser + binary availability. - ### Flow Description + ### Parameters - 1. **Environment Validation**: Verifies that the action is running on a Remote - Agent by checking the environment context. + There are no user-configurable parameters for this action. - 2. **Tesseract Verification**: Attempts to retrieve the Tesseract version using - the `pytesseract` library to confirm the OCR engine is installed and accessible. - 3. **Playwright Verification**: Attempts to launch a headless Chromium instance - using the Playwright library to confirm browser binaries and system dependencies - are correctly installed. + ### Additional Notes - 4. **Result Reporting**: Returns a success message if all checks pass, or raises - an informative error with installation instructions if dependencies are missing. + This action is a diagnostic tool and does not interact with external APIs or Google + SecOps entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,8 +305,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local environment validation (Tesseract and Playwright checks) + on the Remote Agent. It does not interact with external APIs, modify SOAR entities, + or change any system state. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed to verify environment configuration. + Per the instructions, 'Actions named Ping must not be categorized as enrichment + actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -218,84 +330,110 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities; it is a diagnostic tool for the + Remote Agent environment. Rasterize Content: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action rasterizes content and attaches it to the case. It does not perform + any of the listed actions like enriching IOCs, updating alerts, or managing + tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - The Rasterize Content action converts vector or complex content, such as URLs, - raw HTML, or Email bodies, into fixed bitmap image formats (PNG) or PDF documents. - This action is particularly useful for capturing visual evidence of phishing sites, - rendered emails, or web-based reports directly into a security case. It utilizes - a headless Chromium browser (via Playwright) to ensure accurate rendering of dynamic - content. - + The **Rasterize Content** action converts vector or complex content (URLs, HTML, + or Email bodies) into bitmap image formats (PNG or PDF) using a headless browser + (Playwright). This action is useful for capturing visual evidence of web content + for forensic analysis or documentation. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Default | Description | + 1. **Validation**: The action validates all input parameters and ensures it is + running on a Remote Agent. - | :--- | :--- | :--- | :--- | :--- | + 2. **Preparation**: It prepares the input content based on the selected `Input + Type` (URL, HTML, or Email). - | Input Type | DDL | Yes | HTML | Specifies the format of the input: 'URL' (fetches - a webpage), 'HTML' (renders raw HTML), or 'Email' (renders email content). | + 3. **Initialization**: It initializes a Playwright browser instance. - | URLs or Body | String | Yes | N/A | The actual content to process. Provide a - comma-separated list for URLs, or the full text/HTML body for other types. | + 4. **Rendering**: It navigates to the URL or sets the HTML content, waits for + the specified state (e.g., `NETWORK_IDLE`) or a CSS selector, and renders the + page. - | Output Type | DDL | No | PNG | The desired output format: 'PNG', 'PDF', or 'Both'. - | + 5. **Rasterization**: It captures a screenshot (PNG) or generates a PDF based + on the `Output Type`. - | Export Method | DDL | No | Case Attachment | Determines where to save the result: - 'Case Attachment' (adds to the SOAR case), 'File Path' (returns the local path), - or 'Both'. | + 6. **Export**: It exports the generated files based on the `Export Method` (attaching + them to the current case or returning the file path). - | Width | String | Yes | 1920 | The browser viewport width in pixels. | + 7. **Cleanup**: It closes the browser instance. - | Height | String | Yes | 1080 | The browser viewport height in pixels (ignored - if 'Full Screen' is enabled). | - | Full Screen | Boolean | Yes | False | If true, the action captures the entire - scrollable height of the content rather than just the viewport. | + ### Parameters - | Timeout | String | No | 120 | Maximum time in seconds to wait for the page to - render. | + | Parameter | Type | Mandatory | Description | - | Wait For | DDL | No | NETWORK_IDLE | The browser state to reach before capturing: - 'LOAD', 'DOM_CONTENT_LOADED', 'NETWORK_IDLE', or 'COMMIT'. | + | :--- | :--- | :--- | :--- | - | Wait for Selector | String | No | N/A | A CSS selector that must become visible - on the page before the capture occurs. | + | `Input Type` | DDL | Yes | The type of content to rasterize (URL, HTML, Email). + | + | `URLs or Body` | String | Yes | The content to be rasterized (URL list or content + body). | - ### Additional Notes + | `Output Type` | DDL | No | The output format (PNG, PDF, Both). Default: PNG. + | - - **Remote Agent Required:** This action must run on a Remote Agent because it - requires specific browser binaries (Playwright/Chromium) not present in the default - cloud environment. + | `Export Method` | DDL | No | The method to output the content (Case Attachment, + File Path, Both). Default: Case Attachment. | - - **Environment Setup:** Ensure Playwright and Chromium dependencies are installed - on the Remote Agent as described in the action's error messages if execution fails. + | `Width` | String | Yes | The width in pixels. Default: 1920. | + | `Height` | String | Yes | The height in pixels. Default: 1080. | - ### Flow Description + | `Full Screen` | Boolean | Yes | If true, renders the entire page. Default: false. + | - 1. **Validation:** The action verifies it is running on a Remote Agent and validates - all input parameters. + | `Timeout` | String | No | Max time in seconds for rendering. Default: 120. | - 2. **Input Preparation:** Depending on the 'Input Type', it either parses a list - of URLs or wraps HTML/Email content into a renderable format. + | `Wait For` | DDL | No | Browser state to wait for (LOAD, DOM_CONTENT_LOADED, + NETWORK_IDLE, COMMIT). Default: NETWORK_IDLE. | - 3. **Browser Initialization:** Launches a headless Chromium instance using Playwright - with the specified viewport dimensions. + | `Wait for Selector` | String | No | CSS selector to wait for before capturing. + | - 4. **Content Rendering:** Navigates to the URL or loads the HTML content, waiting - for the specified 'Wait For' state and/or the 'Wait for Selector' to appear. - 5. **Capture:** Generates a PNG screenshot and/or a PDF document based on the - 'Output Type'. If 'Full Screen' is active, it calculates the full page height - before capturing. + ### Additional Notes - 6. **Export:** Attaches the generated files to the Google SecOps case and/or provides - the file paths in the action's JSON results. + This action requires a Remote Agent to function, as it relies on Playwright browser + binaries. capabilities: can_create_case_comments: false can_create_insight: false @@ -304,12 +442,19 @@ Rasterize Content: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - The action adds the generated PNG or PDF files as attachments to the current - Google SecOps case. + Adds generated rasterized images (PNG/PDF) as attachments to the current case. + reasoning: >- + The action does not fetch contextual data about entities or alerts (it fetches + web content for rendering, not for enrichment). It does not mutate external + systems. It performs an internal mutation by attaching generated files to the + current case. categories: enrichment: false + reasoning: >- + The action does not fetch contextual data about entities or alerts, nor does + it perform any enrichment. It is a utility action for rasterizing content. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -325,3 +470,6 @@ Rasterize Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses input parameters to define + the content to be rasterized. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5f01ee541 --- /dev/null +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The image_utilities integration provides utility functions for file manipulation, + including OCR, file format conversion, and content rasterization. These actions + are designed to support playbook workflows by processing data locally on a Remote + Agent. The integration does not perform security-specific tasks such as log analysis + (SIEM), host containment (EDR), network traffic blocking (Network Security), IOC + enrichment (Threat Intelligence), email management (Email Security), identity + management (IAM), cloud resource management (Cloud Security), ticket management + (ITSM), vulnerability scanning (Vulnerability Management), asset inventory management + (Asset Inventory), or collaboration/notification tasks. Therefore, it does not + align with any of the defined product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml index 24b0af2c1..020ed3532 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml @@ -1,56 +1,74 @@ Create Entity Insight From Enrichment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an entity insight based on existing entity data. It does + not match any of the specific product categories like enrichment, containment, + or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action generates entity insights within Google SecOps by populating a template - message with data retrieved from an entity's enrichment fields (`additional_properties`). - It is primarily used to surface specific details from previous enrichment steps - (such as Active Directory attributes or Threat Intelligence scores) directly onto - the entity's insight panel for better visibility during investigation. + This action creates an entity insight for target entities based on a provided + message template. It parses the message template using data found in the entity's + `additional_properties`. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Message | string | Yes | A template string containing placeholders in curly - braces (e.g., `{AD_DisplayName}`). These placeholders must match keys found in - the entity's `additional_properties` dictionary. | + | Message | string | Yes | The template string for the insight message. Supports + placeholders (e.g., `{key_path}`). | - | Triggered By | string | No | The name of the integration or source to be displayed - as the creator of the insight. Defaults to "Siemplify". | + | Triggered By | string | No | The name of the integration or source triggering + the insight. Defaults to "Siemplify". | ### Flow Description - 1. **Parameter Retrieval**: The action retrieves the template `Message` and the - `Triggered By` source name from the action configuration. + 1. Retrieve the `Message` template and `Triggered By` parameter. - 2. **Entity Iteration**: The script iterates through all target entities in the - current scope. + 2. Iterate through all `target_entities`. - 3. **Template Parsing**: For each entity, the `parse_raw_message` utility is called. - This utility maps the placeholders defined in the `Message` parameter to the corresponding - values stored in the entity's `additional_properties` attribute. + 3. For each entity, parse the `Message` template by replacing placeholders with + values from the entity's `additional_properties`. - 4. **Insight Creation**: If the message is successfully populated with data, the - action creates an entity insight using the `add_entity_insight` method, attributing - it to the specified trigger source. + 4. If a message is successfully generated, create an entity insight using `siemplify.add_entity_insight`. - 5. **Final Reporting**: The action completes by providing a summary of all entities - that successfully received an insight. + 5. Return the execution result. ### Additional Notes - - This action is dependent on data being present in the `additional_properties` - of the entity. This typically requires a preceding enrichment action (e.g., "Active - Directory Get User Details") to have run in the playbook. - - - If the template parsing results in a valid message, the insight is added; otherwise, - the entity is skipped. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: true @@ -61,10 +79,17 @@ Create Entity Insight From Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on provided templates - and existing entity enrichment data. + Adds an entity insight to the target entities within the SOAR platform. + reasoning: >- + The action iterates over target entities, parses a message template using the + entity's `additional_properties`, and creates an entity insight. It does not + fetch external data or mutate external systems. It mutates internal SOAR data + by adding an insight. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it does not meet + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -115,65 +140,60 @@ Create Entity Insight From Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` without any filtering, + meaning it processes all entity types. Create Entity Insight From JSON: - ai_description: >- - ### General Description - - The **Create Entity Insight From JSON** action allows users to generate custom - entity insights within Google SecOps by processing a provided JSON string. This - utility action is designed to map data from a JSON object (often produced by a - previous playbook step) to specific entities in a case, formatting that data into - a readable insight message. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **JSON** | String | Yes | The raw JSON string containing the data to be used - for the insight. | - - | **Identifier KeyPath** | String | Yes | The dot-notation path (e.g., `user.email` - or `id`) within the JSON object that corresponds to the entity's identifier for - matching. | - - | **Message** | String | Yes | A template for the insight message. Use curly braces - `{}` to reference keys in the JSON (e.g., `{status}`). Supports pipes for transformations - like `| count()`, `| to_str()`, or `| join()`. | - - | **Triggered By** | String | No | Specifies the integration name to be associated - with the insight. Defaults to 'Siemplify'. | - - - ### Flow Description - - 1. **JSON Parsing**: The action parses the input `JSON` parameter into a structured - object. - - 2. **Entity Matching**: The action iterates through all entities in the current - Google SecOps case. For each entity, it searches the provided JSON data for a - record where the value at the specified `Identifier KeyPath` matches the entity's - identifier (case-insensitive). - - 3. **Message Templating**: If a match is found, the action extracts the relevant - data from the JSON and populates the `Message` template. It resolves placeholders - and applies any specified pipe functions (e.g., `count` to get list length, `join` - to concatenate arrays). - - 4. **Insight Creation**: The final formatted message is added as an entity insight - to the matching entity in the case, attributed to the integration specified in - `Triggered By`. - - - ### Additional Notes - - - The `Identifier KeyPath` supports nested objects using dot notation (e.g., `data.user.id`). - - - The `Message` parameter supports advanced formatting via the `ToolsCommon` library, - allowing for default values and complex data transformations within the insight - text. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an entity insight based on provided JSON data. It does not + match any of the predefined product categories (e.g., Enrich IOC, Contain Host, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Creates entity insights by parsing a provided JSON string and mapping\ + \ it to entities within the case. \n\n### Flow Description\n1. **Load Input**:\ + \ The action loads the provided JSON string from the `JSON` parameter.\n2. **Iterate\ + \ Entities**: It iterates through all target entities in the case.\n3. **Match\ + \ Entities**: For each entity, it attempts to find a matching record in the JSON\ + \ data using the provided `Identifier KeyPath`.\n4. **Parse Message**: If a match\ + \ is found, it parses the `Message` template, replacing placeholders (e.g., `{key_path|function}`)\ + \ with the corresponding values from the matched JSON data.\n5. **Add Insight**:\ + \ It adds the generated message as an entity insight to the matched entity.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| JSON | string | Yes | The JSON string containing\ + \ the data to be used for insights. |\n| Identifier KeyPath | string | Yes | The\ + \ path in the JSON to find the entity identifier for matching. |\n| Message |\ + \ string | Yes | The template string for the insight, supporting placeholders.\ + \ |\n| Triggered By | string | No | The integration name to associate with the\ + \ insight. |\n\n### Additional Notes\n- The action does not perform any external\ + \ API calls; it processes the provided JSON input locally.\n- The `Identifier\ + \ KeyPath` should be provided as a dot-separated path (e.g., `data.user.id`)." capabilities: can_create_case_comments: false can_create_insight: true @@ -183,11 +203,19 @@ Create Entity Insight From JSON: can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on the provided - JSON data. + internal_data_mutation_explanation: Adds entity insights to the SOAR case. + reasoning: >- + The action processes provided JSON data and adds insights to entities within + the SOAR platform. It does not fetch data from external systems (fetches_data=false), + nor does it mutate external systems (can_mutate_external_data=false). It performs + an internal mutation by adding entity insights (can_mutate_internal_data=true, + can_create_insight=true). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source; it processes + provided JSON input. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: - ADDRESS @@ -230,7 +258,7 @@ Create Entity Insight From JSON: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -238,77 +266,96 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` and matches them against + the provided JSON data using the `Identifier KeyPath`. It does not filter by + entity type or any other entity attribute, so it supports all entity types. "Create Entity Insight From Multiple JSONs": + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for formatting and displaying data as insights. It + does not perform enrichment, containment, ticketing, or alert modification operations, + so it does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates formatted Entity Insights within Google SecOps by parsing - multiple JSON strings provided as input. It is primarily used to transform raw - JSON data (often retrieved from previous enrichment steps in a playbook) into - human-readable tables or lists associated with specific entities in the case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + The **Create Entity Insight From Multiple JSONs** action is a utility tool designed + to parse and format structured JSON data into readable HTML insights attached + to target entities within the SOAR platform. It allows analysts to consolidate + information from multiple sources (up to five distinct JSON inputs) and present + them as organized tables or text blocks directly on the entity's insight wall. - | JSON1 - JSON5 | String | No | JSON strings containing lists of objects. Each - object must include an "Entity" key (matching the entity identifier) and an "EntityResult" - key (containing the data to parse). | - | Fields1 - Fields5 | String | No | Extraction logic for the corresponding JSON. - Format: `Label:path.to.key`. Multiple entries are separated by the 'Placeholder - Separator'. Supports advanced pipes like `count()`, `to_str()`, and `join()`. - | - - | Title1 - Title5 | String | No | The title used for the insight section created - from the corresponding JSON/Fields pair. Note: A title must be provided for a - JSON/Fields set to be processed. | + ### Flow Description - | Placeholder Separator | String | No | The character used to separate multiple - field definitions in the 'Fields' parameters. Default is a comma (`,`). | + 1. **Initialization**: The action retrieves the provided JSON strings, field definitions, + and section titles from the action parameters. + 2. **Data Processing**: It iterates through each target entity in the case. - ### Additional Notes + 3. **Extraction**: For each entity, it attempts to locate matching data within + the provided JSON strings by comparing the entity identifier. - - The action expects the input JSON to be a list of dictionaries. + 4. **Parsing**: It parses the JSON content based on the provided field paths (e.g., + `path.to.key`) and applies formatting rules. - - Each dictionary must have an "Entity" key that matches the identifier of an - entity in the current scope. + 5. **Insight Generation**: It constructs an HTML table for each valid JSON input + and attaches the resulting insight to the entity using the `add_entity_insight` + method. - - The "EntityResult" key should contain the actual data structure you wish to - extract values from. - - If a field definition does not contain a colon (`:`), the value is added as - a plain string rather than a table row. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action reads up to five sets of JSON data, field mappings, - and titles from the parameters. + | JSON1 - JSON5 | string | No | The JSON strings to be parsed for the insight. + | - 2. **Field Parsing**: It splits the 'Fields' strings into individual mapping instructions - based on the 'Placeholder Separator'. + | Fields1 - Fields5 | string | No | The fields to extract from the corresponding + JSON string. Format: `Display:path.to.key`. | - 3. **Entity Iteration**: The script loops through every entity currently active - in the playbook scope. + | Title1 - Title5 | string | No | The title used for the corresponding entity + section. | - 4. **Data Matching**: For each entity, it searches the provided JSON arrays for - an entry where the "Entity" field matches the entity's identifier. + | Placeholder Separator | string | No | A string used to separate field definitions. + Default is `,`. | - 5. **Extraction**: If a match is found, it uses the 'Fields' logic to extract - specific values from the "EntityResult" object, supporting nested paths and transformation - pipes (e.g., counting list items or joining arrays). - 6. **Formatting**: Extracted data is formatted into HTML tables (for labeled fields) - or text blocks. + ### Additional Notes - 7. **Insight Creation**: The action calls the SOAR API to attach the formatted - message as an Insight to the entity, using the provided 'Title' as the trigger - source. + This action does not perform any external API calls or data fetching. It relies + entirely on the JSON data provided via the action parameters. If no matching data + is found for an entity in the provided JSONs, the action will indicate that data + is missing for that specific section. capabilities: can_create_case_comments: false can_create_insight: true @@ -319,10 +366,19 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on the provided - JSON data. + The action adds insights to entities within the SOAR platform using the add_entity_insight + method. + reasoning: >- + The action processes provided JSON strings and field definitions to generate + and attach HTML-formatted insights to the target entities within the SOAR platform. + It does not interact with external systems, fetch new data, or modify entity + attributes directly. It strictly creates insights. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources; it merely formats and + displays provided JSON data as insights. Therefore, it does not meet the criteria + for an Enrichment action, which requires proactive data retrieval. entity_usage: entity_types: - ADDRESS @@ -373,38 +429,59 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target_entities provided in the context without + filtering by type. Therefore, it supports all entity types. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined operational tasks (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Insights integration. It serves as a basic health - check to ensure that the integration environment is correctly configured and that - the action runner can execute scripts within the context of the integration. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is typically used to test + the integration's health. - ### Parameters Description + ### Parameters There are no parameters for this action. - ### Additional Notes - - This action does not interact with any external APIs or internal data structures. - It is strictly used for connectivity testing. - - ### Flow Description - 1. **Initialization**: The action initializes the `SiemplifyAction` module to - establish the execution context. - - 2. **Connectivity Check**: The script executes a simple termination command without - performing any external network requests. + 1. Initialize the `SiemplifyAction` object. - 3. **Completion**: The action concludes by returning a success message ('Siemplify - is connected') to the Google SecOps workbench, indicating that the integration - is functional. + 2. Terminate the action with a success message indicating the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -415,8 +492,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple 'Ping' utility. It does not perform any external API + calls, data retrieval, or system mutations. It simply confirms the integration's + connectivity status. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -432,3 +516,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0439ac872 --- /dev/null +++ b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'insights' integration is a utility-focused integration designed to format + and display data as 'Entity Insights' within the SOAR platform. Its actions (Create + Entity Insight From Enrichment, Create Entity Insight From JSON, Create Entity + Insight From Multiple JSONs, and Ping) are strictly for internal data presentation + and connectivity testing. It does not perform external data fetching, system mutation, + or specific security operations such as threat intelligence enrichment, network + blocking, identity management, or ITSM ticketing. It does not interact with external + collaboration platforms like Slack or Teams, nor does it perform asset inventory + or vulnerability management tasks. Consequently, it does not align with any of + the defined security product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml index d31c3e785..0b9c9502a 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml @@ -1,10 +1,42 @@ Add String to Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a generic utility for managing custom lists. It does not specifically + target blocklists, allowlists, or other predefined categories, so all specific + product category flags are set to false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds a user-defined string to a specific Google SecOps custom list category. This - action is primarily used for managing internal platform lists, such as allowlists, - blocklists, or watchlists, by programmatically inserting new entries. + This action adds a specified string to a custom list within the Google SecOps + SOAR platform. It allows users to dynamically update custom lists, which can be + used for various purposes such as maintaining watchlists, blocklists, or allowlists. ### Parameters Description @@ -13,32 +45,24 @@ Add String to Custom List: | :--- | :--- | :--- | :--- | - | ListItem | String | Yes | The specific string value to be added to the custom - list. | + | ListItem | string | Yes | The list item string to add to the custom list. | - | Category | String | Yes | The name of the custom list category where the string - will be stored. | + | Category | string | Yes | The category of the custom list to which the item + will be added. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `ListItem` (the string to - add) and the `Category` (the target list) from the input parameters. + 1. The action retrieves the `Category` and `ListItem` values from the provided + action parameters. - 2. **Object Preparation**: It creates a `CustomList` data object containing the - input string, the target category, and the current environment context. + 2. It initializes a `CustomList` object using the provided string and category. - 3. **Internal Mutation**: The action calls the internal SDK method `add_entities_to_custom_list` - to update the specified Google SecOps custom list with the new string. + 3. The action calls `siemplify.add_entities_to_custom_list` to persist the new + item into the specified custom list within the SOAR platform. - 4. **Finalization**: The action concludes by providing a success message confirming - the addition of the item to the category. - - - ### Additional Notes - - This action does not interact with external APIs; it only modifies internal Google - SecOps data structures. + 4. The action concludes by returning the execution status and an output message + confirming the addition. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,9 +73,17 @@ Add String to Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a string entry to an internal Google SecOps custom list category. + Modifies internal SOAR custom lists by adding a new string entry. + reasoning: >- + The action modifies internal SOAR data by adding a string to a custom list. + It does not perform any external API calls (fetches_data=false) and does not + interact with external systems (can_mutate_external_data=false). It does not + update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action does not fetch data (it is a push/write operation), therefore it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -67,14 +99,49 @@ Add String to Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `target_entities` list. It processes + a string parameter directly. Is String In Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a lookup against a custom list to verify the existence of + identifiers. It does not perform any of the defined product-specific actions + such as blocking, ticketing, or asset enrichment. It is a utility lookup action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action checks if a specific set of strings exists within a designated Google - SecOps Custom List category. It is primarily used for whitelist/blacklist validation - or verifying if specific identifiers (like IPs, domains, or usernames) are already - known to the system within a specific context. + This action checks if a list of provided strings exists within a specified Custom + List category in the current environment. It is a utility action designed to verify + the presence of identifiers (e.g., IPs, domains, or file hashes) against predefined + organizational lists. ### Parameters Description @@ -83,41 +150,31 @@ Is String In Custom List: | :--- | :--- | :--- | :--- | - | **IdentifierList** | String | Yes | A list of strings to compare against the - custom list. This can be provided as a comma-separated string (e.g., `1.2.3.4,google.com`) - or a valid JSON array. | + | IdentifierList | string | Yes | A list of strings (e.g., "1.2.3.4,google.com") + to check against the custom list. Can be provided as a JSON-formatted string or + a comma-separated string. | - | **Category** | String | Yes | The name of the Custom List category (e.g., `WhiteList`, - `BlackList`) to search within for the current environment. | - - - ### Additional Notes - - - The action handles both comma-separated strings and JSON-formatted arrays for - the `IdentifierList` parameter. - - - It performs the check specifically for the environment associated with the current - execution context. + | Category | string | Yes | The name of the Custom List category to check against. + | ### Flow Description - 1. **Parameter Retrieval**: The action extracts the `Category` and `IdentifierList` - from the input parameters. + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + the `Category` and `IdentifierList` parameters. - 2. **Parsing**: It attempts to parse the `IdentifierList` as JSON; if that fails, - it splits the string by commas and trims whitespace from each entry. + 2. **Parsing**: The `IdentifierList` is parsed into a list of individual strings, + handling both JSON and comma-separated formats. - 3. **Custom List Lookup**: For each identifier in the list, the action creates - a `CustomList` object and uses the SOAR SDK method `any_entity_in_custom_list` - to verify its existence in the specified category. + 3. **Lookup**: The action iterates through each identifier and queries the internal + Custom List system using `siemplify.any_entity_in_custom_list` for the specified + category. - 4. **Result Aggregation**: It builds a JSON object mapping each identifier to - a boolean value (`true` if found, `false` otherwise) and maintains a counter of - total matches found. + 4. **Result Generation**: A JSON result is constructed mapping each identifier + to a boolean value (`True` if found, `False` otherwise). - 5. **Completion**: The action outputs the total count of found items as the result - value and attaches the detailed mapping as a JSON result. + 5. **Output**: The action adds the result JSON to the execution output and returns + a summary message indicating the number of items found. capabilities: can_create_case_comments: false can_create_insight: false @@ -128,8 +185,17 @@ Is String In Custom List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the internal Custom List system to verify the existence + of provided identifiers. It does not mutate external systems, nor does it modify + internal SOAR data (entities, insights, or case comments). It is a read-only + lookup operation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an internal source (Custom Lists) to provide context + (existence check) for the provided identifiers. It does not mutate any external + or internal systems, fitting the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,35 +211,62 @@ Is String In Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It processes a list + of strings provided directly via the `IdentifierList` parameter. Therefore, + it does not use or filter any entity types. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any functional + operations such as enrichment, containment, ticket management, or alert modification. + It simply confirms the integration's connectivity status. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Verifies the connectivity between the Google SecOps (Chronicle) platform and the - integration environment. This action serves as a basic health check to ensure - that the integration is correctly configured and reachable. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is typically used to validate + the integration setup. - ### Parameters Description + ### Parameters There are no parameters for this action. - ### Additional Notes - - This is a standard 'Ping' action used for troubleshooting and configuration validation. - It does not interact with any external APIs or internal data stores. - - ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK to establish a - session. + 1. The action initializes the `SiemplifyAction` object. - 2. **Connectivity Check**: The script executes a simple completion command to - confirm the environment is responsive. - - 3. **Termination**: The action ends with a success message: 'Siemplify is connected'. + 2. It immediately terminates the execution with a success message, confirming + that the integration is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,8 +277,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by calling `siemplify.end`. + It does not interact with external APIs, modify external systems, or update + any internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. Furthermore, it does not fetch any data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -201,14 +301,47 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + Therefore, the entity list is empty and no filters are applied. Remove String from Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies an internal SOAR custom list. It does not match any of the + provided product categories (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Remove String from Custom List** action is designed to delete a specific - string entry from an internal Google SecOps custom list. This is typically used - for managing allowlists, blocklists, or other reference datasets within the SOAR - platform. + This action removes a specified string item from a custom list category within + the Google SecOps SOAR platform. It is a utility action designed to manage internal + SOAR configuration data by deleting entries from predefined custom lists. ### Parameters Description @@ -217,36 +350,29 @@ Remove String from Custom List: | :--- | :--- | :--- | :--- | - | **Category** | String | Yes | The name of the custom list category (e.g., 'WhiteList') - from which the item should be removed. | + | Category | string | Yes | The name of the custom list category from which the + item should be removed. | - | **ListItem** | String | Yes | The specific string value to be removed from the - custom list. | + | ListItem | string | Yes | The specific string value to be removed from the list. + | ### Additional Notes - - This action operates on internal Google SecOps data (Custom Lists) and does - not interact with external APIs. - - - **Note**: The parameter description for 'ListItem' in the configuration metadata - incorrectly mentions 'adding' the string, but the action logic and name confirm - it performs a removal. + This action does not interact with external systems or entities. It strictly modifies + internal SOAR configuration data. ### Flow Description - 1. **Parameter Retrieval**: The action extracts the 'Category' and 'ListItem' - values from the user input. + 1. Retrieve the `Category` and `ListItem` parameters from the action configuration. - 2. **Object Construction**: It creates a 'CustomList' object using the provided - string, category, and the current environment context. + 2. Initialize a `CustomList` object with the provided category and item. - 3. **Removal Execution**: It invokes the 'remove_entities_from_custom_list' method - to delete the entry from the internal database. + 3. Call the `remove_entities_from_custom_list` method to update the internal SOAR + custom list. - 4. **Completion**: The action returns a success status and an output message confirming - the removal. + 4. Return the execution status and a confirmation message. capabilities: can_create_case_comments: false can_create_insight: false @@ -257,9 +383,16 @@ Remove String from Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Removes a string entry from a Google SecOps internal custom list. + Removes a string item from a custom list within the SOAR platform. + reasoning: >- + The action interacts with the internal SOAR `CustomList` object to remove an + item. It does not fetch external data or interact with external APIs. It modifies + internal SOAR configuration data. categories: enrichment: false + reasoning: >- + The action is a utility for managing internal SOAR custom lists. It does not + fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -275,61 +408,55 @@ Remove String from Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It takes parameters directly from + the action configuration. Search Custom Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches custom lists for records. It does not match any of the provided + product categories (e.g., it is not searching events, assets, or alerts). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Searches for specific strings within Google SecOps Custom Lists. This action allows - users to query internal tracking lists for specific identifiers or categories, - providing a way to programmatically access and filter custom list data within - a playbook. It is primarily used to check if certain values exist within managed - lists or to retrieve the contents of specific list categories. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | String to Search | String | No | The specific string to look for within the - `entityIdentifier` field of the custom list records. This performs a substring - match. | - - | Categories | String | No | A comma-separated list of custom list names (categories) - to restrict the search to. | - - - ### Additional Notes - - - If no `Categories` are provided, the action retrieves records from all available - custom lists. - - - If no `String to Search` is provided, the action returns all records within - the specified categories (or all records if no categories are specified). - - - The action returns a boolean result indicating if any matches were found and - provides the matching records in JSON format. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Categories` and `String - to Search` parameters from the input configuration. - - 2. **Data Retrieval**: It utilizes the internal SOAR API (`get_traking_list_record`) - to fetch records from the custom lists based on the provided categories. - - 3. **Category Filtering**: If specific categories were requested, the action ensures - the results are filtered to only include records belonging to those categories. - - 4. **String Matching**: If a search string is provided, the action iterates through - the retrieved records and filters for those where the `entityIdentifier` contains - the search string. - - 5. **Result Output**: The final set of matching records is added to the action's - JSON result. The action completes with a success message indicating the number - of records found. + ### General Description\nSearches for records within Google SecOps custom lists + based on optional category filtering and string matching. This action allows users + to query custom lists to find specific entries, facilitating the retrieval of + threat intelligence or other stored data.\n\n### Parameters Description\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| String to + Search | string | No | The string to search for within the `entityIdentifier` + field of the custom list records. |\n| Categories | string | No | A comma-separated + list of categories to filter the custom list records by. |\n\n### Flow Description\n1. + Extracts `Categories` and `String to Search` parameters.\n2. Retrieves custom + list records using the `get_traking_list_record` utility.\n3. Filters the retrieved + records by the provided categories (if specified).\n4. Filters the remaining records + by the `String to Search` (if specified) against the `entityIdentifier` field.\n5. + Returns the matching records as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -340,8 +467,16 @@ Search Custom Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from custom lists using `get_traking_list_record`. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: false + reasoning: >- + The action retrieves data from custom lists. While it fetches data, it does + not enrich specific entities or alerts within the case context. It is a utility + action for searching custom lists. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -357,58 +492,79 @@ Search Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity. Search Environment Custom Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches custom lists within the environment. It does not match any + of the predefined categories (e.g., Enrich IOC, Search Events, etc.) as it is + a general utility for custom list management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Search Environment Custom Lists** action allows users to query and filter - records stored within the Google SecOps environment's custom lists. It is a utility - action designed to find specific entries (such as indicators, usernames, or identifiers) - across various list categories. If no search criteria are provided, the action - retrieves all available records from the environment. + This action searches for records within the environment's custom lists. It allows + filtering by category and a specific search string to identify relevant entries. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. Extract `Categories` and `String to Search` parameters. - | :--- | :--- | :--- | :--- | + 2. Retrieve all custom list records using `get_traking_list_records_filtered`. - | **String to Search** | The specific text string to look for within the `entityIdentifier` - field of the custom list records. | String | No | + 3. Filter the records by the provided `Categories` (if specified). - | **Categories** | A comma-separated list of categories (e.g., "Suspicious IPs, - VIP Users") to narrow the search scope to specific lists. | String | No | + 4. Filter the remaining records by the `String to Search` (if specified) against + the `entityIdentifier` field. + 5. Return the matching records as a JSON result. - ### Additional Notes - - If both parameters are left empty, the action will return all records from all - custom lists in the environment. - - - The search logic is case-sensitive or case-insensitive depending on the underlying - API implementation, but typically matches the string within the `entityIdentifier` - field. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: The action extracts the `Categories` and `String - to Search` parameters provided by the user. + | String to Search | string | No | The string to search within the `entityIdentifier` + of the custom list records. | - 2. **Data Retrieval**: It fetches custom list records from the internal Google - SecOps database using the `get_traking_list_records_filtered` helper method. + | Categories | string | No | A comma-separated list of categories to filter the + custom list records by. | - 3. **Category Filtering**: If the `Categories` parameter is provided, the action - filters the retrieved records to include only those belonging to the specified - categories. - 4. **String Matching**: If a `String to Search` is provided, the action filters - the records further, keeping only those where the search string is contained within - the `entityIdentifier` attribute. + ### Additional Notes - 5. **Result Finalization**: The matching records are added to the action's JSON - results, and the action completes with a summary of the number of matches found. + If no parameters are provided, the action returns all custom list records. capabilities: can_create_case_comments: false can_create_insight: false @@ -419,8 +575,16 @@ Search Environment Custom Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the environment's custom lists. It does not mutate + external systems or internal SOAR data (entities, insights, comments). It only + outputs the search results as a JSON object. categories: enrichment: false + reasoning: >- + The action is a utility for searching custom lists. It does not operate on entities + or alerts to provide enrichment, nor does it modify any system state. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -436,3 +600,6 @@ Search Environment Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on global custom list data. diff --git a/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..3cea743c9 --- /dev/null +++ b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'lists' integration is a utility tool designed for managing custom lists within + the Google SecOps SOAR platform. Its actions (Add, Remove, Search, Check existence) + are administrative in nature, focusing on internal SOAR configuration data rather + than performing specific security operations. It does not provide SIEM log analysis, + EDR host-level visibility, Threat Intelligence reputation data (risk scores/malware + families), or any other capabilities defined in the provided product categories. + Consequently, it does not align with any of the specified security product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml index 785f4f049..6c0356689 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml @@ -1,87 +1,115 @@ Entity Insight: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a generic template engine used to create entity insights. It does + not perform any specific product-related tasks like enriching IOCs, enriching + assets, or containing hosts. Therefore, it does not match any of the predefined + product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + This action renders a Jinja2 template using a provided JSON object and entity + data to create entity insights. It is a utility action that allows for dynamic + generation of insights based on custom templates. - This action transforms a provided JSON object into human-readable entity insights - using a Jinja2 template. It is designed to take raw data (typically from a previous - integration action) and format it into a structured, analyst-friendly layout within - the Google SecOps case. It supports a wide range of custom Jinja filters for data - manipulation, such as date formatting, regex operations, and converting JSON to - HTML tables. + ### Flow Description - ### Parameters Description + 1. Extracts action parameters: `JSON Object`, `Template`, `Triggered By`, `Remove + BRs`, and `Create Insight`. - | Parameter | Type | Mandatory | Description | + 2. Iterates through the target entities, excluding those with the type "ALERT". - | :--- | :--- | :--- | :--- | + 3. Parses the input `JSON Object`. - | **JSON Object** | content | Yes | The raw JSON object containing the data to - be rendered. It must contain a list of entries where each entry specifies an 'Entity' - and its 'EntityResult'. | + 4. Initializes a Jinja2 environment, loading custom filters and helper functions. - | **Template** | email_content | Yes | The Jinja2 template used to format the - data. This can be a simple string or a complex HTML template. | + 5. Renders the template for each entity using the provided JSON data and the entity's + properties. - | **Triggered By** | string | Yes | The name of the integration or process that - triggered the insight, which will be displayed in the insight header. | + 6. Adds the rendered result as an entity JSON result. - | **Remove BRs** | boolean | No | If set to `true`, the action will strip all - `
` tags from the rendered template output. Default is `false`. | + 7. Optionally creates an entity insight in the SOAR platform if `Create Insight` + is enabled. - | **Create Insight** | boolean | No | If set to `true`, the action will generate - an Entity Insight in the SOAR platform. Default is `true`. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the input JSON, the Jinja2 template, - and configuration flags (Remove BRs, Create Insight). + | :--- | :--- | :--- | :--- | - 2. **Environment Setup**: It initializes a Jinja2 environment and loads a comprehensive - set of filters from `JinjaFilters` and `CustomFilters` (if available). + | JSON Object | content | Yes | The raw JSON object that will be used to render + the template. | - 3. **Entity Processing**: It iterates through the target entities in the current - context, excluding any entities that are internally flagged as 'ALERT' types via - their additional properties. + | Template | email_content | No | The Jinja2 template to display. Can be a HTML + template from "Settings->Environment" or added in content box. | - 4. **Data Matching**: For each valid entity, the action searches the input JSON - for a matching 'Entity' identifier. + | Triggered By | string | Yes | The name of the integration that triggered this + entity insight. | - 5. **Template Rendering**: If a match is found, the action combines the entity's - properties with the result data and renders the Jinja2 template. + | Remove BRs | boolean | No | Remove all
tags from the rendered template. + Default is false. | - 6. **Result Attachment**: The rendered output is attached to the entity as a JSON - result. If 'Create Insight' is enabled, it also creates a formal Entity Insight. + | Create Insight | boolean | No | When enabled, the action will create entity + insights. Default is true. | ### Additional Notes - - **Mandatory Discrepancy**: While the integration metadata (YAML) lists the 'Template' - parameter as optional, the underlying Python code treats it as mandatory (`is_mandatory=True`). - Users should ensure a template is provided to avoid execution errors. - - - **Entity Result Format**: The input JSON is expected to be a list of dictionaries, - each containing an 'Entity' key (matching the entity identifier) and an 'EntityResult' - key (containing the data to render). + This action is a generic template engine and does not perform any specific external + system interactions. It is primarily used for internal data formatting and insight + creation. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights and attaches JSON results to entities within the Google - SecOps case. + Creates entity insights and adds entity JSON results within the SOAR platform. + reasoning: >- + The action processes input data and entity properties to render a template. + It does not fetch data from external systems (fetches_data=false) or mutate + external systems (can_mutate_external_data=false). It performs internal mutations + by adding entity JSON results and creating entity insights (can_mutate_internal_data=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action creates entity insights, which is an allowed internal mutation for + enrichment actions. It does not fetch data from external systems or mutate external + data, and it does not perform any prohibited actions. entity_usage: entity_types: - ADDRESS - - ALERT - APPLICATION - CHILDHASH - CHILDPROCESS @@ -120,7 +148,7 @@ Entity Insight: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -128,14 +156,48 @@ Entity Insight: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` and processes them + if their `additional_properties['Type']` is not 'ALERT'. It uses `entity.additional_properties` + to access entity data. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping'). It does not perform any of the + defined functional operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Verifies the connectivity between Google SecOps and the TemplateEngine integration. - This action is a standard health check used to confirm that the integration environment - is correctly configured and that the SOAR platform can successfully execute scripts - within this integration context. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is a utility action used + to confirm the environment is ready for use. ### Parameters Description @@ -143,18 +205,13 @@ Ping: There are no parameters for this action. - ### Additional Notes - - This action does not interact with any external APIs or internal case data; it - simply returns a success status to indicate the integration is 'Up'. - - ### Flow Description - 1. The action initializes the Siemplify API object. + 1. Initialize the `SiemplifyAction` object. + + 2. Execute the connectivity check. - 2. The action immediately concludes by calling the end method with a success message - 'Siemplify is connected' and a result value of True. + 3. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -165,8 +222,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple 'Ping' utility. It does not fetch data from external + sources, nor does it modify any internal or external data. It is strictly used + for verifying connectivity. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the guidelines, actions named 'Ping' + must not be categorized as enrichment actions. It also does not perform any + data retrieval or modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -182,72 +247,58 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + check. Render Template: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for rendering templates. It does not fit into any of + the specific product categories like enrichment, ticketing, or containment. + It is a general-purpose transformation action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action renders a Jinja2 template using a provided JSON object as the data - source. It is designed to transform raw data into formatted strings or HTML, which - can then be used in subsequent playbook steps, such as sending emails or creating - reports. The action supports custom Jinja filters for advanced data manipulation, - including JSON-to-HTML table conversion, regex operations, and date formatting. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **JSON Object** | JSON Object | No | The raw JSON object or list that will be - used as the context for the Jinja template. This data is accessible via the `input_json` - variable within the template. Defaults to `{}`. | - - | **Jinja** | Code | No | The Jinja2 template code to be rendered. If provided, - this value takes precedence over the 'Template' parameter. | - - | **Include Case Data** | Boolean | No | If enabled, the action injects current - alert events and target entities into the template context under `input_json['SiemplifyEvents']` - and `input_json['SiemplifyEntities']`. | - - | **Template** | Email Content | No | A pre-defined Jinja2 template (e.g., from - Environment Settings). This is used only if the 'Jinja' parameter is empty. | - - - ### Additional Notes - - - Either the **Jinja** or **Template** parameter should be configured for the - action to produce meaningful output. - - - The action includes a robust set of built-in filters such as `json2tbl` (converts - JSON to HTML tables), `regex_match`, `filter_datetime`, and `to_nice_json`. - - - If the **JSON Object** is a list, the action will iterate through the list and - append the rendered output for each item into a single result string. - - - ### Flow Description - - 1. **Initialization**: The action extracts the input parameters and parses the - provided **JSON Object**. - - 2. **Context Preparation**: If **Include Case Data** is true, the action retrieves - security events (additional properties) and target entities from the current SecOps - alert context and merges them into the input data. - - 3. **Environment Setup**: A Jinja2 environment is initialized with auto-escaping - enabled. It loads standard filters from `JinjaFilters.py` and attempts to load - any user-defined filters from `CustomFilters.py`. - - 4. **Template Selection**: The action determines which template to use, prioritizing - the raw **Jinja** code block over the **Template** selection. - - 5. **Rendering**: The template is rendered using the prepared JSON context. If - the input is a list, it renders the template for each element and concatenates - the results. - - 6. **Output**: The final rendered string is saved to the action's JSON result - under the key `html_output` and returned as the main result value. + General description: This action renders a Jinja2 template using a provided JSON + object as input. It is a utility action designed to transform data into a formatted + string (e.g., HTML or text).\n\nFlow description:\n1. The action parses the provided + JSON object.\n2. If 'Include Case Data' is enabled, it retrieves security events + and entity information from the current alert.\n3. It initializes a Jinja2 environment, + loading standard and custom filters.\n4. It renders the template using the input + JSON (and case data if included).\n5. The final rendered output is returned as + a JSON result.\n\nParameters description:\n| Parameter | Type | Mandatory | Description + |\n| --- | --- | --- | --- |\n| JSON Object | content | No | The raw JSON object + used to render the template. Available as 'input_json' in the template. |\n| Template + | email_content | No | The Jinja template code to be rendered. |\n| Jinja | code + | No | Alternative Jinja template code. |\n| Include Case Data | boolean | No + | If true, includes case events and entities in the template context. |\n\nAdditional + notes: Either 'Template' or 'Jinja' should be configured to provide the template + content. capabilities: can_create_case_comments: false can_create_insight: false @@ -258,8 +309,16 @@ Render Template: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility that processes input data (JSON and templates) to generate + a rendered string. It does not interact with external systems (no external mutation + or fetching) and does not modify internal SOAR data (no internal mutation). categories: enrichment: false + reasoning: >- + The action is a utility/transformation tool. It does not fetch data from external + sources, nor does it perform any of the allowed internal mutations (comments, + insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -310,78 +369,57 @@ Render Template: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and collects data if `Include + Case Data` is enabled. It filters entities by their `additional_properties` + attribute (specifically checking for 'ALERT' type). It does not filter by entity + type, so it supports all entity types. Render Template from Array: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for template rendering and does not perform any of the + listed operations such as enrichment, containment, or ticketing. It does not + interact with external systems or modify alert data, therefore it does not match + any of the product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Render Template from Array** action is a utility designed to process a list - of data objects and transform them into a formatted string using the Jinja2 templating - engine. It is particularly useful for generating HTML reports, summaries, or formatted - logs from arrays of data produced by previous playbook steps. The action iterates - through each item in a provided JSON array, applies a user-defined Jinja template - to that item, and then joins the resulting strings together with a specified separator. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Array input** | Content | No | A JSON-formatted string representing an array - of objects. If a single object is provided, it will be treated as a single-item - array. Default is `[]`. | - - | **Jinja** | Code | No | The Jinja2 template code used to render each item in - the array. Within the template, the current item is accessible via the `row` variable - or directly by its keys. Default is a simple template showing `row.name`. | - - | **join** | String | No | The character or string used to join the rendered output - of each array item (e.g., a comma, a newline, or an HTML break tag). Default is - a comma. | - - | **prefix** | String | No | A string to be prepended to the final aggregated - output. | - - | **suffix** | String | No | A string to be appended to the final aggregated output. - | - - - ### Additional Notes - - - The action includes a robust set of custom Jinja filters (e.g., `json2tbl`, - `regex_match`, `filter_datetime`, `epochTimeToHuman`) to assist in complex data - formatting. - - - If the `Array input` is not a valid JSON list, the action attempts to treat - it as a single JSON object and wraps it in a list automatically. - - - The output is provided both as a simple result value and as a JSON object containing - `html_output`. - - - ### Flow Description - - 1. **Initialization**: The action extracts the input parameters, including the - JSON array, the Jinja template, and formatting options (join, prefix, suffix). - - 2. **JSON Parsing**: The `Array input` string is parsed into a Python list. If - parsing fails, the action terminates with an error. - - 3. **Environment Setup**: A Jinja2 environment is initialized, and a comprehensive - suite of custom filters (for regex, date parsing, and HTML table conversion) is - loaded into the environment. - - 4. **Template Rendering**: The action loops through each element in the input - list. For each element, it renders the provided Jinja template, passing the element - as the context. - - 5. **Aggregation**: All rendered strings are joined using the `join` parameter. - The `prefix` and `suffix` are then added to the start and end of the resulting - string. - - 6. **Completion**: The final formatted string is returned as the action result - and stored in the `html_output` JSON field. + This action renders a Jinja2 template for each item in a provided JSON array. + It is useful for formatting data into custom strings, HTML, or reports. Parameters + description: Array input (Optional): A JSON array string to be processed. Jinja + (Optional): The Jinja2 template string. join (Optional): The separator string + used to join the rendered items. prefix (Optional): A string to prepend to the + final output. suffix (Optional): A string to append to the final output. Flow + description: 1. Parse the Array input parameter as a JSON object/list. 2. Initialize + a Jinja2 environment with available filters. 3. Iterate through each item in the + input array. 4. Render the provided Jinja template for each item. 5. Concatenate + the rendered results using the join parameter. 6. Apply prefix and suffix to the + final string. 7. Return the result in the html_output field. capabilities: can_create_case_comments: false can_create_insight: false @@ -392,8 +430,15 @@ Render Template from Array: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string manipulation and template rendering. It does + not interact with external APIs, modify internal SOAR data, or update entities. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (templating) and does not fetch + data from external sources or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -409,3 +454,6 @@ Render Template from Array: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities or any entity-specific + logic. It operates on raw input data provided via parameters. diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e7d01b00 --- /dev/null +++ b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The template_engine integration is a utility-based tool designed to provide Jinja2 + template rendering capabilities. It does not interact with external security systems, + perform data enrichment, manage security infrastructure, or execute security-specific + operations such as blocking, scanning, or ticketing. While it can be used to format + data for other integrations (e.g., formatting an email body or a ticket description), + the integration itself does not fulfill the functional requirements of any of + the defined product categories (SIEM, EDR, Network Security, Threat Intelligence, + Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration). Therefore, all product category flags are set to false. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml index 835e0d859..f10ddd119 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml @@ -1,4 +1,36 @@ Add Alert Scoring Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the alert's severity and score context properties, which + directly modifies the alert's state within the SecOps platform. This aligns + with the 'Update Alert' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -65,12 +97,22 @@ Add Alert Scoring Information: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - The action updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, - and ALERT_SEVERITY) to store and aggregate risk scoring data within the alert. + Updates alert context properties `ALERT_SCORE_INFO`, `ALERT_SCORE`, and `ALERT_SEVERITY`. + reasoning: >- + The action retrieves existing scoring information from the alert's context property + `ALERT_SCORE_INFO` (fetches_data=true). It then performs internal mutations + by updating the alert's context properties `ALERT_SCORE_INFO`, `ALERT_SCORE`, + and `ALERT_SEVERITY` (can_mutate_internal_data=true). It does not interact with + external systems, update entities, create insights, or add case comments. categories: enrichment: false + reasoning: >- + The action does not meet the criteria for an enrichment action. While it retrieves + internal data, it performs significant internal mutations (updating alert context + properties) that are not limited to the allowed list (insights, entities, comments). + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -86,7 +128,42 @@ Add Alert Scoring Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates solely on alert context + properties. Add Comment to Entity Log: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a comment to the entity log, which is an internal annotation. + This matches the 'Add Alert Comment' category as it appends notes to the entity's + activity timeline. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -131,7 +208,7 @@ Add Comment to Entity Log: This action does not modify the entity's attributes (like reputation or tags) but rather adds a historical log entry visible in the Entity Explorer. capabilities: - can_create_case_comments: false + can_create_case_comments: true can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false @@ -140,10 +217,14 @@ Add Comment to Entity Log: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a comment to the entity log for each entity in scope within the Google - SecOps platform. + Adds a comment to the entity's log within the Google SecOps platform. + reasoning: >- + The action adds a comment to the entity log, which is an internal mutation. + It does not fetch data, nor does it mutate external systems. categories: enrichment: false + reasoning: >- + The action does not fetch data, which is a requirement for enrichment actions. entity_usage: entity_types: - ADDRESS @@ -194,35 +275,69 @@ Add Comment to Entity Log: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering logic, + meaning it processes all entities provided in the scope. Add Or Update Alert Additional Data: - ai_description: "### General Description\nThis action allows for the dynamic addition\ - \ or updating of information within the 'Additional Data' field of a Google SecOps\ - \ alert. It is designed to act as a temporary or persistent storage mechanism\ - \ for data collected during a playbook's execution, enabling subsequent actions\ - \ to access this accumulated context. The action supports structured JSON (dictionaries\ - \ and lists) as well as plain text.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Json Fields\ - \ | string | Yes | The data to be added to the alert. This can be a raw string,\ - \ a JSON-formatted dictionary, or a JSON-formatted list. If a dictionary is provided,\ - \ it is merged into the existing 'dict' key. If a list is provided, it is appended\ - \ to the 'list' key. Any other input is stored in the 'data' key. |\n\n### Additional\ - \ Notes\n- The action automatically initializes a structured schema within the\ - \ alert's additional data if it doesn't exist, containing 'dict', 'list', and\ - \ 'data' keys.\n- If the input string is not valid JSON, it will be treated as\ - \ a standard string and stored in the 'data' field.\n\n### Flow Description\n\ - 1. **Input Parsing**: The action retrieves the 'Json Fields' parameter and attempts\ - \ to parse it as a JSON object (dictionary or list). If parsing fails, it treats\ - \ the input as a raw string.\n2. **Data Retrieval**: It fetches the current alert's\ - \ existing 'additional_data' content.\n3. **Structure Normalization**: If the\ - \ existing data is empty or lacks the standard keys ('dict', 'list', 'data'),\ - \ the action initializes them to ensure a consistent data structure.\n4. **Data\ - \ Merging**: \n - If the input is a **List**, it extends the existing list\ - \ in the alert data.\n - If the input is a **Dictionary**, it updates the existing\ - \ dictionary in the alert data with the new key-value pairs.\n - If the input\ - \ is a **String**, it overwrites the 'data' field with the new value.\n5. **Internal\ - \ Update**: The action calls the Google SecOps API to update the alert's metadata\ - \ with the newly merged JSON structure.\n6. **Output**: The final accumulated\ - \ data is returned as a JSON result for use in the playbook." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the alert's additional data, which is a form of alert modification. + While it does not change status, severity, or assignee, it is an update to the + alert's internal data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + This action allows for the dynamic addition or updating of information within + the 'Additional Data' field of a Google SecOps alert. It is designed to act as + a temporary or persistent storage mechanism for data collected during a playbook's + execution, enabling subsequent actions to access this accumulated context. The + action supports structured JSON (dictionaries and lists) as well as plain text. + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- + | :--- | :--- | :--- | | Json Fields | string | Yes | The data to be added to + the alert. This can be a raw string, a JSON-formatted dictionary, or a JSON-formatted + list. If a dictionary is provided, it is merged into the existing 'dict' key. + If a list is provided, it is appended to the 'list' key. Any other input is stored + in the 'data' key. | ### Additional Notes - The action automatically initializes + a structured schema within the alert's additional data if it doesn't exist, containing + 'dict', 'list', and 'data' keys. - If the input string is not valid JSON, it will + be treated as a standard string and stored in the 'data' field. ### Flow Description + 1. Input Parsing: The action retrieves the 'Json Fields' parameter and attempts + to parse it as a JSON object (dictionary or list). If parsing fails, it treats + the input as a raw string. 2. Data Retrieval: It fetches the current alert's existing + 'additional_data' content. 3. Structure Normalization: If the existing data is + empty or lacks the standard keys ('dict', 'list', 'data'), the action initializes + them to ensure a consistent data structure. 4. Data Merging: - If the input is + a List, it extends the existing list in the alert data. - If the input is a Dictionary, + it updates the existing dictionary in the alert data with the new key-value pairs. + - If the input is a String, it overwrites the 'data' field with the new value. + 5. Internal Update: The action calls the Google SecOps API to update the alert's + metadata with the newly merged JSON structure. 6. Output: The final accumulated + data is returned as a JSON result for use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -233,10 +348,15 @@ Add Or Update Alert Additional Data: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_data' field of the current alert within Google SecOps - to store or update contextual information. + Updates the 'additional_data' field of the current alert within Google SecOps. + reasoning: >- + The action modifies the internal state of the alert by updating its 'additional_data' + field. It does not interact with external systems or fetch external data. It + performs an internal mutation of the alert metadata. categories: enrichment: false + reasoning: >- + The action does not fetch external data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -252,7 +372,42 @@ Add Or Update Alert Additional Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process entities. It operates on the current + alert object. Append to Context Value: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for managing context properties. It does not match any + of the defined product categories (e.g., enrichment, ticket management, alert + modification). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nAppends a specified string value to an\ \ existing context property or creates a new context property if the key does\ \ not already exist. This action is designed to facilitate data accumulation across\ @@ -267,31 +422,40 @@ Append to Context Value: \ append to the existing property or to set as the initial value. |\n| **Delimiter**\ \ | String | Yes | The character or string used to separate the existing value\ \ from the new value when appending. Default is a comma (','). |\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the `Scope`, `Key`, `Value`,\ - \ and `Delimiter` from the input configuration.\n2. **Context Retrieval:** Based\ - \ on the selected `Scope`, the action attempts to fetch the current value of the\ - \ specified `Key` from the internal Google SecOps context storage.\n3. **Value\ - \ Processing:** \n * If the key already contains data, the action concatenates\ - \ the existing value, the provided delimiter, and the new value.\n * If the\ - \ key is empty or does not exist, the action initializes it with the provided\ - \ value.\n4. **Context Update:** The updated string is saved back into the corresponding\ - \ context scope (Alert, Case, or Global).\n5. **Completion:** The action returns\ - \ a success message indicating whether the value was appended to an existing key\ - \ or a new key was created." + 1. **Parameter Extraction:** The action retrieves the Scope, Key, Value, and Delimiter\ + \ from the input configuration.\n2. **Context Retrieval:** Based on the selected\ + \ Scope, the action attempts to fetch the current value of the specified Key from\ + \ the internal Google SecOps context storage.\n3. **Value Processing:** \n \ + \ * If the key already contains data, the action concatenates the existing value,\ + \ the provided delimiter, and the new value.\n * If the key is empty or does\ + \ not exist, the action initializes it with the provided value.\n4. **Context\ + \ Update:** The updated string is saved back into the corresponding context scope\ + \ (Alert, Case, or Global).\n5. **Completion:** The action returns a success message\ + \ indicating whether the value was appended to an existing key or a new key was\ + \ created." capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: true + can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Updates or creates context properties within the Alert, Case, or Global scopes - of the Google SecOps environment. + Updates or creates context properties within the Google SecOps environment (Alert, + Case, or Global scope). + reasoning: >- + The action fetches existing context data from the Google SecOps environment + (fetches_data=true) and then updates or creates new context properties (can_mutate_internal_data=true). + It does not interact with external systems or modify entities, insights, or + alert metadata. categories: enrichment: false + reasoning: >- + The action is a utility for managing context properties. It does not perform + enrichment (it modifies internal state, which is not an allowed mutation for + enrichment actions) and does not fetch external data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -307,37 +471,106 @@ Append to Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on context properties + (Alert, Case, or Global scope) and does not use the target_entities list. Assign Case to User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action assigns a user to a case. This is an internal SOAR operation. It + does not match any of the specific IOC/Asset/Ticket/Containment categories. + It is an administrative/workflow action within the platform. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description This action assigns a specific user to a case within Google - SecOps. It is primarily used for workflow orchestration to ensure that cases are - routed to the correct analysts or administrators for investigation. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Case Id | String | Yes | The unique identifier of the case that needs - to be assigned. | | Assign To | String | Yes | The username or identifier of the - user to whom the case will be assigned (e.g., '@Admin'). | | Alert Id | String - | Yes | The unique identifier of the alert associated with the case. | ### Additional - Notes - This action performs an internal state change within the Google SecOps - SOAR platform by updating the case ownership. - It does not interact with external - third-party APIs. ### Flow Description 1. Parameter Extraction: The action retrieves - the Case Id, Assign To user, and Alert Id from the input parameters. 2. API Call: - It utilizes the assign_case_to_user utility from the TIPCommon library to communicate - with the internal SOAR API. 3. Assignment: The internal API updates the case record - to reflect the new assignee. 4. Completion: The action logs the result and terminates - successfully. + ### General Description + + This action assigns a specific user to a case within Google SecOps. It is primarily + used for workflow orchestration to ensure that cases are routed to the correct + analysts or administrators for investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Case Id | String | Yes | The unique identifier of the case that needs to be + assigned. | + + | Assign To | String | Yes | The username or identifier of the user to whom the + case will be assigned (e.g., '@Admin'). | + + | Alert Id | String | Yes | The unique identifier of the alert associated with + the case. | + + + ### Additional Notes + + - This action performs an internal state change within the Google SecOps SOAR + platform by updating the case ownership. + + - It does not interact with external third-party APIs. + + + ### Flow Description + + 1. Parameter Extraction: The action retrieves the Case Id, Assign To user, and + Alert Id from the input parameters. + + 2. API Call: It utilizes the assign_case_to_user utility from the TIPCommon library + to communicate with the internal SOAR API. + + 3. Assignment: The internal API updates the case record to reflect the new assignee. + + 4. Completion: The action logs the result and terminates successfully. capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: true + can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the assignee/owner of a case within the Google SecOps SOAR platform. + Updates the case ownership within the Google SecOps SOAR platform. + reasoning: >- + The action uses the TIPCommon library's assign_case_to_user function to modify + the case ownership within the Google SecOps platform. It does not fetch external + data or interact with external systems. It performs an internal mutation of + the case record. categories: enrichment: false + reasoning: >- + The action does not fetch data (not enrichment). It modifies internal SOAR data + (case assignment). It is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -353,15 +586,47 @@ Assign Case to User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities. It uses parameters provided + in the configuration. Attach Playbook to Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the alert by attaching workflows, which aligns with the + 'Update Alert' category. It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action attaches one or more playbooks (or blocks) to a specific alert within + This action attaches one or more playbooks or blocks to a specific alert within Google SecOps. It is primarily used to dynamically trigger additional automated - workflows based on the logic or findings of a parent playbook. The action can - handle multiple playbook names provided as a comma-separated list and includes - logic to prevent or allow duplicate attachments. + workflows based on the logic or findings of a parent playbook. ### Parameters Description @@ -407,10 +672,16 @@ Attach Playbook to Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action attaches playbooks to an alert, which modifies the alert's workflow - state and execution history within Google SecOps. + Attaches new workflows/playbooks to the alert within the SOAR platform. + reasoning: >- + The action fetches existing workflow data from the internal SOAR API to check + for duplicates and then modifies the alert by attaching new workflows. It does + not interact with external systems or update entities. categories: enrichment: false + reasoning: >- + The action modifies internal SOAR data (attaching workflows) and does not fetch + external context for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -426,7 +697,40 @@ Attach Playbook to Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process or iterate over `target_entities`. Attach Playbook to All Case Alerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the alert by attaching a workflow to it, which aligns with + the 'Update Alert' category. It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -471,10 +775,17 @@ Attach Playbook to All Case Alerts: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Attaches a playbook to all alerts within the current case, which modifies the - workflow and automation state of the alerts inside Google SecOps. + Attaches a playbook (workflow) to all alerts within the current case. + reasoning: >- + The action iterates through all alerts in the current case and uses the internal + `attach_workflow_to_case` method to link a specified playbook. This modifies + the internal state of the alerts within the SOAR platform. It does not fetch + external data or interact with external systems. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -490,7 +801,42 @@ Attach Playbook to All Case Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.case.alerts` to perform operations on alerts, + not on entities. Therefore, it does not use any entity types. Buffer: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility tool for data transformation and flow control within + a playbook. It does not perform any of the defined product-specific operations + such as enriching IOCs, managing tickets, or modifying alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description\n\nThe **Buffer** action is a utility tool within the Tools integration designed to facilitate data handling and flow control within @@ -526,8 +872,16 @@ Buffer: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses a provided JSON string and sets a result value. It does not + perform any external API calls, nor does it modify any internal SecOps entities, + alerts, or case data. It is a pure utility action. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source; it only + processes provided input parameters. Therefore, it does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -543,7 +897,42 @@ Buffer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + It is a utility action that operates on input parameters. Change Case Name: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action renames a case within the SecOps platform. It does not match any + of the provided categories (Enrichment, Ticket, Alert, IOC, Identity, Host, + Email, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -559,7 +948,9 @@ Change Case Name: | :--- | :--- | :--- | :--- | - | New Name | String | No | The new title to be assigned to the case. | + | New Name | String | No | The new title to be assigned to the case. While marked + as not mandatory in the configuration, the action logic expects a value to perform + the rename operation. | | Only If First Alert | Boolean | No | If set to `True`, the action will only rename the case if it is being executed in the context of the chronologically @@ -571,9 +962,6 @@ Change Case Name: - If `Only If First Alert` is enabled and the action is triggered by a subsequent alert, the case name will remain unchanged. - - While `New Name` is marked as not mandatory in the configuration, the action - logic expects a value to perform the rename operation. - ### Flow Description @@ -602,10 +990,17 @@ Change Case Name: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the case title (name) within the Google SecOps platform using the internal - SOAR API. + Updates the case title within the Google SecOps platform. + reasoning: >- + The action modifies the case title within the Google SecOps platform using the + `rename_case` function. It does not interact with external systems or modify + entity/alert data directly. It is a case management operation. categories: enrichment: false + reasoning: >- + The action is a case management utility that modifies internal case metadata. + It does not fetch external data or perform enrichment, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -621,7 +1016,43 @@ Change Case Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and its alerts, not on specific entities. It + does not iterate over `target_entities`. Check Entities Fields In Text: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action does not fetch external threat intelligence (not `enrich_ioc`) nor + does it retrieve contextual metadata from an external source (not `enrich_asset`). + It performs internal data processing and entity property updates. Therefore, + it does not match any of the predefined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -697,10 +1128,16 @@ Check Entities Fields In Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates entity additional properties with a match flag if the 'ShouldEnrichEntity' - parameter is provided and a match is found. + Updates entity `additional_properties` when a match is found. + reasoning: >- + The action processes internal entity data and updates entity properties (`additional_properties`) + if a match is found. It does not interact with external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it updates entity fields/attributes + (enriching the entity's profile) based on internal data comparison. It does + not mutate external systems. entity_usage: entity_types: - ADDRESS @@ -738,7 +1175,7 @@ Check Entities Fields In Text: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: false + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -751,7 +1188,42 @@ Check Entities Fields In Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type. It + accesses the `additional_properties` attribute of the entities to perform comparisons. Check List Subset: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility tool for comparing two lists. It does not perform any + of the defined product-specific operations such as enrichment, containment, + ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nThe **Check List Subset** action is a\ \ utility tool designed to compare two lists and determine if one (the 'Subset')\ \ is entirely contained within the other (the 'Original'). This is particularly\ @@ -783,8 +1255,17 @@ Check List Subset: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local set comparison on provided input parameters. It + does not interact with any external APIs, modify internal SOAR data, or update + entities. It simply returns a boolean result and a message based on the input + comparison. categories: enrichment: false + reasoning: >- + The action is a utility script for list comparison. It does not fetch data from + external sources, nor does it modify any internal or external state. Therefore, + it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -800,7 +1281,42 @@ Check List Subset: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates solely on input parameters + provided by the user and does not reference the `target_entities` attribute. Convert Into Simulated Case: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs data transformation and internal SOAR operations (importing + a case, adding an attachment). It does not match any of the defined product + categories like enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nConverts alert data into a format suitable\ \ for the Google SecOps Case Simulator. This action extracts raw event data from\ \ an entity's additional properties, transforms it into a standardized case JSON\ @@ -845,10 +1361,17 @@ Convert Into Simulated Case: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a .case file attachment to the case wall and imports a custom case into - the Google SecOps Simulator. + Adds an attachment to the case wall and imports a case into the simulator. + reasoning: >- + The action does not fetch external data (fetches_data=false). It does not mutate + external systems (can_mutate_external_data=false). It mutates internal SOAR + data by adding an attachment to the case wall and importing a case into the + simulator (can_mutate_internal_data=true). It does not update entities, create + insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action does not fetch external data, so it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -886,7 +1409,7 @@ Convert Into Simulated Case: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: false + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -899,7 +1422,44 @@ Convert Into Simulated Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code accesses the first entity of the current alert (`siemplify.current_alert.entities[0]`) + and checks its `additional_properties` for the `SourceFileContent` key. It does + not filter by entity type, so it supports all entity types. Create Entities with Separator: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates new entities within the alert. It does not fit the specific + categories like 'Enrich IOC' (no external fetch), 'Contain Host' (no external + mutation), or 'Update Alert' (no status/severity change). It is a utility action + for case management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -978,12 +1538,16 @@ Create Entities with Separator: can_update_entities: true external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - This action creates new entity objects within the Google SecOps case and alert. - It also populates the 'additional_properties' field of these entities with data - provided in the 'Enrichment JSON' parameter. + internal_data_mutation_explanation: Adds new entities to the case/alert. + reasoning: >- + The action interacts with the internal SOAR case/alert data to create new entities. + It does not fetch external data or mutate external systems. It performs internal + mutations by adding entities to the case. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for an enrichment action. It is a utility action for case management. entity_usage: entity_types: - ADDRESS @@ -1026,7 +1590,7 @@ Create Entities with Separator: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -1034,7 +1598,44 @@ Create Entities with Separator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves existing entities from the alert to check for duplicates + using `get_alert_entities`. It does not filter by specific entity types in the + code logic, but rather accepts the type as a parameter, meaning it can operate + on any entity type. Create Entity Relationships: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates entity relationships and updates entity properties. It does + not match any of the specific product categories like 'Enrich IOC', 'Contain + Host', or 'Create Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1122,18 +1723,62 @@ Create Entity Relationships: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates new entities and establishes relationships (Source, Destination, or - Linked) between entities within the Google SecOps case. It also updates entity - attributes (additional_properties) if an Enrichment JSON is provided. + Creates new entities and updates existing entities' additional properties within + the Google SecOps case. + reasoning: >- + The action creates new entities and establishes relationships between them and + existing entities within the Google SecOps case. It also updates entity properties + (enrichment) using the 'Enrichment JSON' parameter. It does not fetch external + data, nor does it mutate external systems. It performs internal mutations by + creating/updating entities within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch external data, which is a requirement for the Enrichment + category. It performs internal mutations (creating/updating entities), but does + not meet the criteria for an Enrichment action. entity_usage: - entity_types: [] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -1142,14 +1787,53 @@ Create Entity Relationships: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over the alert's entities to identify targets based on the + 'Target Entity Type' parameter. It does not filter by other attributes like + 'is_internal' or 'is_suspicious'. Since the entity type is dynamic based on + user input, it supports all entity types. Create Siemplify Task: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a task within the SOAR platform. It does not match any of + the provided categories (e.g., it is not an external ticket, not an alert update, + not an enrichment, not an IOC action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- + ### General Description + This action creates and assigns a new task to a specific user or role within the context of the current Google SecOps case. It is used to manage manual workflows or follow-up actions by setting clear instructions and deadlines. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -1203,9 +1887,17 @@ Create Siemplify Task: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates a new task record associated with the current case in Google SecOps. + Creates a new task within the Google SecOps case. + reasoning: >- + The action interacts with the internal SOAR API to create a task within a case. + It does not fetch external data, nor does it mutate external systems. It mutates + internal SOAR data by adding a task. categories: enrichment: false + reasoning: >- + The action creates a task within the SOAR platform. It does not fetch data, + nor does it perform any of the allowed enrichment mutations (add comment, insight, + update entity). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1221,7 +1913,44 @@ Create Siemplify Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on the case level, and the `SimulationDataJson` indicates no entities + are processed. DNS Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs DNS lookups for IP and Hostname entities, which provides + contextual information (reputation/intelligence) about the indicator. This aligns + with the 'Enrich IOC' category. It does not modify external systems or internal + case data, so it is not a mutation or containment action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Performs DNS lookups for IP Address and Hostname entities using specified DNS servers. This action allows analysts to retrieve various DNS record types (such @@ -1267,16 +1996,6 @@ DNS Lookup: 6. **Finalization**: All gathered DNS information is aggregated into a JSON result. The action completes with a success status if at least one record was found. - - - ### Additional Notes - - - - If multiple DNS servers are provided, the action will attempt to query each - one for every applicable entity. - - - The action does not modify the entities themselves but provides the lookup results - as raw JSON for downstream playbook tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -1287,8 +2006,18 @@ DNS Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs DNS queries (fetches data). It does not perform any write + operations to external systems (can_mutate_external_data=false) or internal + systems (can_mutate_internal_data=false). It does not update entities, create + insights, or modify alert data. categories: enrichment: true + reasoning: >- + The action fetches data (DNS records) from external DNS servers. It does not + mutate external systems (no POST/PUT/DELETE) and does not modify internal Google + SecOps data (no entity updates, insights, or comments). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1306,7 +2035,43 @@ DNS Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS` and `entity.entity_type == EntityTypes.HOSTNAME`. This + means it targets ADDRESS and HOSTNAME entities, filtering by entity_type. Delay Playbook: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for playbook flow control (pausing execution). It does + not match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1370,8 +2135,15 @@ Delay Playbook: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs no external API calls, does not fetch data, and does not + modify any external or internal system state (entities, alerts, comments). It + purely manages the execution state of the playbook itself. categories: enrichment: false + reasoning: >- + The action does not fetch data, nor does it perform any enrichment or mutation. + It is a flow control utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1387,7 +2159,41 @@ Delay Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Delay Playbook Synchronous: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for controlling playbook execution flow (pausing). + It does not perform any of the listed product-specific operations such as enrichment, + containment, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1440,8 +2246,16 @@ Delay Playbook Synchronous: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local `time.sleep` to pause execution. It does not interact + with external APIs, modify internal SOAR data, or update entities. Therefore, + it does not fetch data, mutate external or internal data, or perform any SOAR-specific + data modifications. categories: enrichment: false + reasoning: >- + The action is a utility for playbook flow control. It does not fetch data, so + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1457,7 +2271,42 @@ Delay Playbook Synchronous: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a utility action that runs independently + of any specific entity context. Delay Playbook V2: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for pausing playbook execution. It does not perform + any of the defined product-specific tasks such as enrichment, ticketing, or + containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nThis action pauses the execution of a\ \ playbook for a specified duration or until a specific time defined by a cron\ \ expression. It is an asynchronous action that allows for precise control over\ @@ -1497,8 +2346,16 @@ Delay Playbook V2: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility for controlling playbook execution flow. It does not + fetch data, mutate external systems, or modify internal SOAR data (entities, + alerts, insights). It simply manages the execution state of the playbook by + returning either an 'INPROGRESS' or 'COMPLETED' status. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment tasks. It is a control flow utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1514,7 +2371,43 @@ Delay Playbook V2: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a utility action for controlling + playbook execution flow. Extract URL Domain: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action parses strings to extract domains and updates entities with this + information. It does not fetch data from external systems, so it is not an enrichment + action. It updates entity metadata, which aligns with 'Enrich Asset' as it adds + contextual information to the asset. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1574,10 +2467,17 @@ Extract URL Domain: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'siemplifytools_extracted_domain' field within the 'additional_properties' - of processed entities. + Updates entity `additional_properties` with the extracted domain. + reasoning: >- + The action parses strings to extract domains and updates entities with this + information. It does not fetch data from external systems, so `fetches_data` + is false. It updates entity `additional_properties`, which is an internal mutation + and an entity update. categories: enrichment: false + reasoning: >- + The action parses strings to extract domains. It does not fetch data from external + sources, so it does not meet the criteria for an Enrichment action. entity_usage: entity_types: - ADDRESS @@ -1628,7 +2528,42 @@ Extract URL Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering. + Therefore, it processes all supported entity types. Find First Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs internal logic to compare alert timestamps within a case. + It does not interact with external systems, fetch external data, or modify case/alert + data. It does not fit any of the provided categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1669,8 +2604,16 @@ Find First Alert: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs internal logic to compare the current alert's creation time + against other alerts in the case. It does not interact with external APIs, modify + external systems, or update internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action does not fetch external data, nor does it perform any allowed internal + mutations (comments, insights, entity updates). It is a utility script for internal + logic. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1686,7 +2629,43 @@ Find First Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on the case's alert list. Get Case Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves comprehensive case information from the internal SOAR platform. + It does not interact with 3rd party products or perform specific enrichment + on IOCs/assets, nor does it mutate any data. Therefore, it does not fit into + the provided product-specific categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1761,8 +2740,16 @@ Get Case Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves comprehensive case information (comments, entities, insights, + alerts) from the internal SOAR API. It does not modify any external or internal + systems. It returns the data as a JSON result for use in playbooks. categories: enrichment: true + reasoning: >- + The action fetches case data to provide context for playbooks. It does not mutate + any external or internal systems, satisfying the requirements for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1778,7 +2765,43 @@ Get Case Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `siemplify.case_id` to fetch case data and does not iterate over + or filter `target_entities`. Therefore, it does not run on any specific entity + types. Get Case SLA: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves case-level SLA information from the Google SecOps platform. + This aligns with the 'Get Alert Information' category, as it fetches metadata + about the current case/alert. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1835,8 +2858,17 @@ Get Case SLA: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches case overview details from the internal Google SecOps API + (fetches_data=true). It does not perform any mutations on external systems or + internal data, nor does it update entities, create insights, or modify alert + data. categories: enrichment: false + reasoning: >- + The action fetches case-level metadata (SLA information) rather than enriching + specific alerts or entities with external threat intelligence. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1852,7 +2884,43 @@ Get Case SLA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the current case context using `siemplify.case_id` and + does not iterate over or filter any `target_entities`. Get Certificate Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves SSL certificate details for a given URL. It does not match + any of the provided product categories (e.g., Enrich IOC, Enrich Asset, etc.) + because it does not operate on entities or alerts, and it is not a containment + or ticketing action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1909,8 +2977,17 @@ Get Certificate Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action connects to an external host to retrieve certificate data (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false) or + internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alerts. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities or alerts, and it does not meet the + criteria for an enrichment action as defined (which requires operating on entities/alerts + to gather context). It is a utility action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1926,7 +3003,42 @@ Get Certificate Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities from the SOAR environment. It operates + solely on a provided URL parameter. Get Context Value: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves internal context data. It does not perform IOC enrichment, + asset enrichment, ticket management, or any other specific product category + operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -1943,7 +3055,7 @@ Get Context Value: | :--- | :--- | :--- | :--- | - | **Scope** | DDL | Yes | Specifies the context level to search. Options: 'Alert' + | **Scope** | String | Yes | Specifies the context level to search. Options: 'Alert' (current alert context), 'Case' (current case context), or 'Global' (system-wide context). | @@ -1985,8 +3097,17 @@ Get Context Value: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from the internal SecOps context (Alert, Case, or + Global). It does not perform any external API calls, nor does it modify any + internal or external data. It is a read-only operation. categories: enrichment: true + reasoning: >- + The action fetches data from an internal source (SecOps context). According + to the definition, an enrichment action must proactively fetch or retrieve data + from an external or internal source. Since this action retrieves data from an + internal source, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2002,15 +3123,51 @@ Get Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on global, case, or + alert context properties. Get Current Time: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility that returns a formatted timestamp. It does not perform + any of the defined product category operations (e.g., enrichment, containment, + ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Returns the current system date and time formatted according to a user-provided - string. This utility action is primarily used within playbooks to generate timestamps - for logging, reporting, or for use in subsequent logic steps that require a specific - time format. + ### General Description + This action returns the current system date and time formatted according to a + user-provided string. It is a utility action used to generate timestamps for logging, + reporting, or subsequent playbook logic. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -2020,7 +3177,12 @@ Get Current Time: to format the current date and time (e.g., '%d/%m/%Y %H:%M'). | - ### Flow + ### Additional Notes + + This action does not require any entities to run. + + + ### Flow Description 1. **Parameter Extraction**: The action retrieves the 'Datetime Format' string from the input parameters. @@ -2032,7 +3194,7 @@ Get Current Time: 'Datetime Format'. 4. **Completion**: The formatted time string is returned as the action's result - value, and the execution state is set to completed. + value. capabilities: can_create_case_comments: false can_create_insight: false @@ -2043,8 +3205,15 @@ Get Current Time: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action retrieves the current system time and formats it based on user input. + It does not perform any network requests, external API calls, or modifications + to internal/external data. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source; it generates a timestamp + locally. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2060,7 +3229,42 @@ Get Current Time: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a utility action that does not + require any entity input. Get Email Templates: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves email templates from the SOAR platform. It does not match + any of the defined categories (e.g., Enrich IOC, Enrich Asset, Update Alert, + etc.) as it is a utility action for retrieving system configuration. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2110,8 +3314,16 @@ Get Email Templates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches email template data from the internal SOAR platform. It does + not mutate any external or internal data, nor does it update entities, create + insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action retrieves system configuration (email templates) from the SOAR platform. + It does not gather context about alerts or entities, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2127,7 +3339,41 @@ Get Email Templates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It retrieves system-wide email templates. Get Integration Instances: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of integration instances. It does not match any + of the provided categories, which are focused on IOC enrichment, ticketing, + identity management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Retrieves a list of all installed integration instances for the current environment and the global environment. This action is useful for programmatically identifying @@ -2165,8 +3411,16 @@ Get Integration Instances: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to retrieve integration metadata from + the SOAR platform. It does not modify any external or internal data, nor does + it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a utility action that retrieves system configuration data (integration + instances). It does not perform enrichment on entities or alerts, nor does it + modify any state. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2182,7 +3436,41 @@ Get Integration Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates on the system level + to retrieve integration instances. Get Original Alert Json: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves the raw alert JSON, which aligns with the 'Get Alert Information' + category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2231,10 +3519,17 @@ Get Original Alert Json: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves the raw alert JSON from the `additional_properties` of + the first entity. It does not mutate any external or internal data, nor does + it update entities or create insights. It simply reads and returns the data. categories: enrichment: false + reasoning: >- + The action is a utility for retrieving raw alert data. It does not perform enrichment + (adding context to entities) or any other state-changing operation. entity_usage: entity_types: - ADDRESS @@ -2285,45 +3580,59 @@ Get Original Alert Json: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action accesses the first entity in the alert's entity list (`siemplify.current_alert.entities[0]`). + It does not filter entities by any criteria; it simply processes the first one + available. Therefore, it supports all entity types. Get Siemplify Users: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of users from the system. It does not match any + of the provided security-specific categories (e.g., IOC enrichment, ticket management, + containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves a comprehensive list of all users configured within the Google SecOps - (formerly Siemplify) environment. This utility action is primarily used for auditing - system access or identifying specific user accounts to be used in downstream playbook - logic. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Hide Disabled Users | Boolean | No | Determines whether to exclude inactive - user accounts from the results. Defaults to `true`. | - - - ### Flow Description - - 1. **Configuration**: The action retrieves the `Hide Disabled Users` parameter - to set the filtering scope. - - 2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, including - account status and metadata. - - 3. **Data Transformation**: The raw user objects are processed and converted into - a structured JSON format. - - 4. **Completion**: The action outputs the list of users to the `JsonResult` and - terminates with a success message. - - - ### Additional Notes - - This action does not process or interact with case entities (e.g., IP addresses, - Hostnames). It provides global system-level information. + ### General Description\nRetrieves a comprehensive list of all users configured + within the Google SecOps (formerly Siemplify) environment. This utility action + is primarily used for auditing system access or identifying specific user accounts + to be used in downstream playbook logic.\n\n### Parameters Description\n| Parameter + Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Hide + Disabled Users | Boolean | No | Determines whether to exclude inactive user accounts + from the results. Defaults to `true`. |\n\n### Flow Description\n1. **Configuration**: + The action retrieves the `Hide Disabled Users` parameter to set the filtering + scope.\n2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, + including account status and metadata.\n3. **Data Transformation**: The raw user + objects are processed and converted into a structured JSON format.\n4. **Completion**: + The action outputs the list of users to the `JsonResult` and terminates with a + success message.\n\n### Additional Notes\nThis action does not process or interact + with case entities (e.g., IP addresses, Hostnames). It provides global system-level + information. capabilities: can_create_case_comments: false can_create_insight: false @@ -2334,8 +3643,16 @@ Get Siemplify Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user data from the internal SOAR API. It does not modify + any external systems, nor does it modify internal case data, entities, or alerts. + It is a read-only utility action. categories: enrichment: false + reasoning: >- + The action retrieves system-level user information. It does not operate on alerts + or entities, nor does it provide supplemental context for them. Therefore, it + does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2351,29 +3668,59 @@ Get Siemplify Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It fetches global system data. Lock Playbook: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a control flow mechanism for playbook execution order. It does + not perform enrichment, containment, or ticket management. It does not match + any of the predefined categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "Pauses the execution of the current playbook until all playbooks\ \ associated with the chronologically preceding alert in the same case have finished.\ \ This action is used to enforce sequential processing of alerts within a single\ \ case, ensuring that automation logic for one alert does not overlap with or\ - \ precede the completion of a previous alert's logic.\n\n### Parameters\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ - \ | N/A | N/A | This action does not take any input parameters. |\n\n### Additional\ - \ Notes\n- This action is asynchronous (`is_async: true`), allowing it to remain\ - \ in an 'In Progress' state until the dependency is met.\n- It relies on the `creation_time`\ - \ of alerts within a case to determine the execution order.\n\n### Flow Description\n\ - 1. **Alert Retrieval:** Fetches all alerts associated with the current case and\ - \ sorts them by their creation timestamp.\n2. **Position Identification:** Determines\ - \ the index of the current alert within the sorted list.\n3. **First Alert Check:**\ - \ If the current alert is the first one in the case (index 0), the action completes\ - \ immediately to allow the playbook to proceed.\n4. **Dependency Check:** If the\ - \ current alert is not the first, the action identifies the immediately preceding\ - \ alert and queries the SOAR API for the status of its workflow instances.\n5.\ - \ **State Management:** \n - If any playbooks for the previous alert are still\ - \ running (not in a 'Completed' state), the action returns an 'In Progress' status,\ - \ effectively locking the current playbook.\n - Once all playbooks for the\ - \ previous alert are confirmed as 'Completed', the action returns a 'Completed'\ - \ status, releasing the lock and allowing the current playbook to continue." + \ precede the completion of a previous alert's logic.\n\n### Parameters\nThere\ + \ are no parameters for this action.\n\n### Flow Description\n1. **Alert Retrieval:**\ + \ Fetches all alerts associated with the current case and sorts them by their\ + \ creation timestamp.\n2. **Position Identification:** Determines the index of\ + \ the current alert within the sorted list.\n3. **First Alert Check:** If the\ + \ current alert is the first one in the case (index 0), the action completes immediately\ + \ to allow the playbook to proceed.\n4. **Dependency Check:** If the current alert\ + \ is not the first, the action identifies the immediately preceding alert and\ + \ queries the SOAR API for the status of its workflow instances.\n5. **State Management:**\ + \ \n - If any playbooks for the previous alert are still running (not in a\ + \ 'Completed' state), the action returns an 'In Progress' status, effectively\ + \ locking the current playbook.\n - Once all playbooks for the previous alert\ + \ are confirmed as 'Completed', the action returns a 'Completed' status, releasing\ + \ the lock and allowing the current playbook to continue." capabilities: can_create_case_comments: false can_create_insight: false @@ -2384,8 +3731,16 @@ Lock Playbook: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches workflow status from the SOAR API to determine if it should + pause execution. It does not mutate external or internal data, update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a control flow mechanism. It does not fetch supplemental context + about alerts or entities for enrichment purposes, nor does it modify internal + data or entities. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2401,14 +3756,51 @@ Lock Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `case.alerts` and uses `siemplify.alert_id` to identify + the current alert. It does not interact with `target_entities`. Therefore, it + does not run on entities. Look-A-Like Domains: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action identifies look-alike domains, which provides threat intelligence + and reputation context for the domain entity. This matches the 'Enrich IOC' + expected outcome. It does not perform any other actions like blocking, ticketing, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Identifies potential typosquatting or look-alike domain attacks by comparing DOMAIN - entities in a case against a list of authorized internal domains defined for the - environment. It uses the Levenshtein edit distance algorithm to determine similarity - and flag suspicious entities. + entities against a list of authorized internal domains defined for the environment. + It uses the Levenshtein edit distance algorithm to determine similarity and flag + suspicious entities. ### Parameters Description @@ -2463,10 +3855,21 @@ Look-A-Like Domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates DOMAIN entities by setting the 'is_suspicious' flag to true and adding - the 'look_a_like_domain' property to the entity's additional properties. + Updates the entity's suspicious status and adds the matching internal domain + to the entity's additional properties. + reasoning: >- + The action fetches internal domain data from the SOAR environment (fetches_data=true). + It does not mutate any external systems (can_mutate_external_data=false). It + updates entity properties and suspicious status within the SOAR platform (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action fetches internal domain data from the SOAR environment and enriches + DOMAIN entities by updating their properties and suspicious status. It does + not mutate any external systems, and its internal mutations are limited to updating + entities, which is permitted for enrichment actions. entity_usage: entity_types: - DOMAIN @@ -2483,55 +3886,65 @@ Look-A-Like Domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `if entity.entity_type + == "DOMAIN"`. This means it targets DOMAIN entities, filtering by entity_type. Normalize Entity Enrichment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for normalizing entity data. It does not perform any + of the defined product category actions (enrichment, containment, ticketing, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Normalize Entity Enrichment** action is a utility designed to standardize - the naming of enrichment data stored within an entity's `additional_properties`. + General Description: The **Normalize Entity Enrichment** action is a utility designed + to standardize the naming of enrichment data stored within an entity's `additional_properties`. It allows users to map existing, potentially inconsistent field names (e.g., from different threat intelligence providers) to a unified schema within the Google - SecOps SOAR environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Normalization Data** | string | Yes | A JSON-formatted string containing a - list of mapping objects. Each object must include `entitiy_field_name` (the current - key in the entity's additional properties) and `new_name` (the target normalized - key name). | - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `Normalization Data` parameter - and parses it from a JSON string into a Python list of dictionaries. - - 2. **Entity Iteration**: The script iterates through all `target_entities` currently - in the action's scope. - - 3. **Property Mapping**: For each entity, it checks if the specified `entitiy_field_name` - exists within the entity's `additional_properties` dictionary. - - 4. **Value Assignment**: If the source key is found, its value is copied to a - new key defined by `new_name`. If the source key is missing, the action initializes + SecOps SOAR environment. Parameters Description: The action requires one parameter: + **Normalization Data** (string, mandatory). This is a JSON-formatted string containing + a list of mapping objects. Each object must include `entitiy_field_name` (the + current key in the entity's additional properties) and `new_name` (the target + normalized key name). Flow Description: 1. Input Parsing: The action retrieves + the `Normalization Data` parameter and parses it from a JSON string into a Python + list of dictionaries. 2. Entity Iteration: The script iterates through all `target_entities` + currently in the action's scope. 3. Property Mapping: For each entity, it checks + if the specified `entitiy_field_name` exists within the entity's `additional_properties` + dictionary. 4. Value Assignment: If the source key is found, its value is copied + to a new key defined by `new_name`. If the source key is missing, the action initializes the `new_name` key with an empty string (provided the key does not already exist). - - 5. **Internal Update**: The action collects all processed entities and uses the - `update_entities` method to commit the changes back to the SOAR case. - - - ### Additional Notes - - - This action does not delete or replace the original keys; it creates new keys - with the mapped names, effectively duplicating the data under a normalized header. - - - If the `new_name` already exists on the entity, it will be overwritten by the - value from `entitiy_field_name` if that source field is present. + 5. Internal Update: The action collects all processed entities and uses the `update_entities` + method to commit the changes back to the SOAR case. Additional Notes: This action + does not delete or replace the original keys; it creates new keys with the mapped + names, effectively duplicating the data under a normalized header. If the `new_name` + already exists on the entity, it will be overwritten by the value from `entitiy_field_name` + if that source field is present. capabilities: can_create_case_comments: false can_create_insight: false @@ -2542,10 +3955,18 @@ Normalize Entity Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' dictionary of entities within - the Google SecOps case to normalize field names based on user-provided mapping. + Updates entity `additional_properties` within the SOAR case. + reasoning: >- + The action reads `additional_properties` from entities and updates them with + new keys. It does not fetch external data or mutate external systems. It performs + an internal mutation by updating entity attributes. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (normalizing entity fields) + rather than an enrichment action that gathers new context from external or internal + sources. It does not meet the criteria for an enrichment action as it does not + fetch data. entity_usage: entity_types: - ADDRESS @@ -2596,7 +4017,41 @@ Normalize Entity Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without applying any filters. + Therefore, it supports all entity types defined in the metadata. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + listed functional operations (enrichment, containment, ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2633,8 +4088,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by initializing the SDK and + terminating with a success message. It does not interact with external APIs, + modify internal data, or process entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided guidelines. It does not fetch data or perform any meaningful + operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2650,7 +4113,41 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference target_entities or perform any operations on entities. Re-Attach Playbook: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for resetting/re-running playbooks. It does not match + any of the provided categories (Enrichment, Containment, Ticket management, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2712,15 +4209,20 @@ Re-Attach Playbook: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Executes SQL DELETE commands on the PostgreSQL databases (siemplify_orchestration_db - and siemplify_system_db) to remove records from the 'WorkflowInstances' and - 'ActionResults' tables. + Modifies the PostgreSQL database to remove previous playbook execution state + and action results. fetches_data: true internal_data_mutation_explanation: >- - Uses the SOAR API to re-attach a playbook to a case, which modifies the case - state and initiates a new automated workflow execution. + Re-attaches the playbook to the case, triggering a new execution. + reasoning: >- + The action queries and modifies the PostgreSQL database (external system interaction) + to clear playbook state and then uses the SOAR API to re-attach the playbook + to the case (internal SOAR mutation). categories: enrichment: false + reasoning: >- + The action is a management/utility action for playbook orchestration. It does + not fetch context for entities or alerts, nor does it perform standard enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2736,7 +4238,42 @@ Re-Attach Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case level using `siemplify.case_id` and does not + iterate over or filter `target_entities`. Search Text: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for text processing (string/regex matching) and does + not interact with external systems or modify SecOps data. It does not match + any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2804,8 +4341,15 @@ Search Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string and regex processing on input text provided + as a parameter. It does not interact with external APIs, modify external systems, + or update internal SecOps data (entities, alerts, etc.). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for enrichment actions. It is a local utility action for text processing. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2821,7 +4365,42 @@ Search Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` and processes raw text input + parameters instead. Set Context Value: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the alert context, which is an internal SecOps operation. + It does not match any of the predefined product categories (e.g., enrichment, + ticket management, containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nThe **Set Context Value** action allows\ \ users to store and manage data dynamically within a Google SecOps playbook by\ \ setting key-value pairs in a specific context scope. This is primarily used\ @@ -2852,10 +4431,17 @@ Set Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action modifies internal context properties (metadata) associated with an - Alert, Case, or the Global environment within Google SecOps. + Modifies the internal context of the alert, case, or global system by setting + a key-value pair. + reasoning: >- + The action modifies internal SecOps data by setting context properties (Alert, + Case, or Global). It does not fetch external data or interact with external + systems. It modifies alert data (context). categories: enrichment: false + reasoning: >- + The action does not fetch data; it only sets internal context values. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2871,7 +4457,41 @@ Set Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the context of the + alert, case, or global system. Spell Check String: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility for text analysis. It does not perform any of the defined + product-specific tasks like enriching IOCs, updating tickets, or modifying alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -2932,8 +4552,16 @@ Spell Check String: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local text processing using the `spellchecker` library. + It does not interact with external APIs, modify external systems, or update + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it uses a local library) + and does not modify any internal or external state. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2949,7 +4577,42 @@ Spell Check String: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Unflatten JSON: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a utility for transforming data formats (flattened JSON to nested + JSON). It does not perform any security operations, such as enriching IOCs, + managing tickets, or modifying alerts. Therefore, it does not match any of the + defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -3010,8 +4673,15 @@ Unflatten JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a data transformation utility. It does not interact with external + APIs (fetches_data=false), does not mutate external systems, and does not modify + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a data transformation utility. It does not fetch data from external + sources, which is a requirement for the Enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3027,15 +4697,48 @@ Unflatten JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It processes a raw JSON string provided + as an input parameter. Update Alert Score: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the alert score within the SecOps platform, which matches + the 'Update Alert' category. It does not perform any other listed operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Update Alert Score** action is a utility designed to dynamically modify the numerical score associated with an alert in Google SecOps. This is typically used within playbooks to adjust the priority or risk level of an alert based on - logic-driven findings (e.g., increasing the score if a file is found to be malicious - or decreasing it if an IP is internal). + logic-driven findings. ### Parameters Description @@ -3083,10 +4786,16 @@ Update Alert Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'ALERT_SCORE' context property of the current alert by adding or - subtracting the provided input value. + Updates the 'ALERT_SCORE' property within the alert's context. + reasoning: >- + The action retrieves the current alert score from the internal context and updates + it by adding the provided input value. It does not interact with external systems + or fetch external data. categories: enrichment: false + reasoning: >- + The action modifies internal alert data (the score) and does not fetch external + data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3102,7 +4811,41 @@ Update Alert Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities, as it operates directly on the alert + context. Update Case Description: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the case description, which is a modification of the alert/case + metadata. This aligns with the 'Update Alert' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -3121,6 +4864,11 @@ Update Case Description: description for the current case. | + ### Additional Notes + + There are no additional notes for this action. + + ### Flow Description 1. **Parameter Extraction:** The action retrieves the 'Case Description' string @@ -3136,16 +4884,23 @@ Update Case Description: capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: false + can_modify_alert_data: true can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the description field of the current case within Google SecOps. + Updates the description of the current case within the Google SecOps platform. + reasoning: >- + The action modifies the case description, which is an internal SOAR operation. + It does not fetch data from external systems, nor does it mutate external systems. + It modifies internal case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data. It is a mutation + action that updates the case description. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3161,7 +4916,43 @@ Update Case Description: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the case level using + the `case_id` attribute. Wait for Playbook to Complete: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a control flow mechanism within the SOAR platform to synchronize + playbook execution. It does not perform enrichment, ticket creation, containment, + or any of the listed product-specific operations. It fetches internal workflow + status, which does not qualify as 'alert information from a 3rd party product'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nThis action synchronizes playbook execution\ \ by pausing the current playbook until another specified playbook or block, running\ \ on the same alert, reaches a terminal state. It is primarily used to manage\ @@ -3191,8 +4982,17 @@ Wait for Playbook to Complete: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches workflow instance status from the SOAR platform to determine + if a specific playbook has finished. It does not mutate external systems, nor + does it modify internal case data (entities, insights, comments). It is a control + flow action. categories: enrichment: false + reasoning: >- + The action is a control flow mechanism used to synchronize playbook execution. + It does not gather supplemental context about alerts or entities for enrichment + purposes, nor does it meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3208,3 +5008,6 @@ Wait for Playbook to Complete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the alert level to + check workflow statuses. diff --git a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d5976cbbb --- /dev/null +++ b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The 'tools' integration provides a collection of utility actions for data manipulation, + context management, and case orchestration within the Google SecOps platform. + It supports 'Threat Intelligence' by providing enrichment actions for external + indicators, such as 'DNS Lookup' (IP/Hostname), 'Look-A-Like Domains' (Domain), + and 'Get Certificate Details' (URL), which help determine reputation. It supports + 'ITSM' by providing case management and task orchestration capabilities, including + 'Create Siemplify Task', 'Assign Case to User', and automated jobs like 'Close + Cases Based On Search' and 'Tag Untouched Cases'. It does not meet the criteria + for SIEM (as it does not search logs or find activity), EDR (no host-level activity), + Network Security (no blocking/firewall logs), Email Security, IAM, Cloud Security, + Vulnerability Management, Asset Inventory, or Collaboration. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..4e397bec8 --- /dev/null +++ b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,83 @@ +Close Cases Based On Search: + ai_description: >- + ### General Description + + This job automates the bulk closure of cases in Google SecOps based on a specific + search query. It identifies open cases matching the provided search criteria and + closes them using the specified reason, root cause, and comment. This is useful + for cleaning up large volumes of cases (e.g., false positives) that meet specific + criteria. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Search Payload | String | No | The JSON payload used in the 'CaseSearchEverything' + API call to identify cases to close. | + + | Close Comment | String | Yes | The comment to be added to the closed cases. + | + + | Close Reason | Integer | Yes | The reason for closing the case (0 = Malicious, + 1 = Not Malicious). | + + | Root Cause | String | Yes | The root cause category for the closed cases (must + match settings in Case Data). | + + + ### Flow Description + + 1. Parses the 'Search Payload' parameter and ensures the search is restricted + to open cases by setting 'isCaseClosed' to 'False'. + + 2. Executes a search query using the 'CaseSearchEverything' API to retrieve a + list of matching case IDs. + + 3. If matching cases are found, it proceeds to perform a bulk closure operation. + + 4. Closes the identified cases using the provided 'Close Reason', 'Root Cause', + and 'Close Comment'. + + 5. Logs the outcome, including the number of cases successfully closed or a message + if no cases were found. +Tag Untouched Cases: + ai_description: >- + ### General Description + + This job automates case management by identifying "stale" or "untouched" open + cases. It scans for cases that have not been updated within a specified timeframe + and applies custom tags to them, facilitating better case prioritization and workflow + management. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | String | Yes | The tags to apply to the identified cases. Multiple tags + can be provided as a comma-separated list. | + + | Unmodified Time | Integer | Yes | The duration in hours since the last case + update that triggers the tagging action. | + + + ### Flow Description + + 1. Calculates the cutoff timestamp based on the current time minus the configured + `Unmodified Time`. + + 2. Queries Google SecOps for all open cases that have not been updated since the + calculated cutoff time. + + 3. If matching cases are found, parses the provided `Tags` parameter into a list. + + 4. Iterates through each identified case and applies the specified tags using + the `add_tag` method. + + 5. Logs the outcome, including the number of cases tagged or a message indicating + no stale cases were found. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml index 14d8de464..ccb949d1d 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml @@ -1,53 +1,88 @@ Check IP Reputation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for IP addresses from + AbuseIPDB and updates the entity with this information. This aligns perfectly + with the 'Enrich IOC' category. It does not perform any containment, ticketing, + or alert modification actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Checks the reputation of IP address entities using the AbuseIPDB API. This action - retrieves detailed threat intelligence, including abuse confidence scores, country - information, ISP details, and recent report history. It enriches the entities - within Google SecOps by adding these details as attributes and can automatically - mark entities as suspicious if they exceed a user-defined confidence threshold. + ### General Description + This action enriches IP Address entities by querying the AbuseIPDB service to + retrieve reputation data, such as confidence scores, ISP information, and report + history. It helps analysts quickly identify potentially malicious IP addresses + within their environment. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Exclude Internal Addresses | Boolean | No | If set to `true` (default), the - action will skip any IP addresses marked as internal to save API quota. | + | Exclude Internal Addresses | Boolean | No | If true, skips internal IP addresses + to save API quota. | - | Suspicious Threshold | String | Yes | An abuse confidence score (0-100). If - the IP's score is equal to or higher than this value, the entity is marked as - suspicious in the platform. Set to 0 to disable this logic. | + | Suspicious Threshold | String | Yes | The confidence score threshold (0-100) + above which an IP is marked as suspicious. Set to 0 to disable. | - | Create Insight | Boolean | No | If `true` (default), creates a formatted insight - on the entity containing key reputation data. | + | Create Insight | Boolean | No | If true, generates a case insight with the retrieved + IP reputation details. | - | Max Age in Days | String | Yes | Specifies the time range (in days) for which - AbuseIPDB should check for reports. Default is 90. | + | Max Age in Days | String | Yes | The maximum age of reports to consider when + checking the IP reputation. | ### Flow Description - 1. **Filter Entities:** The action identifies all `ADDRESS` entities in the current - scope. If `Exclude Internal Addresses` is enabled, it filters out entities where - `is_internal` is true. + 1. **Initialization**: The action initializes the AbuseIPDB manager using the + provided API key. + + 2. **Filtering**: It filters the target entities to include only ADDRESS types. + If the 'Exclude Internal Addresses' parameter is set to true, it further filters + out entities marked as internal. - 2. **API Query:** For each valid IP, the action sends a GET request to the AbuseIPDB - `/check` endpoint, passing the IP and the `Max Age in Days` parameter. + 3. **Enrichment**: For each valid IP entity, the action queries the AbuseIPDB + API for reputation data. - 3. **Data Enrichment:** The retrieved data (e.g., ISP, Domain, Country, Confidence - Score) is mapped to the entity's additional properties with the prefix `AbuseIPDB_`. + 4. **Data Processing**: If data is retrieved, it updates the entity's additional + properties with the AbuseIPDB report details. - 4. **Suspicious Evaluation:** The action compares the `abuseConfidenceScore` against - the `Suspicious Threshold`. If the threshold is met, the entity's `is_suspicious` - flag is set to true. + 5. **Risk Assessment**: If the abuse confidence score meets or exceeds the configured + 'Suspicious Threshold', the entity is marked as suspicious. - 5. **Insight Generation:** If enabled, a detailed HTML insight is created for - the entity, summarizing the reputation findings. + 6. **Insight Creation**: If 'Create Insight' is enabled, the action generates + a case insight containing the reputation summary. - 6. **Update:** The action updates the entities in the Google SecOps case and returns - the raw JSON data for further use in the playbook. + 7. **Update**: Finally, the action updates the entities in the SOAR platform with + the new enrichment data. capabilities: can_create_case_comments: false can_create_insight: true @@ -58,10 +93,20 @@ Check IP Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with reputation data, sets the suspicious status based - on the confidence score, and creates case insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches data from an external API (AbuseIPDB) to enrich IP entities. + It does not mutate external data (only performs GET requests). It mutates internal + data by updating entity properties (is_enriched, is_suspicious, additional_properties) + and creating insights. It does not modify alert data or create case comments. categories: enrichment: true + reasoning: >- + The action is designed to fetch reputation data for IP addresses and update + the entity profile within the SOAR platform. It does not mutate external systems, + and the internal mutations (updating entities, creating insights) are permitted + under the enrichment criteria. entity_usage: entity_types: - ADDRESS @@ -78,25 +123,78 @@ Check IP Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on `entity.entity_type == EntityTypes.ADDRESS`. It also optionally filters by + `entity.is_internal` based on the 'Exclude Internal Addresses' parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform enrichment, + containment, or any other operational task on entities or alerts. It does not + match any of the specific product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description Tests the connectivity to the AbuseIPDB service to verify - that the provided API key and configuration are valid. This action is typically - used during the initial setup or troubleshooting of the integration. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Api Key | String | Yes | The API key required to authenticate with - the AbuseIPDB API. This is an integration configuration parameter. | | Verify - SSL | Boolean | No | If enabled, the action will verify the SSL certificate of - the AbuseIPDB API endpoint. This is an integration configuration parameter. Default - is False. | ### Flow Description 1. **Initialization**: The action retrieves the - API Key and SSL verification preference from the integration settings. 2. **Connectivity - Test**: It attempts to query the AbuseIPDB 'check' endpoint using a dummy IP address - (1.1.1.1). 3. **Validation**: The response is checked for success. If the API - key is invalid, a specific error is caught and reported. 4. **Completion**: The - action returns 'true' and a success message if the connection is established, - or 'false' with an error message if the connection fails. ### Additional Notes - There are no action-specific parameters; it relies entirely on the integration's - configuration. This action does not process or affect any entities in the environment. + Validates connectivity to the AbuseIPDB service. This action performs a test API + call to ensure the provided API key is valid and the service is reachable. + + + ### Flow + + 1. Extracts configuration parameters: 'Api Key' and 'Verify SSL'. + + 2. Initializes the AbuseIPDBManager with the provided credentials. + + 3. Executes the 'test_connectivity' method, which performs a GET request to the + AbuseIPDB API using a dummy IP address. + + 4. Returns a success message if the connection is established, or a failure message + if the API key is invalid or another error occurs. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Api Key | String | Yes | The API key for authenticating with the AbuseIPDB service. + | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + Defaults to False. | + + + ### Additional Notes + + This action is a connectivity test and does not perform any data enrichment or + system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -107,8 +205,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the AbuseIPDB API. + It does not modify external systems, update internal entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -124,3 +228,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use 'target_entities'. It performs a hardcoded connectivity + test. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0b5ac1f3d --- /dev/null +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The abuse_ipdb integration is designed to query the AbuseIPDB service to retrieve + reputation data for IP addresses. Its primary action, 'Check IP Reputation', performs + enrichment on IP entities by fetching risk scores and report history, which directly + aligns with the 'Threat Intelligence' category definition of using external indicators + to determine reputation. The integration does not perform SIEM log analysis, EDR + host containment, network security gateway blocking, email security, IAM management, + cloud security operations, ITSM ticketing, vulnerability management, asset inventory + tracking, or collaboration/notification tasks. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml index 77aa731fb..a61dd2748 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml @@ -1,66 +1,50 @@ AddOrUpdate: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs data synchronization (insert/update) with an external Airtable + database. It does not match any of the predefined categories (e.g., IOC enrichment, + ticket creation, identity management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action allows users to synchronize data with an Airtable table by either - adding new records or updating existing ones. It is designed to handle batch operations - provided via a JSON-formatted string. The action searches for existing records - based on a user-defined unique field; if a match is found, the record is updated - with the new data; if no match is found, a new record is created. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | **Base id** | The unique identifier for the Airtable base where the table resides. - | String | Yes | Found in the Airtable API documentation for the specific base. - | - - | **Table name** | The name of the table within the specified base to perform - operations on. | String | Yes | Must match the table name in Airtable exactly. - | - - | **Field name** | The name of the field (column) used to identify existing records - for updates. | String | Yes | This field acts as the unique key for the 'search' - logic. | - - | **Json fields** | A JSON-formatted string representing a list of record objects - to be processed. | String | Yes | Expected format is a list of dictionaries, e.g., - `[{"Email": "test@example.com", "Status": "Active"}]`. | - - - ### Additional Notes - - - The action expects the `Json fields` parameter to be a valid JSON array of objects. - - - If multiple records in Airtable match the `Field name` value, all matching records - will be updated with the provided data. - - - ### Flow Description - - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and extracts the Base ID, Table Name, Field Name, and JSON data - from the action parameters. - - 2. **Data Parsing**: The `Json fields` string is parsed into a Python list of - dictionaries. - - 3. **Search and Match**: For each dictionary in the list, the action performs - a search in the specified Airtable table where the column defined by `Field name` - matches the value provided in the input data. - - 4. **Update Logic**: If the search returns one or more existing records, the action - iterates through them and updates each record using the provided data. - - 5. **Insert Logic**: If no records are found during the search, the action inserts - a new record into the table using the provided data. - - 6. **Completion**: The action concludes by providing a summary message indicating - the total number of records inserted and updated. + This action synchronizes data with an Airtable database by adding new records + or updating existing ones based on a specified field identifier. Flow: 1. Extracts + configuration parameters (API key, Base ID, Table Name, Field Name, JSON fields). + 2. Parses the Json fields input string into a list of dictionaries. 3. Iterates + through each record in the list. 4. Searches for existing records in the specified + Airtable table using the provided Field name as a key. 5. If a record is found, + it updates the existing record with the new data. 6. If no record is found, it + inserts a new record into the table. 7. Returns a summary of the total records + inserted and updated. Parameters: Base id (string, mandatory): The ID of the Airtable + base. Table name (string, mandatory): The name of the table within the base. Field + name (string, mandatory): The field name used to identify existing records for + update. Json fields (string, mandatory): A JSON string representing the records + to be added or updated. capabilities: can_create_case_comments: false can_create_insight: false @@ -69,12 +53,20 @@ AddOrUpdate: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs 'update' and 'insert' operations on the target Airtable - table, modifying the state of the external database. + Updates existing records or inserts new records into the specified Airtable + table. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (GET) on Airtable to check for existing records, + thus fetching data. It then performs updates or inserts (POST/PATCH) to modify + external data in Airtable. It does not modify internal Google SecOps data or + entities. categories: enrichment: false + reasoning: >- + The action mutates external data (Airtable records) and does not meet the criteria + for an enrichment action, which must be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -90,14 +82,49 @@ AddOrUpdate: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It processes raw JSON input provided via parameters. Create: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates records in an external database (Airtable). It does not match + the specific definitions of the provided categories (e.g., it is not an ITSM + ticket, not an alert update, not an IOC blocklist, etc.). Therefore, all categories + are false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create** action allows users to programmatically insert new records into - a specific table within an AirTable base. It is designed to handle bulk operations - by accepting a JSON array of field-value pairs, making it suitable for logging, - tracking, or synchronizing data from Google SecOps to AirTable. + Creates new records in a specific Airtable base and table. This action allows + users to push structured data into Airtable by providing the base ID, table name, + and a JSON array of fields to be inserted. ### Parameters Description @@ -106,38 +133,32 @@ Create: | :--- | :--- | :--- | :--- | - | **Base id** | string | Yes | The unique identifier for the AirTable base (database). - This can be found in the URL of the AirTable API page for the specific base. | + | Base id | string | Yes | The ID of the Airtable base. This can be found in the + URL of the API page of the base. | - | **Table name** | string | Yes | The name of the specific table within the base - where the records should be inserted. | + | Table name | string | Yes | The name of the table within the base. | - | **Json fields** | content | Yes | A JSON-formatted array of objects. Each object - represents a single row to be created, with keys matching the AirTable column - names and values matching the desired cell content. | + | Json fields | content | Yes | A JSON array of objects representing the rows + to be created. | - ### Flow Description + ### Additional Notes + + The action requires the 'Api key' to be configured in the integration settings. + The 'Json fields' parameter must be a valid JSON array of objects. + - 1. **Configuration Retrieval**: The action extracts the AirTable API key from - the integration settings and the Base ID, Table Name, and JSON fields from the - action parameters. + ### Flow Description - 2. **Connection Initialization**: It initializes the AirTable client using the - provided credentials and base/table identifiers. + 1. Extract configuration parameters (API Key, Base ID, Table Name, JSON fields). - 3. **Data Parsing**: The action parses the `Json fields` string into a list of - Python dictionaries. + 2. Initialize the Airtable client. - 4. **Record Creation**: It iterates through each dictionary in the list and performs - an `insert` operation into the target AirTable table. + 3. Parse the provided JSON fields string into a list of records. - 5. **Result Compilation**: The action collects the unique IDs and field data of - the successfully created records. + 4. Iterate through the records and insert them into the specified Airtable table. - 6. **Finalization**: It outputs a summary message indicating the number of records - added and attaches the full JSON response of the created records to the action - results. + 5. Return the result of the insertion (IDs and fields) to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,11 +167,18 @@ Create: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates new records (rows) in a specified AirTable table. + Creates new records in the specified Airtable base and table. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST/Insert operation to an external system (Airtable) + to create records. It does not fetch data, nor does it modify internal SOAR + entities or case data. categories: enrichment: false + reasoning: >- + The action does not fetch data (it pushes data), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -166,67 +194,91 @@ Create: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Delete: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes records from an external database (Airtable). This does not + align with any of the provided security-specific categories (e.g., IOC enrichment, + ticket management, identity management, host containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Delete** action allows users to remove records from a specific Airtable - table based on a matching field value. It searches for records where a designated - column (field) contains a specific value and deletes the resulting records up - to a defined limit. - + Deletes records from an Airtable database based on a specified field and value. + This action automates the cleanup of structured data within Airtable by searching + for records that match a given field-value pair and removing them. - ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Airtable API key from + the integration configuration. - | **Field value** | The specific value to search for within the designated field. - | String | Yes | Records containing this value will be targeted for deletion. - | + 2. **Parameter Parsing**: It extracts the Base ID, Table Name, Field Name, Field + Value, and Max Records limit from the action parameters. - | **Field name** | The name of the column (field) in the Airtable table to search. - | String | Yes | This identifies which column to check for the 'Field value'. - | + 3. **Search**: It connects to the specified Airtable base and table, searching + for records where the provided field matches the specified value. - | **Table name** | The name of the table within the Airtable base. | String | - Yes | Specifies the target table for the operation. | + 4. **Deletion**: It iterates through the retrieved records and deletes them from + the Airtable table. - | **Base id** | The unique identifier for the Airtable base (database). | String - | Yes | Found in the Airtable API documentation URL for the specific base. | + 5. **Completion**: It returns a summary message indicating the number of records + successfully deleted. - | **Max records** | The maximum number of records to be deleted in a single execution. - | String | Yes | Default is 100. This limits the scope of the deletion to prevent - accidental mass data loss. | + ### Parameters - ### Additional Notes + | Parameter | Type | Mandatory | Description | - * **Warning:** This action performs a destructive operation by deleting entire - records (rows) from Airtable, not just clearing specific cell values. + | :--- | :--- | :--- | :--- | - * The action first performs a search to identify record IDs and then iterates - through those IDs to execute the deletion. + | Field value | string | Yes | The value of a specific field in a table to match + for deletion. | + | Field name | string | Yes | The name of the field (column) in the table to search. + | - ### Flow Description + | Table name | string | Yes | The name of the table within the base. | - 1. **Configuration Extraction:** Retrieves the Airtable API key from the integration - settings and the Base ID, Table Name, and search criteria from the action parameters. + | Base id | string | Yes | The ID of the Airtable base where the data is stored. + | - 2. **Search Phase:** Connects to the Airtable API and searches the specified - table for records where the `Field name` matches the `Field value`, limited by - the `Max records` parameter. + | Max records | string | Yes | The maximum number of records (rows) that will + be affected by the action. | - 3. **Deletion Phase:** Iterates through the list of matching records retrieved - in the search phase. - 4. **Execution:** For each matching record, it calls the Airtable delete method - using the unique record ID. + ### Additional Notes - 5. **Reporting:** Returns a summary message to the Google SecOps platform indicating - the total number of records successfully deleted. + This action performs a destructive operation (deletion) on external data. Ensure + that the `Field name` and `Field value` are correctly specified to avoid accidental + data loss. capabilities: can_create_case_comments: false can_create_insight: false @@ -235,12 +287,18 @@ Delete: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action deletes records from an Airtable table based on search criteria provided - in the parameters. + Deletes records from the specified Airtable table based on the search criteria. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (fetch) and then a delete (mutate) on an external + Airtable database. It does not interact with SOAR entities or internal case + data. categories: enrichment: false + reasoning: >- + The action mutates external data (deletes records), therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -256,53 +314,80 @@ Delete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or reference any SOAR entities. Delete All Records: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes records from an external Airtable database. It does not match + any of the provided specific categories (e.g., IOC enrichment, host containment, + ticket management, email management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Deletes all records from a specified table in an Airtable base. - Deletes all records from a specified table within an Airtable base. This action - is useful for clearing out temporary data or resetting a table's state as part - of an automated workflow. + ### Flow Description - ### Parameters Description + 1. The action extracts the `Api key`, `Base Id`, and `Table name` from the integration + configuration and action parameters. - | Parameter Name | Description | Type | Mandatory | Notes | + 2. It initializes the Airtable client using the provided credentials and base + information. - | :--- | :--- | :--- | :--- | :--- | + 3. It retrieves all existing records from the specified table. - | Base Id | The unique identifier for the Airtable base (database). This can be - found in the Airtable API documentation for the specific base. | string | Yes - | Required to locate the correct database. | + 4. It collects the unique identifiers for all retrieved records. - | Table name | The name of the table within the specified base from which all - records will be deleted. | string | Yes | Required to target the specific data - set. | + 5. It performs a batch deletion operation to remove all collected records from + the Airtable table. + 6. It returns a success message indicating the total count of deleted records. - ### Additional Notes - **Warning:** This is a destructive action. It retrieves all record IDs currently - in the table and performs a batch delete. Ensure the correct Base ID and Table - Name are provided to avoid accidental data loss. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication:** The action retrieves the Airtable API key from the integration - configuration. + | Base Id | string | Yes | The unique identifier for the Airtable base, found + in the API URL. | - 2. **Data Retrieval:** It connects to the specified Airtable base and table to - fetch all existing records. + | Table name | string | Yes | The name of the table within the base to clear. + | - 3. **ID Extraction:** The action iterates through the retrieved records to collect - their unique identifiers. - 4. **Batch Deletion:** It uses the collected IDs to perform a batch delete operation, - removing all records from the table. + ### Additional Notes - 5. **Reporting:** The action concludes by reporting the total number of records - successfully deleted. + This action performs a destructive operation by deleting all records in the specified + table. Ensure the correct `Base Id` and `Table name` are provided before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,12 +396,18 @@ Delete All Records: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a batch delete operation on the specified Airtable table, - permanently removing all records found within it. + Deletes all records from the specified Airtable table. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (records) from Airtable to identify them, then performs + a batch delete operation (mutation) on the external system. It does not interact + with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs a destructive mutation + on an external system (Airtable). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -332,59 +423,108 @@ Delete All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script does not use `siemplify.target_entities`. It operates on external + Airtable data based on provided parameters. Enrich Entities From Table: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata from an external database (Airtable) + and adds it to the entity. This matches the definition of 'Enrich IOC' (if the + entity is an IOC) and 'Enrich Asset' (if the entity is an asset). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Enriches entities by searching for matching records within a specified Airtable - table. This action allows users to map entity identifiers or specific entity properties - to columns in Airtable to retrieve supplemental context. + ### General Description + Enriches entities by searching for their identifiers or specific properties in + an Airtable database. This action retrieves structured data from a specified Airtable + base and table, then updates the entity's additional properties with the retrieved + information, allowing analysts to correlate case data with external Airtable records. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Airtable API key, Base + ID, Table Name, Field Name, and optional parameters (Entity Field, Max Records, + Enrichment Prefix) from the integration settings. - | Base id | String | Yes | The unique identifier for the Airtable base (database). - | + 2. **Entity Iteration**: The action iterates through all target entities provided + in the case. - | Table name | String | Yes | The name of the table within the base to search. - | + 3. **Search Value Determination**: For each entity, it determines the search value. + If an `Entity Field` is specified, it attempts to retrieve that property from + the entity's `additional_properties`. If not specified or if the property is missing, + it defaults to the entity's `identifier`. - | Field name | String | Yes | The specific column name in the Airtable table to - match against. | + 4. **Airtable Query**: It performs a search against the specified Airtable table + using the determined search value. - | Enrichment Prefix | String | No | A prefix added to the keys of the retrieved - data when stored in entity properties (default: 'AT_'). | + 5. **Data Enrichment**: If a match is found, the action flattens the retrieved + record, applies the configured `Enrichment Prefix` to the keys, and updates the + entity's `additional_properties`. - | Max records | String | No | The maximum number of records to consider for the - search (default: '100'). | + 6. **Entity Update**: Finally, the action updates the enriched entities within + the SOAR platform and returns the count of successful and failed enrichments. - | Entity Field | String | No | The entity property to use for the search. If not - provided, the entity's identifier is used. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base id | string | Yes | The ID of the Airtable base where the data is stored. + | + + | Table name | string | Yes | The name of the specific table within the Airtable + base. | - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and extracts the user-provided parameters (Base ID, Table Name, - Field Name, etc.). + | Field name | string | Yes | The column name in the Airtable table to search + against. | - 2. **Entity Processing**: For each target entity, the action determines the search - value. It uses either a specific property defined in 'Entity Field' or the entity's - identifier. + | Entity Field | string | No | The entity property to use for the search. If left + empty, the entity's identifier is used. | - 3. **Airtable Query**: It performs a search in the specified Airtable table, matching - the 'Field name' column against the search value. It also attempts a case-insensitive - (lowercase) search if the initial search yields no results. + | Max records | string | No | The maximum number of records to retrieve from Airtable. + Defaults to 100. | - 4. **Data Enrichment**: If a matching record is found, the action flattens the - record's data structure and updates the entity's additional properties with this - data, applying the specified prefix. + | Enrichment Prefix | string | No | A prefix to prepend to the keys of the added + enrichment fields. Defaults to 'AT_'. | - 5. **Finalization**: The action updates all successfully enriched entities in - Google SecOps and provides a summary of the results, including any errors encountered - during the process. + + ### Additional Notes + + - The action does not filter entities by type; it attempts to process all entities + provided in the target list. + + - If the `Entity Field` parameter is provided but the property does not exist + on the entity, the enrichment for that specific entity will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -395,10 +535,19 @@ Enrich Entities From Table: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with flattened data retrieved from Airtable - records. + Updates the entity's additional_properties with data retrieved from Airtable. + reasoning: >- + The action fetches data from an external system (Airtable) via API calls (fetches_data=true). + It does not mutate external data (can_mutate_external_data=false). It updates + internal SOAR entities with the retrieved data (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Airtable) and updates internal + entities with that data. It does not mutate external systems, nor does it perform + forbidden internal mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -449,65 +598,83 @@ Enrich Entities From Table: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` without filtering by + type, so it supports all entity types. It uses the `additional_properties` attribute + of the entity if the `Entity Field` parameter is provided. Get All Records: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves records from an Airtable database. It does not match any + of the specific product categories defined (e.g., IOC enrichment, asset enrichment, + containment, ticketing, etc.). It is a general-purpose data retrieval utility. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get All Records** action retrieves a specified number of records from a - designated table within an Airtable base. It allows for sorting the results based - on a specific column in either ascending or descending order. This action is primarily - used for data retrieval and synchronization tasks between Airtable and Google - SecOps. + Retrieves records from a specified table within an Airtable database. This action + allows users to query data by providing the Base ID and Table name, with optional + sorting capabilities. The action fetches the requested records and returns them + as a JSON result for further analysis or reporting within the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base Id** | string | Yes | The unique ID of the Airtable base (database). - Found in the API documentation URL for the base. | - - | **Table name** | string | Yes | The name of the specific table within the base - from which to fetch records. | - - | **Max Records** | string | Yes | The maximum number of rows/records to be retrieved - by the action. | - - | **Sort by** | string | No | The name of the column to use for sorting the retrieved - records. | - - | **Sort Direction** | ddl | Yes | Specifies whether the records should be sorted - in 'Ascending' or 'Descending' order. | + | Base Id | string | Yes | The ID of the Airtable base (database) to query. Found + in the API URL. | + | Table name | string | Yes | The name of the table within the base to retrieve + records from. | - ### Additional Notes + | Max Records | string | Yes | The maximum number of rows to return. | - - This action does not operate on SecOps entities; it is a utility action for - database interaction. + | Sort by | string | No | The column name to sort the results by. | - - If **Sort by** is not provided, the records will be returned in the default - order provided by the Airtable API. + | Sort Direction | ddl | Yes | The direction of the sort (Descending or Ascending). + | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Airtable API key from - the integration configuration and the user-provided parameters (Base ID, Table - Name, Max Records, Sort By, and Sort Direction). + 1. The action extracts the configuration (API Key) and input parameters (Base + ID, Table name, Max Records, Sort by, Sort Direction). - 2. **Client Initialization**: An Airtable client is initialized using the provided - Base ID, Table Name, and API Key. + 2. It initializes the Airtable client using the provided credentials. - 3. **Sort Logic**: The action maps the user-friendly 'Ascending/Descending' input - to the API-required 'asc/desc' values. + 3. It constructs the query, applying sorting logic if a 'Sort by' column is provided. - 4. **Data Retrieval**: The action calls the Airtable API to fetch the records, - applying the limit and sorting criteria if specified. + 4. It executes the retrieval request to Airtable. - 5. **Result Processing**: The retrieved records are counted and formatted into - a JSON result, which is then attached to the action output in Google SecOps. + 5. The retrieved records are output as a JSON result and a summary message is + returned to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -518,8 +685,17 @@ Get All Records: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation (GET) to retrieve data from an external + Airtable database. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply returns the fetched + data as a result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Airtable), but it does not + operate on SOAR entities or alerts to provide enrichment context. It is a general-purpose + data retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -535,52 +711,82 @@ Get All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any SOAR entities. It operates on + generic database records. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + operational tasks (e.g., enrichment, ticketing, containment). Therefore, it + does not match any of the provided categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the AirTable service. It ensures that the provided credentials and configuration - details (API Key, Base ID, and Table Name) are valid and that the service is reachable. + This action tests the connectivity between the SOAR platform and the AirTable + service. It verifies that the provided credentials and identifiers are valid by + attempting to retrieve records from the specified table. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Api key | String | Yes | The API key used to authenticate with the AirTable - API. This is extracted from the integration configuration. | + service. | - | Base id | String | Yes | The unique identifier for the AirTable base. This is - extracted from the integration configuration. | + | Base id | String | Yes | The unique identifier for the AirTable base. | - | Table name | String | Yes | The name of the specific table within the base to - test connectivity against. This is extracted from the integration configuration. + | Table name | String | Yes | The name of the table within the base to query. | - ### Additional Notes + ### Flow Description - This action does not process any entities and is strictly used for health checks - of the integration configuration. It does not accept any action-specific input - parameters. + 1. Extracts the required configuration parameters (`Api key`, `Base id`, `Table + name`) from the integration settings. + 2. Initializes the AirTable client using the provided credentials and identifiers. - ### Flow Description + 3. Executes a `get_all` request to the specified AirTable base and table to verify + that the connection is active and authenticated. - 1. **Configuration Extraction**: The action retrieves the API Key, Base ID, and - Table Name from the integration's configuration settings. + 4. Returns a success message indicating the connection status. - 2. **Client Initialization**: An AirTable client is initialized using the retrieved - credentials. - 3. **Connectivity Test**: The action attempts to fetch a single record from the - specified table using the `get_all` method with `maxRecords=1`. + ### Additional Notes - 4. **Result Reporting**: If the request is successful, the action concludes with - a success message indicating that AirTable is connected. + This is a connectivity test action and does not perform any data modification + or enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -591,8 +797,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only request (get_all) to verify connectivity. It + does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -608,30 +820,80 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. Search: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a search in an external database (Airtable). It does not + match any of the predefined categories like 'Enrich IOC', 'Enrich Asset', 'Search + Events', 'Search Email', 'Search Asset', or 'Get Alert Information'. It is a + general-purpose search action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description The **Search** action allows users to query an Airtable - base for specific records. It searches a designated table and column (field) for - a matching value and retrieves the corresponding row data. This is useful for - looking up asset information, user details, or threat intelligence stored within - Airtable. ### Parameters Description | Parameter | Type | Mandatory | Description - | | :--- | :--- | :--- | :--- | | **Base id** | string | Yes | The unique identifier - for the Airtable base (found in the API URL). | | **Table name** | string | Yes - | The name of the table within the base where the search will be performed. | - | **Field name** | string | Yes | The name of the column to search in. | | **Field - value** | string | Yes | The specific value to search for within the specified - field. | | **Max records** | string | No | The maximum number of records to return - (default is 100). | ### Flow Description 1. **Initialization**: The action retrieves - the Airtable API key from the integration configuration and extracts the search - parameters (Base ID, Table Name, Field Name, Field Value, and Max Records) from - the input. 2. **Client Setup**: An Airtable client is initialized using the provided - Base ID and API Key. 3. **Execution**: The action performs a search query against - the specified table, filtering by the provided field name and value. 4. **Output**: - The matching records are returned as a JSON object, and a summary message indicates - the number of records found. ### Additional Notes - This action does not process - SOAR entities; it operates strictly based on the provided input parameters. - - The Max records parameter is converted to an integer; if an invalid value is provided, - the script logic defaults to 5. + Searches for records in an Airtable database. This action allows users to query + specific tables within an Airtable base by providing a field name and a corresponding + value. It retrieves matching records up to a specified limit and returns them + as a JSON result. + + + ### Flow + + 1. Extracts configuration (API key) and parameters (Base ID, Table Name, Field + Name, Field Value, Max Records). + + 2. Initializes the Airtable client using the provided credentials and base ID. + + 3. Executes a search query on the specified table to find records matching the + provided field name and value. + + 4. Returns the matching records as a JSON result in the action output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Field value | string | Yes | The value to search for in the specified field. + | + + | Field name | string | Yes | The column name to search within. | + + | Table name | string | Yes | The name of the table in the Airtable base. | + + | Base id | string | Yes | The ID of the Airtable base. | + + | Max records | string | No | The maximum number of records (rows) that will be + affected by the action. Default is 100. | capabilities: can_create_case_comments: false can_create_insight: false @@ -642,8 +904,17 @@ Search: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (GET-like operation) on an external system (Airtable). + It does not modify external data, nor does it modify internal SOAR data (entities, + insights, comments). categories: enrichment: false + reasoning: >- + The action is a generic search tool for an external database (Airtable). It + does not target specific entities or alerts for enrichment, nor does it meet + the criteria for an enrichment action as it does not operate on entities or + alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -659,66 +930,90 @@ Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses user-provided + parameters to perform a search. Update: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a generic update on records in an Airtable database. It + does not match the specific expected outcomes for ITSM ticket updates, alert + updates, or other predefined categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates specific records in an Airtable table based on a search criterion. This - action allows for bulk updates of records that share a common field value, enabling - automated data management within Airtable bases. + This action updates specific records within an Airtable database. It allows users + to search for records based on a field-value pair and apply updates to those records + using a provided JSON object containing the new field values. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base id | string | Yes | The unique identifier for the Airtable base, found - in the API URL. | + | Base id | string | Yes | The ID of the Airtable base where the data is stored. + This can be found in the URL of the API page for the base. | - | Table name | string | Yes | The name of the table within the base where the - update will occur. | + | Table name | string | Yes | The name of the table within the Airtable base to + be updated. | - | Field name | string | Yes | The name of the column used to filter/search for - records to be updated. | + | Field name | string | Yes | The name of the column (field) to use as the search + criteria. | - | Field value | string | Yes | The specific value to search for in the 'Field - name' column. | + | Field value | string | Yes | The value to search for within the specified Field + name. | - | Json fields | content | Yes | A JSON-formatted string representing a dictionary - of field names and the new values to be applied (e.g., `{"Status": "Closed", "Priority": - "Low"}`). | + | Json fields | content | Yes | A JSON-formatted string representing the fields + and their new values to be applied to the matching records. | - | Max records | string | Yes | The maximum number of records that the action will - attempt to search for and update in a single execution. | + | Max records | string | Yes | The maximum number of records (rows) that will + be affected by the update operation. | ### Flow Description - 1. **Initialization**: The action extracts the API key from the integration configuration - and parameters from the action input. - - 2. **Search**: It connects to the specified Airtable base and table to search - for records where the `Field name` matches the `Field value`. - - 3. **Limit**: The search result is limited by the `Max records` parameter to prevent - accidental bulk changes beyond the intended scope. + 1. The action initializes the Airtable client using the provided Base ID and API + Key. - 4. **Update**: The action iterates through each record found in the search results - and performs an update operation using the key-value pairs provided in the `Json - fields` parameter. + 2. It searches the specified table for records where the provided Field name matches + the Field value. - 5. **Completion**: It returns a summary message indicating the total number of - records that were successfully updated. - - - ### Additional Notes + 3. The search results are limited to the number specified in the Max records parameter. - - The `Json fields` parameter must be a valid JSON object string. + 4. For each matching record found, the action performs an update operation using + the provided Json fields. - - The action performs a search-then-update flow; if no records match the search - criteria, no updates will be performed. + 5. The action concludes by returning a summary message indicating the number of + records successfully updated. capabilities: can_create_case_comments: false can_create_insight: false @@ -727,12 +1022,20 @@ Update: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing records in an Airtable table with new values provided in the - 'Json fields' parameter. + Updates records in the specified Airtable table based on the provided search + criteria and field values. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Airtable database. It performs a search + (fetches data) and then executes an update operation on the records found (mutates + external data). It does not interact with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action mutates external data (Airtable records), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -748,3 +1051,7 @@ Update: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + SOAR entities. It relies entirely on configuration parameters provided by the + user. diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..7cd3ab683 --- /dev/null +++ b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,61 @@ +AirTable Connector: + ai_description: >- + ### General Description + + The Airtable Connector facilitates the ingestion of records from a specified Airtable + base and table into Google SecOps. It transforms Airtable records into security + cases, enabling users to monitor and respond to data stored in Airtable within + the SOAR environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert name field | String | No | Airtable column name to use for the alert name. + | + + | Alert name prefix | String | No | Prefix to prepend to the alert name. | + + | Alert type | String | Yes | The alert type/rule generator name. | + + | Api key | Password | Yes | Airtable API key. | + + | Base id | String | Yes | The ID of the Airtable base. | + + | DeviceProductField | String | Yes | Field name used to determine the device + product. | + + | EventClassId | String | Yes | Field name used to determine the event name. | + + | Field name | String | No | Airtable field name to filter by. | + + | Field value | String | No | Value to search for in the specified field. | + + | Max records | String | Yes | Maximum number of records to fetch. | + + | PythonProcessTimeout | String | Yes | Timeout limit for the script execution. + | + + | Table name | String | Yes | The name of the table within the base. | + + + ### Flow Description + + 1. The connector initializes and retrieves configuration parameters, including + authentication credentials and target Airtable details. + + 2. It establishes a connection to the Airtable API using the provided API key, + Base ID, and Table Name. + + 3. If a specific `Field name` and `Field value` are provided, the connector queries + the table for matching records; otherwise, it fetches all records up to the configured + `Max records` limit. + + 4. For each retrieved record, the connector maps the Airtable fields to case extensions + and generates a new security case. + + 5. The generated cases, including relevant event data, are packaged and ingested + into the Google SecOps platform for further analysis. diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..dbd440a72 --- /dev/null +++ b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The Airtable integration provides capabilities to ingest external data into the + SOAR platform as security cases (via the Airtable Connector) and to manage records + in an external database (via Add, Update, Delete, and Search actions). The 'Enrich + Entities From Table' action allows for the enrichment of internal assets with + contextual data from Airtable, which directly aligns with the 'Asset Inventory' + category. Furthermore, Airtable is commonly used for task management and project + planning, and the ability to create and update records in this system aligns with + the 'ITSM' category. The integration does not perform log analysis or IOC reputation + checks, so it does not qualify as 'SIEM' or 'Threat Intelligence'. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml index 33e46e9af..ca19aa4fb 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml @@ -1,50 +1,66 @@ Export full event: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches specific event details from the Arcanna.ai platform. This + aligns with 'Get Alert Information' (fetching details about an event/alert). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Export full event** action retrieves the complete data structure of a specific - event processed by Arcanna.ai. This action is primarily used to gather the full - context and raw data of an event that has been analyzed by an Arcanna AI job, - making the detailed results available for further processing or investigation - within the SOAR platform. + Exports a full event from the Arcanna.ai platform for a specified job and event + ID. This action retrieves detailed event data from the external system and provides + it as a JSON result within the SOAR platform. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The unique identifier of the Arcanna job associated - with the event. Note: The code converts this value to an integer internally. | + | Job ID | string | Yes | The unique identifier of the job to fetch the event + from. | - | **Event ID** | String | Yes | The unique identifier of the specific event to - be exported from Arcanna. | + | Event ID | string | Yes | The unique identifier of the event to be exported. + | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna base URL, API - Key, and SSL verification settings from the integration's global configuration. - - 2. **Input Parsing**: It extracts the `Job ID` and `Event ID` from the action - parameters. + 1. Initialize the `ArcannaClient` using the configured API key and URL. - 3. **API Request**: The action initializes the Arcanna client and performs a GET - request to the `/api/v1/events/{job_id}/{event_id}/export` endpoint. + 2. Extract the `Job ID` and `Event ID` from the action parameters. - 4. **Result Processing**: The retrieved JSON response, containing the full event - details, is added to the action's result JSON. + 3. Call the `export_event` method, which performs a GET request to the Arcanna + API. - 5. **Completion**: The action terminates, providing the exported data as the primary - output. - - - ### Additional Notes - - This action does not iterate over or process SOAR entities (such as IP addresses - or Hostnames). It relies entirely on the specific IDs provided in the parameters - to fetch data. + 4. Add the resulting event data to the action's result output. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,8 +71,17 @@ Export full event: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve event data from an external API + (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alert data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source but does not perform any enrichment + on entities or alerts within the SOAR platform (e.g., it does not update entities + or create insights). Therefore, it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -72,24 +97,72 @@ Export full event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` and does not perform + any filtering on entities. It operates independently of the case entities. Get AI Job by name: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches job details from the Arcanna.ai platform. This aligns with + the 'Get Alert Information' category, as it retrieves metadata about a specific + job from the integrated product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\nRetrieves detailed information about a specific AI job - from the ArcannaAI platform using the job's name. This action allows users to - programmatically fetch job configurations and metadata, which can be used in subsequent - playbook steps.\n\n### Parameters Description\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| Job name | String | Yes | The - name of the AI job for which details should be retrieved. |\n\n### Flow Description\n1. - **Configuration Retrieval**: The action fetches the ArcannaAI URL, API Key, and - SSL verification settings from the integration's configuration.\n2. **Input Validation**: - The action extracts the mandatory `Job name` parameter provided by the user.\n3. - **API Request**: The action uses the `ArcannaClient` to send a POST request to - the `/api/v1/jobs/get_by_name` endpoint, passing the job name in the request body.\n4. - **Response Handling**: The action receives the job details in JSON format from - ArcannaAI.\n5. **Output Generation**: The retrieved JSON data is added to the - action's results, and the action completes successfully.\n\n### Additional Notes\nThis - action does not operate on entities. It is a standalone lookup action based on - the provided job name. + Fetches details for a specific AI job from the Arcanna.ai platform. + + + ### Flow + + 1. Extracts the required configuration parameters (URL, API Key, SSL verification) + and the `Job name` from the action settings. + + 2. Initializes the `ArcannaClient` to communicate with the Arcanna.ai API. + + 3. Executes a request to retrieve the job details using the provided `Job name`. + + 4. Adds the resulting JSON data to the action results for further use. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Job name | string | Yes | The name of the AI job for which details should be + fetched. | + + + ### Additional Notes + + This action performs a retrieval operation and does not modify any external or + internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -100,8 +173,15 @@ Get AI Job by name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves job metadata from the Arcanna.ai API. It does not modify + external data (the POST request is for retrieval) or internal SOAR data. categories: enrichment: false + reasoning: >- + The action fetches job details from an external system. It does not enrich entities + or alerts, nor does it modify internal SOAR data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -117,48 +197,76 @@ Get AI Job by name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on a user-provided `Job + name` parameter. Get AI Job decision set: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches job decision data from Arcanna.ai. This is external data + retrieval. It does not modify external systems, nor does it update SOAR entities + or alerts. It fits the 'Get Alert Information' category as it retrieves metadata + about an AI job process. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Fetches the decision set (labels) for a specific AI job from Arcanna.ai. This + action retrieves job-specific metadata and decision information, which is then + returned as a JSON result for further analysis. - The **Get AI Job decision set** action retrieves the collection of possible decisions - (labels) associated with a specific job in Arcanna.ai. This action is primarily - used to understand the classification schema or the set of outcomes an AI job - is configured to produce, which is essential for interpreting AI-driven analysis - results. + ### Flow Description - ### Parameters Description + 1. Extracts configuration parameters (URL, API Key, SSL verification). - | Parameter | Type | Mandatory | Description | + 2. Extracts the `Job ID` parameter. - | :--- | :--- | :--- | :--- | + 3. Initializes the `ArcannaClient`. - | Job ID | String | Yes | The unique identifier of the Arcanna.ai job for which - the decision set (labels) should be retrieved. | + 4. Performs a GET request to the Arcanna API to retrieve the decision set for + the specified job. + 5. Adds the retrieved JSON response to the action result. - ### Flow Description - 1. **Configuration Retrieval**: The action extracts the Arcanna.ai base URL, API - Key, and SSL verification settings from the integration's global configuration. + ### Parameters Description - 2. **Parameter Extraction**: The mandatory `Job ID` is retrieved from the action's - input parameters and converted to an integer. + | Parameter | Type | Mandatory | Description | - 3. **API Request**: The action initializes the `ArcannaClient` and performs a - GET request to the `/api/v1/jobs/{job_id}/labels` endpoint to fetch the decision - set. + | --- | --- | --- | --- | - 4. **Result Handling**: The retrieved JSON response containing the labels is added - to the action's execution results, and the action completes successfully. + | Job ID | string | Yes | The unique identifier of the AI job for which the decision + set is requested. | ### Additional Notes - - This action does not process or filter entities from the SecOps environment. - - - It is a utility action focused on metadata retrieval from the Arcanna.ai platform. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -169,8 +277,17 @@ Get AI Job decision set: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Arcanna API to fetch job decision data. + It does not mutate external systems (no POST/PUT/DELETE). It does not mutate + internal SOAR data (no entity updates, insights, or case comments). It simply + returns the fetched JSON as an action result. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Arcanna.ai) but does not enrich + entities or alerts within the SOAR platform. It is a utility action for retrieving + job-specific information, therefore it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -186,50 +303,57 @@ Get AI Job decision set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on a standalone `Job ID` parameter. Get AI Job decision set by job name: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves a decision set for a specific job from the Arcanna AI platform. + This aligns with fetching information from a 3rd party product, which is categorized + as 'Get Alert Information'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves the decision set (labels) for a specific AI job identified by its name - from the Arcanna.ai platform. This action is used to fetch the possible classification - outcomes or labels associated with a particular AI model configuration, allowing - users to understand the decision space of the job. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job name | String | Yes | The unique name of the AI job for which the decision - set (labels) should be retrieved. | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the Arcanna URL, API Key, - and SSL verification settings from the integration's global configuration. - - 2. **Parameter Extraction**: The action extracts the mandatory `Job name` provided - by the user. - - 3. **API Interaction**: It initializes the Arcanna client and performs a POST - request to the `/api/v1/jobs/get_by_name/labels` endpoint, passing the job name - in the request body to identify the target job. - - 4. **Result Processing**: The retrieved decision set (JSON) is captured and added - to the action's execution results for use in subsequent playbook steps. - - - ### Additional Notes - - - This action does not operate on SOAR entities (IPs, Hosts, etc.); it is a system-level - query based on a job name string. - - - Note: The provided script contains a potential configuration mapping error where - it attempts to extract the 'SSL Verification' value using the key 'Api Key' from - the configuration block. + Fetches the decision set (labels) for a specific Arcanna AI job by its name. **General + Description:** This action retrieves the decision set associated with a specified + Arcanna AI job. It interacts with the Arcanna AI platform to fetch labels and + decision data, which can then be used for further analysis or reporting within + the SOAR platform. **Parameters:** | Name | Type | Mandatory | Description | | + --- | --- | --- | --- | | Job name | string | true | The name of the Arcanna AI + job to retrieve the decision set for. | **Flow Description:** 1. The action extracts + the necessary configuration parameters (URL, API Key, SSL verification) and the + 'Job name' parameter. 2. It initializes the ArcannaClient with the provided configuration. + 3. It calls the Arcanna API endpoint '/api/v1/jobs/get_by_name/labels' via a POST + request, passing the 'job_name' in the request body. 4. The retrieved decision + set JSON is added to the action results using the SOAR SDK. **Additional Notes:** + This action does not perform any modifications to external systems or internal + SOAR data. It is a read-only operation designed to retrieve information. capabilities: can_create_case_comments: false can_create_insight: false @@ -240,8 +364,15 @@ Get AI Job decision set by job name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from the Arcanna AI platform by sending a POST request + with a job name. It does not modify external systems or internal SOAR data (other + than adding result JSON). categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Arcanna AI) but does not enrich + entities or alerts. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -257,65 +388,91 @@ Get AI Job decision set by job name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script does not interact with siemplify.target_entities and the YAML configuration + does not define any entity types for simulation, confirming it does not run + on entities. Get Arcanna decision: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches the status/decision of an event from the Arcanna AI platform. + This matches the 'Get Alert Information' category, as it retrieves specific + information about an event/alert from the 3rd party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + General description: - Retrieves the AI decision for a specific event from Arcanna.ai. This action is - designed to poll the Arcanna API to fetch the inference results for an event that - has been previously submitted. It uses a configurable retry mechanism to wait - for the decision if it is still in a pending state. + This action retrieves the decision status for a specific Arcanna AI job and event. + It polls the Arcanna API until a final decision is available or the retry limit + is reached. - ### Parameters Description + Parameters description: | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Job Id | string | Yes | The unique identifier of the Arcanna Job associated - with the event. | + | Job Id | string | Yes | The ID of the Arcanna job to query. | - | Event Id | string | Yes | The unique identifier of the specific event for which - the decision is being requested. | + | Event Id | string | Yes | The ID of the event to check. | - | Retry count | string | Yes | The maximum number of times the action will poll - the API if the decision is still 'pending_inference'. Default is 20. | + | Retry count | string | Yes | Number of times to retry the request if the status + is 'pending_inference'. | - | Seconds per retry | string | Yes | The duration (in seconds) to wait between - each polling attempt. Default is 5. | + | Seconds per retry | string | Yes | Time in seconds to wait between retry attempts. + | - ### Additional Notes + Flow description: - This action does not operate on SecOps entities. It relies entirely on the provided - `Job Id` and `Event Id` parameters to identify the data to retrieve. The action - will fail if the decision is not available within the total retry window (Retry - count * Seconds per retry) or if the API returns an error status. + 1. Extracts configuration parameters (URL, API Key, SSL verification) and action + parameters (Job ID, Event ID, Retry count, Seconds per retry). + 2. Initializes the ArcannaClient with the provided credentials. - ### Flow Description + 3. Enters a retry loop to poll the Arcanna API for the event status using the + 'get_event_status' method. + + 4. If the status is 'pending_inference', the action waits for the configured duration + and retries. - 1. **Initialization**: Extracts the Arcanna integration configuration (URL, API - Key, SSL) and the action parameters. + 5. If the status is 'OK', the action adds the response JSON to the result and + completes successfully. - 2. **Client Setup**: Initializes the Arcanna API client. + 6. If the status is 'ERROR' or the retry limit is reached, the action fails. - 3. **Polling Loop**: Enters a loop that continues for the specified `Retry count`. - 4. **Status Check**: Calls the Arcanna API to get the status of the event using - the `Job Id` and `Event Id`. + Additional notes: - 5. **Decision Handling**: - * If the status is `OK`, the decision data is retrieved, added to the action's - JSON results, and the action completes successfully. - * If the status is `pending_inference`, the action waits for the specified - `Seconds per retry` and then attempts the next poll. - * If the status is `ERROR`, the action logs the error and terminates with - a failure state. - 6. **Timeout**: If the loop finishes without receiving an `OK` or `ERROR` status, - the action fails, notifying the user that the decision could not be retrieved - within the configured window. + This action performs a GET request to the Arcanna API and does not modify any + external systems or internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -326,8 +483,16 @@ Get Arcanna decision: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action polls the Arcanna API for the status of a specific event. It does + not modify external systems or internal SOAR data (entities, insights, comments). + It only adds the result JSON to the action output. categories: enrichment: false + reasoning: >- + The action fetches data but does not perform any of the allowed internal mutations + (update entities, create insights, add comments). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -343,50 +508,50 @@ Get Arcanna decision: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses parameters provided + in the action configuration. Get Jobs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of jobs from Arcanna.AI. It does not match any of + the provided categories (e.g., Enrich IOC, Enrich Asset, Update Alert, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Jobs** action retrieves a comprehensive list of all available jobs configured - within the Arcanna.AI platform. This utility action is primarily used to discover - job identifiers and names, which are necessary for configuring other actions within - the Arcanna.AI integration, such as sending events or triggering model training. - - - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the global - integration configuration for connectivity: - - * **Url**: The base URL of the Arcanna.AI instance. - - * **Api Key**: The API key used for authentication. - - * **SSL Verification**: Boolean flag to enable or disable SSL certificate validation. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the connection details (URL, - API Key, and SSL settings) from the integration's configuration block. - - 2. **Client Initialization**: An Arcanna API client is initialized using the retrieved - credentials. - - 3. **API Request**: The action executes a GET request to the `/api/v1/jobs` endpoint - to fetch the list of jobs. - - 4. **Result Processing**: The retrieved JSON response is parsed and added to the - action's result output. - - 5. **Completion**: The action terminates, providing the job list in the execution - summary and as a JSON result for downstream playbook tasks. - - - ### Additional Notes - - This action does not interact with or require any entities (IPs, Hosts, etc.) - to function. It is a global data retrieval task. + Retrieves a list of available jobs from the Arcanna.AI platform. The action performs + the following steps: 1. Extracts configuration parameters including the Arcanna.AI + URL, API Key, and SSL verification setting. 2. Initializes the ArcannaClient with + the provided credentials. 3. Executes a GET request to the /api/v1/jobs endpoint + to fetch the list of jobs. 4. Adds the retrieved JSON response to the action result. + Parameters: Integration.Url (String, Mandatory) - The base URL of the Arcanna.AI + instance. Integration.Api Key (String, Mandatory) - The API key for authentication. + SSL Verification (Boolean, Mandatory) - Flag to enable or disable SSL verification. capabilities: can_create_case_comments: false can_create_insight: false @@ -397,8 +562,16 @@ Get Jobs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Arcanna.AI API to retrieve a list of + jobs. It does not modify any external systems or internal SOAR data (entities, + insights, comments). categories: enrichment: false + reasoning: >- + The action retrieves a list of jobs from an external system. It does not enrich + entities or alerts, nor does it perform any of the allowed internal mutations + (comments, insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -414,47 +587,85 @@ Get Jobs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It operates globally + to fetch job data. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the listed + functional operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Arcanna.ai instance by performing - a health check. This action ensures that the provided URL and API Key are valid - and that the service is reachable. + This action tests the connectivity between the SOAR platform and the Arcanna.ai + instance by performing a health check. It verifies that the integration is correctly + configured and reachable. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the required configuration parameters: `Integration.Url`, + `Integration.Api Key`, and `SSL Verification`. - | :--- | :--- | :--- | :--- | + 2. It initializes the `ArcannaClient` using the provided credentials and configuration. - | Url | String | Yes | The base URL of the Arcanna.ai instance. | + 3. It executes a GET request to the `/api/v1/health` endpoint of the Arcanna.ai + API. - | Api Key | String | Yes | The API key used for authentication with the Arcanna.ai - API. | + 4. The response from the health check is returned as a JSON result to the SOAR + platform. - | SSL Verification | Boolean | Yes | If set to true, the action will verify the - SSL certificate of the Arcanna.ai server. | + 5. The action concludes by reporting the success or failure of the connectivity + test. - ### Additional Notes + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - This is a standard connectivity test (Ping) action and does not process any entities. + | :--- | :--- | :--- | :--- | + | Integration.Url | String | Yes | The base URL of the Arcanna.ai instance. | - ### Flow Description + | Integration.Api Key | String | Yes | The API key for authentication. | - 1. **Extract Configuration:** Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. + | SSL Verification.Api Key | String | Yes | Whether to verify SSL certificates + (expected "true" or "false"). Note: The parameter name in the code is "Api Key". + | - 2. **Initialize Client:** Sets up the Arcanna API client with the provided credentials. - 3. **Health Check:** Executes a GET request to the `/api/v1/health` endpoint of - the Arcanna service. + ### Additional Notes - 4. **Process Result:** Captures the JSON response from the health check and reports - the execution status (Success/Failure). + This action is a standard connectivity test (Ping) and does not perform any data + enrichment or system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -465,8 +676,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the /api/v1/health endpoint to verify connectivity. + It does not modify external systems or internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a "Ping" action designed to test connectivity. Per the instructions, + "Actions named Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -482,60 +699,78 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. Send Active Alert from Case to Arcanna: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action transmits alert data to an external AI platform (Arcanna.ai). It + does not perform enrichment, containment, ticketing, or alert modification. + Therefore, it does not match any of the predefined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Sends the currently active alert from a Google SecOps case to Arcanna.ai for processing. - This action allows users to forward specific alert data to Arcanna's AI engine - for decision-making or further analysis based on a configured Job ID. + Sends an active alert from a Google SecOps case to the Arcanna.ai platform for + processing. This action allows users to specify a Job ID and optionally map an + alert identifier field to ensure the alert is correctly ingested by Arcanna.ai. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Job ID** | String | Yes | The ID of the Arcanna.ai job that will receive and - process the alert. Note: The action converts this value to an integer internally. - | + 1. Extracts configuration parameters (URL, API Key, SSL verification). - | **Alert identifier field** | String | No | The specific field in the alert JSON - to use as the identifier. Defaults to "identifier". | + 2. Extracts action parameters (Job ID, Alert identifier field, and whether to + use the alert ID). - | **Use Alert ID as ID in Arcanna** | Boolean | No | If set to `True`, the action - uses the value from the "Alert identifier field" as the ID in Arcanna. If `False`, - Arcanna generates a new unique ID. | + 3. Retrieves the current case and its associated cyber alerts. + 4. Identifies the specific alert matching the current alert's identifier. - ### Additional Notes + 5. Sends the alert payload to the Arcanna.ai platform using the provided Job ID. - If **Use Alert ID as ID in Arcanna** is enabled, the **Alert identifier field** - should be correctly configured to point to a valid field in the alert payload - (using dot notation if necessary) to ensure the identifier is correctly mapped - in Arcanna.ai. + 6. Adds the API response to the action result. - ### Flow Description - - 1. **Initialization**: Extracts integration configuration (URL, API Key, SSL Verification) - and action parameters. + ### Parameters Description - 2. **Context Retrieval**: Fetches the full case details and identifies the currently - active alert in the SOAR context. + | Parameter | Type | Mandatory | Description | - 3. **Alert Matching**: Iterates through the alerts in the case to find the one - matching the active alert's identifier. + | :--- | :--- | :--- | :--- | - 4. **ID Resolution**: If configured to use an existing ID, it extracts the value - from the specified alert field using a dot-notation helper. + | Job ID | string | Yes | Job ID used for sending event to Arcanna.ai. | - 5. **External Transmission**: Sends the raw alert payload to the Arcanna.ai API - via a POST request to the events endpoint. + | Alert identifier field | string | No | Identifier field that will be used as + an ID in Arcanna.ai when ingesting the alert. | - 6. **Result Handling**: Captures the API response and attaches it to the action - results as JSON. + | Use Alert ID as ID in Arcanna | boolean | Yes | If False, Arcanna generates + a new unique ID for the alert. If True, Arcanna uses the id found in the "Alert + identifier field". | capabilities: can_create_case_comments: false can_create_insight: false @@ -544,12 +779,19 @@ Send Active Alert from Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends alert data to Arcanna.ai, creating a new event record for analysis within - the specified Job ID. + Sends an alert payload to the Arcanna.ai platform for processing. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to send an alert payload to the external Arcanna.ai + platform (can_mutate_external_data=true). It does not fetch context data from + external systems, nor does it modify internal SOAR case or alert data. categories: enrichment: false + reasoning: >- + The action transmits data to an external system (Arcanna.ai) and does not fetch + data for enrichment or modify internal SOAR data. It does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -565,54 +807,86 @@ Send Active Alert from Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It retrieves the current + case and its associated cyber alerts using `siemplify.current_alert` and `siemplify._get_case()`. + Therefore, it does not run on entities. Send Analyst Feedback to Arcanna: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends feedback to an external system (Arcanna.ai). It does not match + any of the predefined categories like 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action sends analyst feedback for a specific event to the Arcanna.ai platform. - It is used to provide human-validated labels or feedback on AI-processed events, - which is essential for model training and refinement within the Arcanna ecosystem. - The action interacts with the Arcanna API via a PUT request to update the feedback - status of a specific event associated with a job. + This action sends analyst feedback to the Arcanna.ai platform for a specific event. + It allows analysts to provide input on Arcanna-processed events, which can be + used for model training or decision refinement. - ### Parameters + ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Event Id | The unique identifier of the event in Arcanna for which feedback - is being provided. | string | Yes | N/A | + | Event Id | string | Yes | The unique identifier of the event in Arcanna. | - | Username | The name of the analyst providing the feedback. This is used for - auditing and tracking within Arcanna. | user | Yes | Admin | + | Username | user | Yes | The username of the analyst providing the feedback. + | - | Job Id | The unique identifier of the Arcanna job that the event belongs to. - | string | Yes | N/A | + | Job Id | string | Yes | The unique identifier of the Arcanna job associated + with the event. | - | Analyst Feedback | The specific feedback or label (e.g., a decision or classification) - that the analyst wants to assign to the event. | string | Yes | N/A | + | Analyst Feedback | string | Yes | The feedback string provided by the analyst. + | + + + ### Additional Notes + + There are no additional notes for this action. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna URL, API Key, - and SSL verification settings from the integration configuration. + 1. Extract configuration parameters (URL, API Key, SSL verification). - 2. **Parameter Retrieval**: It extracts the `Job Id`, `Event Id`, `Username`, - and `Analyst Feedback` from the action parameters. + 2. Extract action parameters (Job ID, Event ID, Username, Feedback). - 3. **Client Initialization**: An `ArcannaClient` is initialized using the provided - connection details. + 3. Initialize the `ArcannaClient` with the provided credentials. - 4. **API Interaction**: The action calls the `send_feedback` method, which performs - a PUT request to the Arcanna endpoint `/api/v1/events/{job_id}/{event_id}/feedback` - with the analyst's feedback and username. + 4. Execute the `send_feedback` method, which performs a PUT request to the Arcanna + API. - 5. **Result Processing**: The response from the Arcanna API is captured and added - to the action's JSON results. If successful, the action completes with a success - status; otherwise, it logs the error and fails. + 5. Add the API response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -621,12 +895,19 @@ Send Analyst Feedback to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Arcanna API to update the feedback/label - associated with a specific event in an Arcanna job. + Updates the feedback status for a specific event in the Arcanna.ai platform + via a PUT request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (Arcanna.ai) to update + feedback for an event. It does not retrieve contextual data about entities or + alerts, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a mutation action (sending feedback) and does not fetch data for + enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -642,14 +923,50 @@ Send Analyst Feedback to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + specific IDs provided as parameters. Send Case to Arcanna: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends case data to an external AI platform (Arcanna.ai). It does + not match any of the predefined categories like 'Enrich IOC', 'Create Ticket', + 'Contain Host', etc. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Sends a Google SecOps case, including its metadata and associated entities, to - Arcanna.ai for analysis or processing. This action allows for the seamless transfer - of case context to Arcanna's AI engine to facilitate automated decision-making - or further investigation. + This action sends the current case data to Arcanna.ai for AI-driven analysis. + It retrieves the full case object from Google SecOps, optionally extracts a specific + case identifier, and prepares a payload containing the case data and target entities. + This payload is then sent to Arcanna.ai via the ArcannaClient, and the API response + is added to the action results. ### Parameters Description @@ -658,40 +975,32 @@ Send Case to Arcanna: | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The specific Arcanna job ID used for sending the - event to Arcanna.ai. | + | Job ID | string | Yes | The ID of the job in Arcanna.ai used for sending the + event. | - | **Case identifier field** | String | No | The field within the Google SecOps - case JSON that will be used as the ID in Arcanna.ai. Default is "identifier". - | + | Case identifier field | string | No | The field in the case to use as an ID + in Arcanna.ai. | - | **Use case ID as ID in Arcanna** | Boolean | No | If set to `True`, Arcanna - uses the value found in the "Case identifier field" as the event ID. If `False`, - Arcanna generates a new unique ID. | + | Use case ID as ID in Arcanna | boolean | Yes | If True, Arcanna uses the ID + found in the 'Case identifier field'. If False, Arcanna generates a new unique + ID. | ### Flow Description - 1. **Configuration Retrieval**: The action fetches the Arcanna URL, API Key, and - SSL settings from the integration configuration. + 1. Extracts configuration parameters (URL, API Key, SSL verification). - 2. **Parameter Extraction**: It retrieves the Job ID, the target case identifier - field, and the ID usage preference from the action parameters. + 2. Extracts action parameters (Job ID, Case identifier field, Use case ID flag). - 3. **Data Gathering**: The action retrieves the complete case details and the - list of target entities from the current Google SecOps context. + 3. Retrieves the full case object from Google SecOps. - 4. **Payload Construction**: It combines the case data and entities into a single - JSON payload. + 4. Optionally extracts a specific case identifier if configured. - 5. **ID Resolution**: If configured to use an existing ID, it extracts the specified - field value from the case data using a dot-notation path. + 5. Prepares a payload containing the case data and target entities. - 6. **API Interaction**: The action sends the payload to the Arcanna `/api/v1/events/` - endpoint via a POST request. + 6. Sends the payload to Arcanna.ai via the `ArcannaClient`. - 7. **Result Handling**: The response from Arcanna is captured and added to the - action's JSON results. + 7. Adds the API response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -700,12 +1009,18 @@ Send Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record in Arcanna.ai containing the case details and entity - information. - fetches_data: true + Sends case data to Arcanna.ai for processing. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action sends case data to an external system (Arcanna.ai) via a POST request. + It does not fetch data from external systems, nor does it modify internal SecOps + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data from an + external source to enrich the case. It is a data transmission action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -721,66 +1036,98 @@ Send Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves `target_entities` from the case context and includes them + in the payload sent to Arcanna.ai, but it does not perform any filtering or + operations on the entities themselves. Send JSON Document to Arcanna: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is an ingestion/sending tool for Arcanna.ai. It does not match the + expected outcomes of the provided categories (e.g., it is not an enrichment, + containment, ticket creation, or alert modification action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Send JSON Document to Arcanna** action enables the ingestion of custom JSON - data into the Arcanna.ai platform. It is designed to send a raw JSON payload to - a specific Arcanna Job ID, allowing for external processing, AI analysis, or decision-making - based on the provided data. This action is highly flexible as it allows users - to define the document structure and optionally specify a unique identifier from - within the JSON content. + Sends a JSON document to the Arcanna.ai platform for processing. This action allows + users to ingest custom JSON payloads into specific Arcanna jobs, optionally using + a field within the JSON as a unique identifier. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Arcanna.ai integration + configuration (URL, API Key, and SSL verification settings). - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the action-specific parameters: `Job + ID`, `Identifier field`, `Use document ID as ID in Arcanna`, and the `JSON Document` + payload. - | **Job ID** | String | Yes | The unique ID of the Arcanna.ai job that will receive - and process the document. | + 3. **Validation**: The action parses the provided `JSON Document` string. If the + JSON is invalid or if the root is a list, the action fails. - | **Identifier field** | String | No | A dot-notation path (e.g., 'id' or 'metadata.uuid') - used to extract a specific value from the JSON document to serve as the document's - ID in Arcanna. | + 4. **Identifier Processing**: If `Use document ID as ID in Arcanna` is set to + `true`, the action attempts to extract the identifier from the JSON document using + the path provided in `Identifier field`. - | **Use document ID as ID in Arcanna** | Boolean | Yes | If set to `True`, the - action uses the value found in the 'Identifier field' as the document ID. If `False`, - Arcanna generates a new unique ID. | + 5. **API Interaction**: The action sends the JSON document (and the optional identifier) + to the Arcanna.ai API using the `ArcannaClient`. - | **JSON Document** | Code/String | Yes | The JSON object to be sent to Arcanna.ai. - Note: The root of the document must be a JSON object (dictionary), not a list. - | + 6. **Result Handling**: The API response is added to the action result, and the + execution status is updated. - ### Additional Notes + ### Parameters Description - - The action validates that the input is a valid JSON object. If a list is provided - at the root level, the action will fail. + | Parameter | Type | Mandatory | Description | - - If 'Use document ID as ID in Arcanna' is enabled but the 'Identifier field' - is not provided or the path is not found in the JSON, the document will be sent - without a specific ID override. + | :--- | :--- | :--- | :--- | + | **Job ID** | string | Yes | The ID of the job in Arcanna.ai to which the event + will be sent. | - ### Flow Description + | **Identifier field** | string | No | The dot-notation field path within the + JSON document to be used as an ID. This is used only if 'Use document ID as ID + in Arcanna' is set to True. | - 1. **Parameter Extraction**: The action retrieves the Arcanna API credentials - and the user-provided parameters (Job ID, JSON Document, etc.). + | **Use document ID as ID in Arcanna** | boolean | No | If True, the action uses + the value found in the 'Identifier field' as the event ID. If False, Arcanna generates + a new unique ID. | - 2. **JSON Parsing**: The 'JSON Document' string is parsed into a Python dictionary. - The action verifies that the root element is a dictionary. + | **JSON Document** | code | Yes | The JSON document payload to be sent to Arcanna.ai. + | - 3. **ID Resolution**: If configured to use an existing ID, the action traverses - the JSON structure using the 'Identifier field' path to extract the ID value. - 4. **Data Ingestion**: The action performs a POST request to the Arcanna.ai API - (`/api/v1/events/`), passing the Job ID and the JSON payload. + ### Additional Notes - 5. **Result Processing**: The response from Arcanna.ai is captured and added to - the action's JSON results for downstream use in the playbook. + - The `Identifier field` parameter is optional, but it is required if `Use document + ID as ID in Arcanna` is set to `true` for the action to correctly map the event + ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -789,12 +1136,22 @@ Send JSON Document to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or document record in the Arcanna.ai platform via a POST - request. + Sends a JSON document to the Arcanna.ai platform for ingestion and processing. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (Arcanna.ai) to ingest + a JSON document. It does not fetch data from external systems (no GET requests + for context), nor does it modify internal SOAR case data (entities, insights, + etc.). The use of `siemplify.result.add_result_json` is for reporting the API + response and is not considered an internal mutation. categories: enrichment: false + reasoning: >- + The action is designed to push/ingest data into an external system (Arcanna.ai). + It does not retrieve contextual information about entities or alerts, nor does + it perform any of the allowed internal mutations (comments, insights, entity + updates). Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -810,60 +1167,64 @@ Send JSON Document to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a raw JSON document provided as a parameter and does + not interact with or iterate over the `siemplify.target_entities` list. Send event to Arcanna: - ai_description: >- - Sends case or alert data from Google SecOps to Arcanna.ai for AI-driven analysis - and decision-making. This action acts as a bridge, exporting security event data - to a specific Arcanna AI job to leverage its machine learning capabilities. - - - ### Flow Description: - - 1. **Configuration Extraction:** Retrieves the Arcanna URL and API Key from the - integration settings, along with action-specific parameters like Job ID and Username. - - 2. **Data Retrieval:** Fetches the full case details from Google SecOps. - - 3. **Payload Preparation:** Depending on the 'Send individual alerts from case' - parameter, the action either isolates the current alert or packages the entire - case (including target entities) as the payload. - - 4. **Identifier Mapping:** If an 'Event ID mapping field' is provided, the action - uses dot-notation to extract a specific value from the data to serve as the external - reference ID in Arcanna. - - 5. **API Interaction:** Performs a POST request to the Arcanna API to submit the - event data to the designated Job ID. - - 6. **Result Handling:** Captures the API response and attaches it as a JSON result - to the action output. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job ID | String | Yes | The unique identifier of the Arcanna.ai job that will - process the sent event. | - - | Username | User | Yes | The username registered in Arcanna for audit and tracking - purposes. | - - | Event ID mapping field | String | No | A dot-notation path (e.g., `alert.id` - or `case.id`) used to extract a specific field from the payload to be used as - the Event ID in Arcanna. | - - | Send individual alerts from case | Boolean | No | If set to `true`, only the - alert currently being processed is sent. If `false` (default), the entire case - data is sent. | - - - ### Additional Notes: - - - This action is primarily used for exporting data to Arcanna.ai for further analysis - rather than retrieving enrichment data for SecOps entities. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends case or alert data to an external AI platform (Arcanna.ai). + It does not match any of the predefined categories such as 'Enrich IOC', 'Contain + Host', 'Create Ticket', or 'Send Message' (as it is not a communication app). + It is a specialized integration/export action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Sends case or alert data to Arcanna.ai for analysis or processing.\ + \ This action facilitates the integration between the SOAR platform and Arcanna.ai\ + \ by pushing event data to the external service.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: Retrieves the Arcanna.ai API key and base URL from the integration\ + \ configuration.\n2. **Parameter Parsing**: Extracts action parameters including\ + \ the Job ID, Username, Event ID mapping field, and the toggle for sending individual\ + \ alerts.\n3. **Case Retrieval**: Fetches the full case details from the SOAR\ + \ platform.\n4. **Data Processing**: \n - If 'Send individual alerts from case'\ + \ is enabled, it iterates through the case's cyber alerts, identifies the current\ + \ alert, and prepares the payload.\n - If disabled, it prepares the full case\ + \ payload, including target entities.\n5. **External Submission**: Sends the prepared\ + \ payload to the Arcanna.ai API via a POST request.\n6. **Result Reporting**:\ + \ Adds the API response to the action results.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Job ID\ + \ | String | Yes | The ID of the job in Arcanna.ai used for sending the event.\ + \ |\n| Username | User | Yes | The username registered for audit purposes. |\n\ + | Event ID mapping field | String | No | The field used as a reference ID with\ + \ Arcanna.ai. |\n| Send individual alerts from case | Boolean | No | If true,\ + \ sends individual alerts; otherwise, sends the full case. |\n\n### Additional\ + \ Notes\nThis action performs an outbound data push to an external system (Arcanna.ai)\ + \ and does not perform enrichment or modification of the internal SOAR case data." capabilities: can_create_case_comments: false can_create_insight: false @@ -872,12 +1233,21 @@ Send event to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or updates an existing one within the Arcanna.ai platform - by sending raw case/alert data via a POST request. + Sends event or case data to the Arcanna.ai platform via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Arcanna.ai) to send event + data, which constitutes external data mutation (in the context of the external + system). It does not fetch data to enrich the SOAR case, nor does it modify + internal SOAR data, entities, or case comments. categories: enrichment: false + reasoning: >- + The action is an export/integration action that pushes data to an external system. + It does not fetch data to enrich the SOAR case, nor does it perform any of the + allowed internal mutations (comments, insights, entity updates). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -893,54 +1263,56 @@ Send event to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves 'target_entities' from the context data to include them + in the payload sent to Arcanna.ai, but it does not iterate over, filter, or + perform any operations on the entities themselves. Therefore, it does not run + on specific entity types. Trigger AI Model training: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers an AI model training job in the Arcanna.ai platform. This + does not match any of the predefined categories such as enrichment, containment, + or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Triggers the AI model training process for a specific job within the ArcannaAI - platform. This action is typically used after providing feedback or adding new - data to a job to ensure the underlying AI model is updated and refined based on - the latest information. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job ID | String | Yes | The unique identifier of the Arcanna job for which the - AI model training should be initiated. The value is internally converted to an - integer. | - - | Username | User | Yes | The username of the person or system account triggering - the training, used for audit logging within ArcannaAI. | - - - ### Additional Notes - - - This action performs a state-changing operation in ArcannaAI by initiating a - background training task. - - - It does not interact with or require any Google SecOps entities to run. - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. - - 2. **Parameter Retrieval**: Extracts the `Job ID` and `Username` from the action - parameters. - - 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided - credentials and connection settings. - - 4. **API Request**: Sends a POST request to the ArcannaAI `/train` endpoint for - the specified Job ID. - - 5. **Result Handling**: Captures the API response, adds it to the action's JSON - results, and reports the execution status (Completed or Failed). + This action triggers an AI model training job within the Arcanna.ai platform. + The action extracts configuration parameters (URL, API Key, SSL verification) + and action parameters (Job ID, Username) to authenticate and initiate the training + process via a POST request. The action returns the API response to the SOAR platform + for audit and tracking purposes. Flow: 1. Extract configuration and action parameters. + 2. Initialize the ArcannaClient. 3. Execute the train_model method, which sends + a POST request to the Arcanna.ai API to initiate the training process. 4. Return + the API response to the SOAR platform. Parameters: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Job ID | string | Yes | The ID of + the job where training will be triggered. | | Username | user | Yes | The username + for audit purposes. | capabilities: can_create_case_comments: false can_create_insight: false @@ -949,12 +1321,19 @@ Trigger AI Model training: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a model training process on the ArcannaAI server for a specific job - ID. + Triggers an AI model training job in the Arcanna.ai platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action triggers an AI model training job in the Arcanna.ai platform via + a POST request. It does not fetch contextual data for enrichment, nor does it + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action triggers an external process (AI model training) and does not fetch + data for enrichment or modify internal SOAR data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -970,13 +1349,47 @@ Trigger AI Model training: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses action parameters 'Job ID' + and 'Username' to perform its task. Update alert priority: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the priority of the alert within the SecOps platform, which + directly matches the 'Update Alert' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates the priority level of the current alert within Google SecOps. This action - is typically used to dynamically adjust alert severity based on external analysis - or decision logic (e.g., from an AI model like Arcanna.ai). + This action updates the priority of the current alert within the Google SecOps + platform. It allows analysts to programmatically change an alert's priority level + based on automated decisions or other workflow triggers. ### Parameters Description @@ -985,31 +1398,21 @@ Update alert priority: | :--- | :--- | :--- | :--- | - | Priority | string | Yes | The new priority level to assign to the alert. Must - be one of the following: `Informative`, `Low`, `Medium`, `High`, or `Critical`. - | - - - ### Additional Notes - - - This action requires Google SecOps (Siemplify) version 5.6 or higher to function. - - - The action interacts with the internal SOAR API to perform the update. + | Priority | string | Yes | The new priority level for the alert. Must be one + of the following values: 'Informative', 'Low', 'Medium', 'High', 'Critical'. | ### Flow Description - 1. **Validation**: The action retrieves the current alert identifier and validates - that the provided `Priority` parameter matches one of the five allowed values. + 1. The action extracts the 'Priority' parameter and validates it against the allowed + list of priority values. - 2. **Version Check**: It checks the system version to ensure compatibility (version - 5.6+). + 2. It verifies that the current Siemplify version is 5.6 or higher. - 3. **Internal API Call**: It constructs a request containing the Case ID, Alert - Identifier, Alert Name, and the new Priority. + 3. It retrieves the current alert identifier and case ID from the context. - 4. **Execution**: It sends a POST request to the internal Google SecOps endpoint - `/external/v1/sdk/UpdateAlertPriority` to commit the change. + 4. It sends a POST request to the internal SecOps API endpoint (`/external/v1/sdk/UpdateAlertPriority`) + to update the alert's priority. capabilities: can_create_case_comments: false can_create_insight: false @@ -1020,10 +1423,16 @@ Update alert priority: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the priority level of the current alert within the Google SecOps platform - via an internal API call. + Updates the priority of the current alert within the Google SecOps platform. + reasoning: >- + The action modifies the alert's priority within the SecOps platform by calling + an internal API endpoint. It does not fetch external data or mutate external + systems. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates alert priority) and does not fetch + data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1039,3 +1448,7 @@ Update alert priority: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the current alert context (`siemplify.current_alert`) + rather than iterating over `target_entities`. Therefore, it does not use any + entity types. diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4b52710b0 --- /dev/null +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Arcanna.ai integration is a decision intelligence platform designed to augment + SOC analysts by providing AI-driven decisions on alerts and cases. It does not + perform log analysis or IOC correlation (SIEM), host-level investigation (EDR), + network traffic blocking (Network Security), indicator reputation enrichment (Threat + Intelligence), email management (Email Security), identity management (IAM), cloud + resource management (Cloud Security), ticketing (ITSM), vulnerability management + (Vulnerability Management), asset inventory management (Asset Inventory), or collaboration/notification + (Collaboration). While the integration includes an action to update alert priority + within the SOAR platform, this is an internal utility action and does not align + with the specific functional categories provided. Consequently, none of the product + categories are applicable. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml index fea6bec9e..2a16e9ad7 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml @@ -1,42 +1,77 @@ Add User To Workspace: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a user to an Asana workspace, which modifies workspace membership. + This aligns with the 'Update Identity' category, which includes modifying group + memberships. It does not match other categories like Enrichment, Ticket creation, + or Alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - This action adds a user to a specific Asana workspace using their email address. - It is used to manage workspace membership programmatically within the Asana platform. + Adds a user to a specific Asana workspace. This action facilitates user management + by programmatically adding a user to a designated workspace within the Asana platform. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Workspace Name | string | Yes | The name of the Asana workspace to which you - want to add the user. Note: This field is case-sensitive. | + | Workspace Name | string | Yes | The name of the workspace to which you want + to add the user. Note: It is case sensitive! | + + | User's Email | string | Yes | The email address of the user you want to add. + | + + + ### Additional Notes + + - The action requires a valid Asana API token and base URL configured in the integration + settings. - | User's Email | string | Yes | The email address of the user you want to add - to the workspace. | + - The workspace name is case-sensitive. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Asana API token and - base URL from the integration configuration. + 1. Extracts configuration parameters (Token, Base URL) and action parameters (Workspace + Name, User's Email). - 2. **Parameter Extraction**: The action extracts the target workspace name and - the user's email from the action parameters. + 2. Initializes the Asana manager with the provided credentials. - 3. **Workspace Identification**: It calls the Asana API to list all workspaces - and finds the unique identifier (GID) for the workspace matching the provided - name. + 3. Retrieves the workspace ID by searching for the provided workspace name. - 4. **User Addition**: It sends a POST request to the Asana API endpoint `/workspaces/{workspace_id}/addUser` - with the user's email. + 4. Sends a POST request to add the specified user to the identified workspace. - 5. **Result Processing**: The action captures the API response, adds it as a JSON - result to the SOAR case, and provides a success or failure message based on the - outcome. + 5. Returns the operation result and adds the JSON result to the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,12 +80,19 @@ Add User To Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds a user to an Asana workspace, which changes the membership - state of that workspace in the external Asana system. + Adds a user to an Asana workspace via a POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to add a user to a workspace (can_mutate_external_data=true). + It fetches the workspace ID (fetches_data=true). It does not update internal + entities or create insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (adding a user to a workspace) + and does not fetch data for enrichment purposes. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -66,64 +108,64 @@ Add User To Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It extracts parameters directly from the action configuration, + so it does not run on entities. Create Task: - ai_description: >- - ### General Description - - Creates a new task within a specific project in Asana. This action allows users - to automate task management and tracking directly from Google SecOps by generating - tasks with specific subjects, descriptions, assignees, and due dates. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Task Subject | String | Yes | The title or subject line of the new task to be - created. | - - | Assignee | String | No | The user to whom the task will be assigned. Note: This - is case-sensitive and typically expects the user's email or unique identifier. - | - - | Due Date | String | No | The deadline for the task, which must be provided in - the format YYYY-MM-DD. | - - | Description | String | Yes | The detailed content or notes for the new task. - | - - | Project Name | String | Yes | The name of the Asana project where the task will - be assigned. Note: This is case-sensitive. | - - - ### Additional Notes - - - Either the project name must exist exactly as provided (case-sensitive) for - the action to successfully retrieve the project ID. - - - If the Assignee parameter is provided, the action will attempt to resolve the - user's email to a unique Asana GID. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the Asana API Token and Base - URL from the integration configuration. - - 2. **Project ID Resolution**: It queries the Asana API to find the unique project - ID corresponding to the provided `Project Name`. - - 3. **User ID Resolution (Optional)**: If an `Assignee` is specified, the action - fetches the unique user ID for that individual. - - 4. **Task Creation**: The action sends a POST request to the Asana `/tasks` endpoint, - including the subject, description, project ID, and optional assignee/due date. - - 5. **Output Generation**: Upon successful creation, the action adds a direct link - to the new task in the SOAR interface and provides the full JSON response for - downstream use. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new task in Asana, which is a project management tool. + This aligns with the 'Create Ticket' category, as creating a task is functionally + equivalent to creating a ticket or record in an external system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Creates a new task in Asana. This action allows users to programmatically\ + \ generate tasks within a specified project, optionally assigning them to a user\ + \ and setting a due date.\n\n### Flow Description\n1. The action extracts the\ + \ configuration parameters (Token, Base URL) and the action parameters (Task Subject,\ + \ Assignee, Due Date, Description, Project Name).\n2. An `AsanaManager` instance\ + \ is initialized with the provided credentials.\n3. The action retrieves the `project_id`\ + \ from Asana using the provided `Project Name`.\n4. If an `Assignee` is provided,\ + \ the action retrieves the corresponding `user_id` from Asana.\n5. The action\ + \ creates the task in the specified project using the retrieved IDs and the provided\ + \ task details.\n6. Upon successful creation, the task's permalink URL is added\ + \ to the action results, and the full JSON response is attached to the action\ + \ output.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Task Subject | string | Yes | The subject\ + \ of the new task. |\n| Assignee | string | No | The user to whom the task will\ + \ be assigned. Note: This is case-sensitive. |\n| Due Date | string | No | The\ + \ due date for the task in YYYY-MM-DD format. |\n| Description | string | Yes\ + \ | The description of the new task. |\n| Project Name | string | Yes | The name\ + \ of the project to which the task will be assigned. Note: This is case-sensitive.\ + \ |\n\n### Additional Notes\n- The `Project Name` and `Task Subject` are mandatory\ + \ for the action to function. \n- The `Assignee` and `Due Date` parameters are\ + \ optional; if not provided, the task will be created without them." capabilities: can_create_case_comments: false can_create_insight: false @@ -131,12 +173,19 @@ Create Task: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Creates a new task record in the specified Asana project via a POST request. + external_data_mutation_explanation: Creates a new task in the Asana project. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to retrieve project and user IDs (fetches_data=true) + and a POST request to create a task in Asana (can_mutate_external_data=true). + It does not modify internal Google SecOps data, update entities, create insights, + or modify alert data. categories: enrichment: false + reasoning: >- + The action creates data in an external system (Asana) rather than just retrieving + context. Therefore, it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -152,50 +201,79 @@ Create Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided input parameters to perform its task. Get Task: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches task details from Asana. This aligns with the 'Get Alert + Information' category, as it retrieves metadata about a specific object from + the third-party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves detailed information for a specific task from Asana. This action fetches + task metadata, including the task name, due date, and a direct link to the task + in Asana, and adds this information to the action results. - The **Get Task** action retrieves comprehensive details for a specific task in - Asana using its unique Task ID. This action allows analysts to pull context about - work items directly into Google SecOps for investigation or tracking purposes. + ### Flow Description - ### Parameters Description + 1. The action extracts the required configuration parameters (Token, Base URL) + and the mandatory 'Task ID' parameter. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. It initializes the `AsanaManager` to handle communication with the Asana API. - | **Task ID** | String | Yes | The unique identifier for the Asana task, typically - found in the task's URL (e.g., `https://app.asana.com/0/project_id/task_id`). - | + 3. It calls the `get_a_task` method to retrieve the task details from Asana. + 4. If the task is found, it adds a link to the task in the action results and + returns a success status. - ### Additional Notes + 5. If the task is not found, it returns a failure status. - - This action does not process or filter SecOps entities; it is a standalone data - retrieval task based on the provided ID. + 6. Finally, it adds the full JSON response containing the task details to the + action results. - - The action provides a direct link to the Asana task in the SecOps interface - for quick access. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Configuration Extraction**: Retrieves the API Token and Base URL from the - Asana integration configuration. + | :--- | :--- | :--- | :--- | - 2. **Parameter Retrieval**: Extracts the `Task ID` from the action parameters. + | Task ID | string | Yes | The unique identifier for the Asana task, which can + be found in the task's URL. | - 3. **API Interaction**: Initializes the Asana Manager and performs a GET request - to the `/tasks/{task_id}` endpoint. - 4. **Result Processing**: If the task is found, it extracts the task name, due - date, and permalink. + ### Additional Notes - 5. **Output**: Adds a link to the task and the full JSON response to the action - results, then terminates with a success message. + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -206,8 +284,17 @@ Get Task: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve task details from Asana. It does + not modify external data (no POST/PUT/DELETE). It does not modify internal Google + SecOps data (no entity updates, insights, or case comments). It simply fetches + data and presents it in the action results. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external system (Asana) but does not operate + on entities or modify internal SecOps data. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -223,14 +310,47 @@ Get Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It operates + solely based on the provided 'Task ID' parameter. List My Tasks: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of tasks from Asana. It does not match any of the + defined categories, as it is a task-listing utility rather than an enrichment, + containment, or ticket management action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List My Tasks** action retrieves a list of tasks associated with a specific - user within a designated Asana workspace. It allows analysts to view task details, - including names, due dates, and direct links to the tasks in Asana. This action - is useful for tracking user activity or verifying task statuses during an investigation. + Lists all the tasks associated with a user in Asana. This action retrieves task + details, including names and due dates, and provides links to the tasks in Asana. ### Parameters Description @@ -239,47 +359,39 @@ List My Tasks: | :--- | :--- | :--- | :--- | - | **User's Email** | String | Yes | The email address of the Asana user whose - tasks you want to retrieve. | + | User's Email | string | Yes | The email of the user you would like to retrieve + tasks for in Asana. | - | **Workspace Name** | String | Yes | The exact name of the Asana workspace. Note: - This is case-sensitive. | + | Workspace Name | string | Yes | The workspace name. Note: This is case sensitive. + | - | **Completed Status** | Boolean | No | If checked (True), the action retrieves - only tasks that have been marked as completed. If unchecked (False), it retrieves - only incomplete tasks. | + | Completed Status | boolean | No | Marking the checkbox will retrieve only the + tasks that were completed by the user. | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes the Asana manager using the configured - Personal Access Token and Base URL. + The action requires a valid Asana Personal Access Token and Base URL configured + in the integration settings. - 2. **User Identification**: It retrieves the unique Asana User ID (GID) associated - with the provided email address. - 3. **Workspace Identification**: It retrieves the unique Workspace ID (GID) by - matching the provided workspace name. + ### Flow Description - 4. **Task List Retrieval**: It fetches the specific 'User Task List' ID for the - identified user within the specified workspace. + 1. Extract configuration and action parameters. - 5. **Task Enumeration**: It retrieves the list of tasks contained within that - user's task list. + 2. Initialize `AsanaManager`. - 6. **Detail Fetching & Filtering**: For each task in the list, the action fetches - full task details and filters them based on the **Completed Status** parameter. + 3. Retrieve `user_id` and `workspace_id`. - 7. **Output**: Filtered tasks are added to the JSON result, and direct URLs to - the tasks are added as links in the action output. + 4. Fetch the user's task list ID. + 5. Retrieve all tasks from the user's task list. - ### Additional Notes + 6. Filter tasks based on the `Completed Status` parameter. - - This action does not iterate over entities in the case; it relies entirely on - the provided input parameters. + 7. Add task details to the JSON result and add links to the action results. - - The `Workspace Name` must be an exact match to the name in Asana. + 8. End the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -290,8 +402,14 @@ List My Tasks: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches task data from Asana via GET requests. It does not modify + external systems or internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action does not meet the criteria for an enrichment action as it does not + enrich entities or alerts, nor does it add insights or update entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -307,63 +425,84 @@ List My Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` and relies on action parameters + to identify the user and workspace. Therefore, it does not run on entities. List Project Tasks: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of tasks from Asana based on a project name. It + does not match any of the defined categories such as 'Enrich IOC', 'Enrich Asset', + 'Search Events', or 'Get Alert Information'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Project Tasks** action retrieves all tasks associated with a specific - project in Asana. It is designed to provide visibility into project progress by - fetching task details and filtering them based on their completion status. The - action outputs a detailed JSON result for each task and provides direct links - to the tasks in the Asana web interface for quick access. + This action retrieves a list of tasks from a specified Asana project. It allows + users to filter tasks based on their completion status. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract configuration parameters (Token, Base URL) and action parameters (Project + Name, Completed Status). - | :--- | :--- | :--- | :--- | + 2. Initialize the `AsanaManager` to interact with the Asana API. - | **Project Name** | String | Yes | The name of the Asana project from which you - want to fetch tasks. The action resolves this name to a project ID internally. - | + 3. Retrieve the project ID corresponding to the provided `Project Name`. - | **Completed Status** | Boolean | No | Determines which tasks to retrieve. If - set to `true`, only completed tasks are returned. If set to `false` (default), - only incomplete tasks are returned. | + 4. Fetch all tasks associated with the identified project. + 5. Iterate through the tasks, retrieving detailed information for each. - ### Flow Description + 6. Filter the tasks based on the `Completed Status` parameter. - 1. **Initialization**: The action extracts the Asana API token and base URL from - the integration configuration and the project name and completion status from - the action parameters. + 7. Add links to the tasks in the SOAR result and return the task details as a + JSON result. - 2. **Project Identification**: It calls the Asana API to find the unique project - ID associated with the provided **Project Name**. - 3. **Task Listing**: It retrieves a list of all task identifiers associated with - that project ID. + ### Parameters Description - 4. **Detail Retrieval & Filtering**: For each task identifier, the action fetches - full task details (including completion status, name, due date, and permalink). - It then filters these tasks to match the user-specified **Completed Status**. + | Parameter | Type | Mandatory | Description | - 5. **Result Compilation**: Matching tasks are added to the final JSON result. - For each matching task, a direct link containing the task name and due date is - added to the SOAR interface. + | --- | --- | --- | --- | - 6. **Completion**: The action ends by providing a summary message and the collected - task data. + | Project Name | string | Yes | The name of the project from which you would like + to fetch all the tasks. | + | Completed Status | boolean | No | Marking the checkbox will retrieve only the + tasks that were completed by the user. | - ### Additional Notes - - This action does not process SOAR entities (such as IP addresses or Hostnames); - it operates strictly based on the provided project name string. + ### Additional Notes - - If the specified project name cannot be found or contains no tasks matching - the filter, the action will return a failure status. + None. capabilities: can_create_case_comments: false can_create_insight: false @@ -374,8 +513,16 @@ List Project Tasks: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Asana API to retrieve project tasks. + It does not modify any external systems (no POST/PUT/DELETE on Asana) or internal + SOAR data (no entity updates, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a search/list operation for project tasks. It does not enrich + entities or alerts, nor does it meet the criteria for an enrichment action (which + requires operating on entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -391,49 +538,78 @@ List Project Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on user-provided parameters + (`Project Name`) to perform its search. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any functional + operations like enrichment, ticketing, or containment. Therefore, it does not + match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the Asana service. It ensures that the integration is correctly configured - with a valid Personal Access Token (PAT) and that the specified Base URL is reachable. - This action is typically used during the initial setup or for troubleshooting - communication issues. + This action tests the connectivity between the SOAR platform and the Asana API + to ensure the integration is configured correctly. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - * **Token**: The Personal Access Token used for authentication. + | Token | String | Yes | The personal access token (PAT) used for authentication + with the Asana API. | - * **Base URL**: The API endpoint URL for Asana. + | Base URL | String | Yes | The base URL of the Asana API. | ### Additional Notes - As per standard SOAR practices, Ping actions are used solely for health checks - and do not process entities or modify data within the case or the external system. + This action is a connectivity test and does not perform any data enrichment or + system modifications. It is intended for verification purposes only. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the 'Token' and 'Base URL' - from the Asana integration settings. + 1. The action extracts the `Token` and `Base URL` from the integration configuration. - 2. **Manager Initialization**: An instance of the `AsanaManager` is created using - the retrieved credentials. + 2. It initializes the `AsanaManager` with these credentials. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a GET request to the Asana `/users/me` endpoint. + 3. It executes the `test_connectivity` method, which performs a `GET` request + to the Asana API endpoint `/users/me`. - 4. **Response Validation**: The code checks if the API call was successful and - returned a valid JSON response. - - 5. **Result Reporting**: If the connection is successful, it returns a positive - status and a success message; otherwise, it reports a failure. + 4. If the request is successful, the action returns a success message; otherwise, + it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -442,10 +618,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update internal SOAR data, or process entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is designed solely to test connectivity. Per + the instructions, 'Ping' actions are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -461,50 +643,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` and performs a + global connectivity test. Remove User From Workspace: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes a user from an Asana workspace. This action revokes the user's + access to that workspace, which aligns with 'Disable Identity' (revoking access) + and 'Update Identity' (modifying membership/permissions). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - Removes a specific user from an Asana workspace using their email address. This - action is useful for offboarding users or managing workspace access programmatically - through Google SecOps. + This action removes a specified user from an Asana workspace. It interacts with + the Asana API to identify the workspace by name and then performs a removal operation + for the provided user email address. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Workspace Name | The name of the Asana workspace from which the user should - be removed. Note: This value is case-sensitive. | String | Yes | + | Workspace Name | string | Yes | The name of the Asana workspace from which the + user should be removed. Note: This is case-sensitive. | - | User's Email | The email address of the user to be removed from the workspace. - | String | Yes | + | User's Email | string | Yes | The email address of the user to be removed from + the workspace. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from - the integration settings. - - 2. **Parameter Retrieval**: Extracts the target Workspace Name and the User's - Email from the action inputs. - - 3. **Workspace Identification**: Calls the Asana API to list workspaces and identifies - the unique Workspace ID corresponding to the provided name. + 1. **Configuration Extraction**: The action retrieves the Asana API token and + base URL from the integration configuration. - 4. **User Removal**: Sends a POST request to the Asana `/removeUser` endpoint - for the identified workspace, passing the user's email in the request body. + 2. **Parameter Extraction**: The action retrieves the `Workspace Name` and `User's + Email` from the action parameters. - 5. **Result Handling**: Validates the API response. If the user is successfully - removed, it returns a success message; otherwise, it reports a failure. + 3. **Manager Initialization**: An `AsanaManager` instance is initialized with + the provided credentials. + 4. **Workspace Identification**: The action calls the Asana API to resolve the + `Workspace Name` to a unique `workspace_id`. - ### Additional Notes + 5. **User Removal**: The action sends a request to the Asana API to remove the + specified user from the identified workspace. - This action does not run on entities; it relies entirely on the provided string - parameters for the workspace name and user email. + 6. **Result Reporting**: The action returns a success or failure message based + on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -513,12 +727,19 @@ Remove User From Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a user's access and membership from a specific Asana workspace by sending - a POST request to the Asana API. + The action removes a user from an Asana workspace via an API call. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the workspace ID (fetches_data=true) + and a POST request to remove the user from the workspace (can_mutate_external_data=true). + It does not modify any internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (removes a user from a workspace), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -534,61 +755,92 @@ Remove User From Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize the `target_entities` list. It relies solely on + user-provided input parameters (Workspace Name and User's Email) to perform + its function. Update Task: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an existing task in Asana, which is a project management/ticketing + system. This aligns with the 'Update Ticket' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- ### General Description - Updates an existing task in Asana by modifying its assignee, due date, or description. - This action is useful for programmatically managing task lifecycles and ensuring - task metadata is kept up-to-date based on security orchestration workflows. + Updates an existing task in Asana. This action allows users to modify specific + fields of a task, such as the assignee, due date, and description, by providing + the task's unique identifier. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the required configuration parameters (Token, Base URL) + and action parameters (Task ID, Assignee, Due Date, Description). - | :--- | :--- | :--- | :--- | + 2. An `AsanaManager` instance is initialized to handle communication with the + Asana API. - | **Task ID** | String | Yes | The unique identifier of the Asana task to be updated. - This can be found in the task's URL. | + 3. If an assignee email is provided, the action resolves the email to a user ID + using the Asana API. - | **Due Date** | String | No | The new due date for the task in `YYYY-MM-DD` format. - | + 4. The action performs a `PUT` request to the Asana API to update the specified + task with the provided details (assignee, due date, and description). - | **Description** | String | No | The new description or notes for the task. | + 5. The updated task information is returned as a JSON result, and the action concludes + with a success message. - | **Assignee** | String | No | The email address of the user to whom the task - should be reassigned. Note that this is case-sensitive and will be resolved to - a user ID internally. | + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - The **Assignee** parameter requires a valid email address that exists within - the Asana workspace. The action will attempt to resolve this email to a GID (Global - ID) before updating the task. + | :--- | :--- | :--- | :--- | - - If optional parameters like **Due Date**, **Description**, or **Assignee** are - left blank, the action will still proceed, but those specific fields may be overwritten - with null or empty values depending on the API's behavior. + | Task ID | string | Yes | The unique identifier of the task to update. Can be + found in the Asana task URL. | + | Due Date | string | No | The new due date for the task in YYYY-MM-DD format. + | - ### Flow Description + | Description | string | No | The new description for the task. | - 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from - the integration settings. + | Assignee | string | No | The email address of the user to whom the task should + be re-assigned. | - 2. **Parameter Retrieval**: Extracts the Task ID and the optional update fields - (Assignee, Due Date, Description) from the action input. - 3. **User Resolution**: If an Assignee email is provided, the action calls the - Asana API to retrieve the corresponding User GID. + ### Additional Notes - 4. **Task Update**: Executes a PUT request to the Asana API endpoint for the specific - Task ID, updating the assignee, due date, and notes. + - The `Assignee` parameter is case-sensitive. - 5. **Result Processing**: Captures the API response, adds the updated task data - as a JSON result to the action, and returns a success message. + - The action requires a valid Personal Access Token (PAT) configured in the integration + settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -597,12 +849,18 @@ Update Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the properties (assignee, due date, and description) of an existing - task in the Asana platform via a PUT request. + Updates task details (assignee, due date, description) in Asana. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user information (GET) to resolve an email to a user ID and + then updates a task (PUT) in Asana. It does not modify internal SOAR data or + entities. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a task in Asana), so it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -618,3 +876,6 @@ Update Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It uses a `Task ID` provided as an + action parameter to perform the update. diff --git a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..133c0975d --- /dev/null +++ b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml @@ -0,0 +1,27 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: true + network_security: false + reasoning: >- + The Asana integration provides capabilities for task management and user access + control. It qualifies for 'IAM & Identity Management' because it includes actions + like 'Add User To Workspace' and 'Remove User From Workspace', which allow for + the management of user access and membership within the platform. It qualifies + for 'ITSM' because it includes actions like 'Create Task' and 'Update Task', which + are functionally equivalent to creating and updating tickets or assigning tasks + to teams for investigation and remediation. It does not qualify for 'Collaboration' + as defined in the context, which focuses on real-time communication platforms + like Slack/Teams for SOC notifications and human-in-the-loop approvals, whereas + Asana is a project/task management tool. It does not match other categories such + as SIEM, EDR, Network Security, Threat Intelligence, Email Security, Cloud Security, + Vulnerability Management, or Asset Inventory, as it does not interact with security + logs, endpoints, network infrastructure, threat feeds, email systems, cloud resources, + or vulnerability scanners. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml index 7159b452f..77e44a19a 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml @@ -1,25 +1,76 @@ Authorize Security Group Egress: - ai_description: "### General Description\nThis action adds or updates outbound (egress)\ - \ IP permissions for a specific AWS EC2 Security Group within a VPC. It allows\ - \ administrators to programmatically define network traffic rules, such as allowed\ - \ protocols, port ranges, and destination IP ranges (CIDR), directly from Google\ - \ SecOps.\n\n### Parameters Description\n| Parameter | Description | Type | Mandatory\ - \ |\n| :--- | :--- | :--- | :--- |\n| Group ID | The unique identifier of the\ - \ security group (e.g., sg-1a2b3c4d) where the outbound rules will be applied.\ - \ | String | Yes |\n| IP Permissions | A JSON-formatted string defining the egress\ - \ rules. This includes fields like `FromPort`, `ToPort`, `IpProtocol`, and `IpRanges`\ - \ (containing `CidrIp`). | Code | Yes |\n\n### Additional Notes\n- The `IP Permissions`\ - \ parameter must be a valid JSON array or object as expected by the Boto3 EC2\ - \ client. \n- This action performs a state-changing operation in the AWS environment.\n\ - \n### Flow Description\n1. **Credential Retrieval**: Extracts AWS Access Key,\ - \ Secret Key, and Default Region from the integration configuration.\n2. **Parameter\ - \ Extraction**: Retrieves the target Security Group ID and the JSON-formatted\ - \ IP permissions from the action input.\n3. **JSON Parsing**: Converts the `IP\ - \ Permissions` string into a structured Python dictionary/list.\n4. **AWS API\ - \ Interaction**: Uses the `EC2Manager` to call the AWS `authorize_security_group_egress`\ - \ API with the provided parameters.\n5. **Result Processing**: Captures the API\ - \ response, logs the outcome, and attaches the raw JSON result to the action output\ - \ for use in subsequent playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies AWS security group egress rules. This is an infrastructure + configuration change. It does not match any of the specific predefined categories + like 'Enrich IOC', 'Contain Host', or 'Add IOC To Blocklist'. Therefore, all + categories are false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Adds or updates outbound IP permissions for a specific security group in an AWS + VPC. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | Yes | The ID of the security group to modify. | + + | IP Permissions | code | Yes | JSON-formatted string defining the egress rules + (e.g., `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`). | + + + ### Additional Notes + + This action performs a direct mutation on the AWS EC2 infrastructure. Ensure that + the provided AWS credentials have the necessary permissions to modify security + group rules. + + + ### Flow Description + + 1. Extracts AWS credentials and action parameters (`Group ID`, `IP Permissions`). + + 2. Parses the `IP Permissions` JSON string into a dictionary. + + 3. Initializes the `EC2Manager` with the provided AWS credentials. + + 4. Executes the `authorize_security_group_egress` method to apply the new egress + rules to the specified security group. + + 5. Logs the operation status and adds the result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,12 +79,19 @@ Authorize Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS EC2 Security Group by adding - or updating egress (outbound) firewall rules. + Modifies AWS EC2 security group egress rules by adding new permissions. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action uses `boto3` to call `authorize_security_group_egress` on AWS EC2. + This is an external mutation. It does not fetch data for enrichment, nor does + it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (AWS EC2) and does not + fetch data for enrichment, nor does it modify internal SOAR data. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -49,56 +107,88 @@ Authorize Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific logic. + It operates on parameters provided in the action configuration. Authorize Security Group Ingress: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies AWS security group ingress rules. This is a configuration + change on an external system. It does not fit the specific definitions of IOC + block/allowlisting (which typically target specific indicators), identity management, + or ticket management provided in the list. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Authorize Security Group Ingress** action adds or updates inbound (ingress) - IP permissions for a specific AWS Security Group within a VPC. This action is - used to programmatically modify network access rules, allowing traffic from specified - IP ranges, protocols, and ports to reach AWS resources associated with the security - group. + The Authorize Security Group Ingress action modifies an AWS EC2 security group + by adding or updating inbound IP permissions. This action allows users to programmatically + define network access rules (e.g., opening specific ports for specific IP ranges) + directly within the AWS environment. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the necessary AWS credentials + (Access Key ID, Secret Access Key) and the default region from the integration + configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Group ID` and the `IP Permissions` + (provided as a JSON string) from the action parameters. - | **Group ID** | String | No | The unique identifier of the AWS Security Group - (e.g., `sg-1a2b3c4d`) to which the inbound rules will be added. | + 3. **Initialization**: An `EC2Manager` instance is initialized using the extracted + credentials to interface with the AWS EC2 API. - | **IP Permissions** | Code (JSON) | No | A JSON-formatted string defining the - ingress rule. It typically includes `IpProtocol` (e.g., 'tcp'), `FromPort`, `ToPort`, - and `IpRanges` (containing `CidrIp`). | + 4. **Execution**: The action calls the `authorize_security_group_ingress` method, + which applies the specified ingress rules to the target security group. + 5. **Result Handling**: The action logs the outcome and returns the API response + as a JSON result to the SOAR platform. - ### Flow Description - 1. **Credential Retrieval:** The action extracts AWS Access Key ID, Secret Access - Key, and Default Region from the integration configuration. + ### Parameters Description - 2. **Parameter Extraction:** It retrieves the target `Group ID` and the `IP Permissions` - JSON string from the action parameters. + | Parameter | Type | Mandatory | Description | - 3. **Data Parsing:** The `IP Permissions` string is parsed from JSON into a dictionary - format required by the AWS SDK. + | :--- | :--- | :--- | :--- | - 4. **AWS API Call:** The action utilizes the `EC2Manager` to invoke the `authorize_security_group_ingress` - method, which communicates with the AWS EC2 service to apply the new rules. + | Group ID | string | No | The ID of the security group (e.g., sg-1a2b3c4d) to + which the inbound IP permissions will be added. | - 5. **Result Processing:** The response from AWS is captured and attached as a - JSON result. The action concludes with a success message if the rules were applied - successfully, or an error message if the operation failed. + | IP Permissions | code | No | A JSON-formatted string defining the ingress rules. + Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`. | ### Additional Notes - - This action performs a state-changing operation in the external AWS environment. - - - Although parameters are marked as non-mandatory in the configuration, the action - logic expects valid values to successfully execute the AWS API call. + While the parameters are marked as not mandatory in the configuration, they are + required for the action to function correctly. The `IP Permissions` parameter + must be a valid JSON string that conforms to the AWS EC2 `IpPermissions` structure. capabilities: can_create_case_comments: false can_create_insight: false @@ -107,12 +197,19 @@ Authorize Security Group Ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or updates inbound (ingress) firewall rules in an AWS Security Group, modifying - the network access control list for associated VPC resources. + Modifies AWS EC2 security group configuration by adding inbound ingress rules. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (AWS EC2) by adding ingress + rules to a security group. It does not fetch data from external systems, nor + does it modify internal SOAR data such as entities, insights, or alert metadata. categories: enrichment: false + reasoning: >- + The action is a mutation action that changes the state of an external system + (AWS). It does not retrieve data for enrichment purposes, nor does it meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -128,57 +225,70 @@ Authorize Security Group Ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It relies entirely + on user-provided parameters (`Group ID` and `IP Permissions`) to perform its + task. Create Instance: - ai_description: >- - ### General Description - - Creates one or more Amazon EC2 instances based on a specified Amazon Machine Image - (AMI). This action is designed to be asynchronous, polling the AWS environment - until the instances transition from a 'pending' state to a 'running' state. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Image ID | String | No | The AMI ID used to create the instance (e.g., `ami-12345`). - | - - | Instance Type | String | No | The hardware configuration for the instance (e.g., - `m1.small`). Defaults to `m1.small` if not provided. | - - | Max Count | String | Yes | The maximum number of instances to launch. | - - | Min Count | String | Yes | The minimum number of instances to launch. | - - | Security Group ID | String | No | Comma-separated list of Security Group IDs - to associate with the instances. | - - - ### Flow Description - - 1. **Initialization**: The action extracts AWS credentials and region from the - integration configuration and parameters from the action settings. - - 2. **Instance Creation (First Run)**: It calls the AWS EC2 `run_instances` API - to initiate the creation of the specified number of instances. - - 3. **State Check**: If the created instances are in a `pending` state, the action - saves the instance IDs and sets the execution status to `IN_PROGRESS`. - - 4. **Polling (Subsequent Runs)**: The action periodically checks the status of - the pending instances using the `describe_instances` API. - - 5. **Completion**: Once all instances reach the `running` state, the action completes - and returns the full JSON details of the created instances. - - - ### Additional Notes - - This action requires the AWS EC2 integration to be configured with valid Access - Key ID, Secret Access Key, and Default Region. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an AWS EC2 instance. This does not match any of the provided + categories (e.g., Enrichment, Ticket creation, Containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action creates a new Amazon EC2 instance\ + \ within an AWS environment based on the provided Amazon Machine Image (AMI) ID\ + \ and configuration parameters. It supports asynchronous execution, allowing the\ + \ action to poll the instance status until it reaches a 'running' state.\n\n###\ + \ Flow Description\n1. **Initialization**: The action extracts AWS credentials\ + \ (Access Key, Secret Key, Region) and action parameters (Image ID, Instance Type,\ + \ Max/Min Count, Security Group IDs).\n2. **Instance Creation**: It initializes\ + \ the `EC2Manager` and calls the AWS `run_instances` API to initiate the creation\ + \ of the requested EC2 instances.\n3. **Status Check (First Run)**: \n - If\ + \ the instance state is 'pending', the action sets the execution status to 'In\ + \ Progress' and stores the instance IDs in the `additional_data` field for subsequent\ + \ polling.\n - If the instance state is 'running', the action completes successfully\ + \ and returns the instance details.\n4. **Status Check (Subsequent Runs)**: If\ + \ the action is triggered again (polling), it uses the stored instance IDs to\ + \ call `describe_instances` to check the current status of the instances.\n5.\ + \ **Completion**: Once the instances reach the 'running' state, the action completes\ + \ and returns the instance details in the result JSON.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Image ID | string | No | The AMI ID to create the new instance from (e.g., ami-12345).\ + \ |\n| Instance Type | string | No | The hardware configuration for the instance\ + \ (e.g., m1.small). |\n| Max Count | string | Yes | The maximum number of instances\ + \ to create. |\n| Min Count | string | Yes | The minimum number of instances to\ + \ create. |\n| Security Group ID | string | No | Comma-separated IDs of security\ + \ groups to assign to the instance (e.g., sg-12345,sg-6789). |\n\n### Additional\ + \ Notes\n- This action performs a state-changing operation on an external AWS\ + \ environment.\n- The action is designed to be asynchronous; if instances are\ + \ not immediately 'running', it will require subsequent runs to verify the final\ + \ state." capabilities: can_create_case_comments: false can_create_insight: false @@ -187,12 +297,19 @@ Create Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new EC2 instances in the AWS environment based on the provided AMI and - configuration. + The action creates new EC2 instances in the AWS environment via the run_instances + API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the AWS EC2 API to create instances (mutating external + data) and describes instances to check their status (fetching data). It does + not modify internal SOAR data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because its primary purpose is to create + an external resource (EC2 instance), not to retrieve context for existing entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -208,57 +325,83 @@ Create Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates based on parameters provided in the action configuration. Create Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies AWS EC2 resources by adding tags. This does not align with + any of the provided categories (e.g., it is not an identity, alert, ticket, + or email update). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates or overwrites tags for specified AWS EC2 resources, such as - instances, volumes, or security groups. It allows users to programmatically manage - metadata for their AWS infrastructure directly from Google SecOps by providing - a list of resource IDs and a JSON-formatted set of tags. + Creates or updates tags for specified AWS EC2 resources. This action allows users + to apply key-value pairs to one or more EC2 resources, facilitating better resource + management and organization within the AWS environment. ### Parameters Description - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | Resources ID | A comma-separated list of AWS resource IDs (e.g., i-1234567890abcdef0) - that you want to tag. | String | Yes | + | --- | --- | --- | --- | - | Tags | A JSON-formatted string defining the tags to be applied. It must follow - the structure: `{"tags": [{"Key": "key1", "Value": "value1"}]}`. | Code | Yes + | Resources ID | string | Yes | Comma-separated list of AWS resource IDs to tag. | + | Tags | code | Yes | JSON-formatted string representing the tags to apply (e.g., + `{"tags": [{"Key": "k", "Value": "v"}]}`). | - ### Additional Notes - - - This action is case-sensitive regarding tag keys and values. - - If a tag key already exists on a resource, its value will be overwritten by - the new value provided in this action. + ### Flow Description - - Each resource can have a maximum of 50 tags. + 1. Extract AWS credentials (Access Key ID, Secret Access Key) and Default Region + from the integration configuration. + 2. Extract the `Resources ID` and `Tags` parameters from the action settings. - ### Flow Description + 3. Parse the `Resources ID` string into a list and the `Tags` JSON string into + a list of dictionaries. - 1. **Parameter Extraction**: The action retrieves AWS credentials (Access Key, - Secret Key, Region) from the integration configuration and the target Resource - IDs and Tags from the action parameters. + 4. Iterate through each resource ID and call the AWS EC2 `create_tags` API to + apply the specified tags. - 2. **Data Parsing**: The `Tags` parameter is parsed from a JSON string into a - Python list, and the `Resources ID` string is split into individual identifiers. + 5. Log the outcome for each resource and return the results as a JSON object. - 3. **AWS Interaction**: For each provided Resource ID, the action calls the AWS - EC2 `create_tags` API via the `EC2Manager` to apply the specified tag set. - 4. **Result Logging**: The action tracks which resources were successfully tagged - and which encountered errors. + ### Additional Notes - 5. **Final Output**: Success and failure details are added to the action's JSON - results, and a summary message is displayed in the SOAR interface. + This action performs a direct mutation on AWS resources. Ensure that the provided + AWS credentials have the necessary `ec2:CreateTags` permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -267,12 +410,18 @@ Create Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds or overwrites tags on AWS EC2 resources, which modifies the - metadata state of those resources in the AWS environment. + Modifies AWS EC2 resources by adding or updating tags. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `create_tags` operation on AWS EC2 resources, which is + an external mutation. It does not fetch data for enrichment, nor does it modify + internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS resources) and does not fetch + data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -288,54 +437,83 @@ Create Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Resources ID` as a string parameter and does not interact + with the `siemplify.target_entities` list. Delete Instance: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action terminates an EC2 instance, which is a form of host-level remediation. + This aligns with the 'Contain Host' category, as it effectively removes the + instance from the operational environment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Deletes (terminates) specific Amazon EC2 instances within a specified AWS region. - This action is used to permanently remove virtual server instances from an AWS - environment. It supports processing multiple instances in a single execution and - handles the asynchronous nature of AWS instance termination. + This action terminates specified AWS EC2 instances. It is designed to perform + a destructive remediation action on cloud infrastructure by invoking the AWS EC2 + `terminate_instances` API. The action processes a list of instance IDs provided + by the user, attempts to delete them, and reports the final status of each instance + (e.g., 'shutting-down' or 'terminated'). - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Instance Ids | Content | Yes | A comma-separated list of EC2 instance IDs to - be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | + | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance IDs + to be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | ### Flow Description - 1. **Credential Extraction**: Retrieves AWS Access Key ID, Secret Access Key, - and Default Region from the integration configuration. - - 2. **Input Parsing**: Extracts the `Instance Ids` parameter and splits the comma-separated - string into a list of individual identifiers. + 1. **Configuration Extraction**: The action retrieves the necessary AWS credentials + (Access Key ID, Secret Access Key) and the default region from the integration + configuration. - 3. **Instance Termination**: Iterates through the list of instance IDs and calls - the AWS EC2 `terminate_instances` API for each. + 2. **Parameter Parsing**: The `Instance Ids` parameter is extracted and split + into a list of individual instance IDs. - 4. **State Verification**: Evaluates the `CurrentState` returned by AWS. If an - instance is in the `shutting-down` state, the action status is set to `IN_PROGRESS` - (async). If the state is `terminated`, the instance is logged as successfully - deleted. + 3. **Manager Initialization**: An `EC2Manager` object is instantiated using the + provided credentials to interface with the AWS SDK (boto3). - 5. **Result Reporting**: Adds the raw API response for each successfully terminated - instance to the JSON results and returns the total count of deleted instances - as the final result value. - - - ### Additional Notes + 4. **Execution**: The action iterates through the list of instance IDs and calls + the `delete_instance` method for each. - - Deleted instances remain visible in the AWS console for approximately one hour - after termination. + 5. **Status Verification**: For each request, the action checks the returned instance + state. If the state is 'shutting-down' or 'terminated', it logs the success; otherwise, + it captures and logs any errors encountered. - - The action will log an error for any instance that cannot be transitioned to - a terminated state from its current state. + 6. **Result Reporting**: The action compiles the results into a JSON object, logs + the outcome, and returns the total count of successfully deleted instances. capabilities: can_create_case_comments: false can_create_insight: false @@ -344,12 +522,20 @@ Delete Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Terminates (deletes) EC2 instances in the target AWS account and region, which - is a permanent state change for those resources. + Terminates the specified AWS EC2 instances, which is a permanent state change + in the AWS environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive mutation (termination) on external AWS EC2 + instances. It does not fetch data for enrichment purposes, nor does it modify + internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action is a remediation/mutation action that modifies external infrastructure + state. It does not meet the criteria for an enrichment action as it does not + retrieve context for entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -365,62 +551,61 @@ Delete Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the SOAR `target_entities` list. It relies + entirely on a user-provided input parameter ('Instance Ids') to identify the + resources to act upon. Find Instance: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for AWS EC2 instances based on provided IDs or filters. + This matches the 'Search Asset' category. It does not enrich existing entities, + update alerts, or perform any mutation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action fetches detailed information about specific AWS EC2 instances or searches - for instances based on provided filters. It is primarily used for visibility and - data gathering regarding the state and configuration of virtual machines within - an AWS environment. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Instance Ids | String | No | A comma-separated list of AWS Instance IDs (e.g., - i-1234567890abcdef0). If provided, the action fetches details for these specific - instances. | - - | Filters | Content (JSON) | No | A JSON-formatted string defining filters to - apply to the search (e.g., `{"Name": "instance-type", "Values": ["t2.micro"]}`). - | - - | Max Results | String | No | The maximum number of instances to return in the - result set, ranging from 5 to 1000. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves AWS credentials (Access Key, - Secret Key, Region) and the user-provided parameters (Instance IDs, Filters, Max - Results). - - 2. **Manager Initialization:** An EC2 Manager is initialized to handle communication - with the AWS API using the Boto3 library. - - 3. **Data Retrieval:** - - If **Instance Ids** are provided: The action iterates through the list and - calls the `describe_instances` API for each ID individually. - - If **Instance Ids** are NOT provided: The action performs a single `describe_instances` - call using the provided **Filters** and **Max Results**. - 4. **Result Processing:** The action collects the metadata for all found instances - and formats it into a JSON object. - - 5. **Completion:** The action outputs the JSON result and a summary message indicating - which instances were successfully retrieved. - - - ### Additional Notes - - - If neither **Instance Ids** nor **Filters** are specified, the action will attempt - to return information for all instances in the configured region (subject to the - **Max Results** limit). - - - This action is read-only and does not modify any AWS resources. + The 'Find Instance' action retrieves detailed information about specific AWS EC2 + instances or a list of instances based on provided filters. It interacts with + the AWS EC2 API to fetch instance data, which is then returned as a JSON result + for further analysis or reporting. The action flow is as follows: 1. It extracts + the necessary AWS configuration parameters (Access Key ID, Secret Access Key, + and Default Region). 2. It extracts the action-specific parameters: 'Instance + Ids' (a comma-separated list of IDs), 'Filters' (a JSON object defining criteria + like instance type), and 'Max Results' (an integer limiting the number of returned + instances). 3. It initializes an 'EC2Manager' object to handle the AWS API communication. + 4. It calls the 'describe_instances' method using the provided parameters. 5. + It logs the success or failure of the operation for each instance ID. 6. Finally, + it adds the retrieved instance details to the action's result JSON and terminates + the action. Parameters: 'Instance Ids' (string, optional): The instance IDs to + fetch, e.g., 'i-1234567890abcdef0,i-0987654321fedcba0'. 'Filters' (content, optional): + A JSON object for filtering instances, e.g., '{"Name": "instance-type", "Values": + ["t2.micro"]}'. 'Max Results' (string, optional): The maximum number of results + to return, ranging from 5 to 1000. capabilities: can_create_case_comments: false can_create_insight: false @@ -431,8 +616,17 @@ Find Instance: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only 'describe_instances' operation against the AWS + EC2 API. It fetches data based on user-provided parameters and returns it as + a JSON result. It does not modify any external system state, nor does it modify + internal SOAR case data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action performs a search/lookup of AWS EC2 instances. It does not operate + on existing SOAR entities (no 'target_entities' iteration), so it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -448,25 +642,82 @@ Find Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over 'siemplify.target_entities'. It relies on user-provided + parameters ('Instance Ids', 'Filters') to query AWS EC2 directly. Therefore, + it does not process any entity types. Ping: - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity between Google SecOps and the Amazon Web Services (AWS) EC2\ - \ environment. It serves as a diagnostic tool to ensure that the provided credentials\ - \ (Access Key ID and Secret Access Key) and the specified region are correct and\ - \ that the system can successfully communicate with the AWS API.\n\n### Parameters\ - \ Description\nThis action does not require any input parameters from the user\ - \ at runtime. It relies entirely on the integration's configuration parameters:\n\ - * **Access Key ID**: The AWS access key used for authentication.\n* **Secret Access\ - \ Key**: The AWS secret key used for authentication.\n* **Default Region**: The\ - \ AWS region to which the connectivity test is directed.\n\n### Flow Description\n\ - 1. **Configuration Extraction**: The action retrieves the AWS credentials and\ - \ region from the integration settings.\n2. **Manager Initialization**: An instance\ - \ of the `EC2Manager` is created using the extracted configuration.\n3. **Connectivity\ - \ Test**: The action calls the `test_connectivity` method, which executes the\ - \ AWS `describe_regions` API call.\n4. **Result Handling**: \n * If the API\ - \ call is successful, the action returns a success message (\"Connected successfully\"\ - ) and a `True` status.\n * If the API call fails, it returns a failure message\ - \ (\"The Connection failed\") and a `False` status." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General description + + Tests connectivity to the AWS EC2 service to verify that the provided credentials + and region configuration are valid. + + + ### Parameters description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Access Key ID | String | Yes | The AWS Access Key ID used for authentication. + | + + | Secret Access Key | String | Yes | The AWS Secret Access Key used for authentication. + | + + | Default Region | String | Yes | The AWS region to connect to (e.g., us-east-1). + | + + + ### Additional notes + + This action is a connectivity test and does not perform any data enrichment or + mutation. + + + ### Flow description + + 1. The action extracts the AWS credentials and region from the integration configuration. + + 2. It initializes the `EC2Manager` with the provided credentials. + + 3. It calls the `test_connectivity` method, which performs a `describe_regions` + API call to AWS. + + 4. If the API call succeeds, the action returns a success status; otherwise, it + returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -477,8 +728,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a `describe_regions` API call to AWS to verify connectivity. + This is a read-only operation that fetches data (connectivity status) but does + not mutate external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the guidelines, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -494,13 +752,49 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only uses configuration parameters + to test connectivity. Revoke Security Group Egress: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies an external security control (AWS Security Group) by removing + egress rules, which prevents traffic. This aligns with the 'Add IOC To Blocklist' + category, as it updates security controls to prevent interaction. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Revokes specified outbound (egress) IP permissions from a specific AWS EC2 Security - Group within a VPC. This action is used to tighten network security by removing - existing rules that allow traffic to leave the environment. + This action revokes outbound IP permissions (egress rules) for a specified AWS + EC2 security group. It interacts with the AWS EC2 API to remove specific network + rules, effectively restricting outbound traffic as defined by the provided IP + permissions. ### Parameters Description @@ -509,37 +803,38 @@ Revoke Security Group Egress: | :--- | :--- | :--- | :--- | - | Group ID | String | No | The unique identifier of the security group (e.g., - sg-1a2b3c4d) from which permissions will be revoked. | + | Group ID | string | No | The security group ID for which you want to revoke + outbound IP permissions in a VPC. | - | IP Permissions | Code (JSON) | No | A JSON-formatted object defining the protocol, - port range, and CIDR blocks to be removed. Example: `{"FromPort": 80, "IpProtocol": - "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], "ToPort": 80}`. | + | IP Permissions | code | No | The IP permissions in a JSON format (e.g., `{"FromPort": + 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], "ToPort": 80}`). + | ### Additional Notes - - While parameters are marked as non-mandatory in the configuration, providing - both the `Group ID` and valid `IP Permissions` is required for the action to successfully - execute the revocation logic. - - - This action interacts directly with the AWS EC2 API and requires appropriate - IAM permissions (`ec2:RevokeSecurityGroupEgress`). + This action performs a direct mutation on the AWS EC2 security group configuration. + Ensure that the provided `Group ID` and `IP Permissions` are accurate to avoid + unintended network restrictions. ### Flow Description - 1. **Configuration Extraction**: Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + 1. The action extracts the AWS credentials (Access Key ID, Secret Access Key, + Default Region) from the integration configuration. - 2. **Parameter Parsing**: Extracts the target Security Group ID and the IP permissions - JSON string, converting the latter into a Python dictionary. + 2. It extracts the `Group ID` and `IP Permissions` parameters provided by the + user. - 3. **API Interaction**: Utilizes the `EC2Manager` to call the AWS Boto3 `revoke_security_group_egress` - method. + 3. The `IP Permissions` parameter is parsed from a JSON string into a dictionary. - 4. **Result Processing**: Captures the API response, logs the outcome, and provides - the raw JSON result to the SOAR platform. + 4. An `EC2Manager` instance is initialized with the extracted AWS credentials. + + 5. The action calls the `revoke_security_group_egress` method of the `EC2Manager` + to remove the specified egress rules from the target security group. + + 6. The outcome of the operation is logged, and the result is added to the action's + output. capabilities: can_create_case_comments: false can_create_insight: false @@ -548,12 +843,19 @@ Revoke Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes egress (outbound) firewall rules from an AWS EC2 Security Group, modifying - the network security configuration of the VPC. + Removes specified egress rules from an AWS EC2 security group, effectively blocking + outbound traffic defined by those rules. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a direct API call to AWS EC2 to modify security group rules. + It does not fetch data for enrichment, nor does it modify internal SOAR case + data. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS security groups) and does not + fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -569,58 +871,81 @@ Revoke Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It relies on user-provided parameters (`Group ID` and `IP Permissions`) + to perform its task. Revoke Security Group ingress: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies AWS security group rules to revoke inbound IP permissions. + This action effectively restricts network traffic, which aligns with the 'Add + IOC To Blocklist' category as it updates security controls to prevent future + interaction. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Revokes inbound IP permissions for a specific security group in an AWS VPC. This + action interacts with the AWS EC2 service to remove ingress rules, effectively + restricting network access based on the provided configuration. - This action revokes specific inbound (ingress) IP permissions from a designated - AWS EC2 Security Group within a VPC. It is primarily used for containment or security - posture management by removing existing rules that allow network traffic based - on protocol, port ranges, and CIDR blocks. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | string | No | The unique identifier of the security group (e.g., - `sg-1a2b3c4d`) from which you want to revoke inbound permissions. | - - | IP Permissions | code | No | A JSON-formatted string defining the specific IP - permissions to be removed. It should include keys like `FromPort`, `ToPort`, `IpProtocol`, - and `IpRanges`. | + | Group ID | string | No | The security group ID for which you want to revoke + ingress IP permissions. | + | IP Permissions | code | No | The IP permissions in a JSON format. For example: + `{"FromPort": 80,"IpProtocol": "tcp","IpRanges": [{"CidrIp": "1.1.1.1/16"}],"ToPort": + 80}` | - ### Additional Notes - - This action interacts directly with the AWS EC2 API using the `boto3` library. + ### Flow Description - - While the parameters are marked as not mandatory in the configuration, the action - logic requires both a valid `Group ID` and `IP Permissions` JSON to successfully - execute the revocation request to AWS. + 1. Extract AWS credentials (Access Key ID, Secret Access Key, Default Region) + from the integration configuration. - ### Flow Description + 2. Extract the `Group ID` and `IP Permissions` from the action parameters. - 1. **Configuration Extraction**: The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + 3. Parse the `IP Permissions` parameter from a JSON string into a dictionary. - 2. **Parameter Parsing**: It extracts the `Group ID` and the `IP Permissions` - string from the action input. The `IP Permissions` string is parsed from JSON - into a Python dictionary. + 4. Initialize the `EC2Manager` with the provided AWS credentials. - 3. **Manager Initialization**: An instance of the `EC2Manager` is created using - the provided AWS credentials and region. + 5. Execute the `revoke_security_group_ingress` method to remove the specified + ingress rules from the AWS security group. - 4. **Revocation Execution**: The action calls the `revoke_security_group_ingress` - method in the manager, which sends a request to the AWS EC2 service to remove - the specified rules. - - 5. **Result Handling**: If successful, the API response is added to the action's - JSON results, and the action completes with a success message. If an error occurs - during the API call, it is logged, and the action reports a failure. + 6. Log the outcome and return the result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -629,13 +954,19 @@ Revoke Security Group ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS EC2 Security Group by removing - (revoking) existing ingress rules, which changes the allowed network traffic - state in the AWS environment. + Modifies AWS EC2 security group rules by revoking specified inbound IP permissions. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a direct mutation on an external AWS EC2 resource by calling + `revoke_security_group_ingress`. It does not fetch data for enrichment, nor + does it modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS security groups) and does not + perform any data retrieval for enrichment purposes. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -651,27 +982,85 @@ Revoke Security Group ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies solely + on action parameters provided by the user. Therefore, it does not use any entity + types. Start Instance: - ai_description: "### General Description\nStarts one or more specified AWS EC2 instances.\ - \ This action is used to transition stopped instances into a running state. It\ - \ supports asynchronous execution, meaning if an instance is in a 'pending' state,\ - \ the action will remain 'In Progress' until the operation completes or times\ - \ out.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **Instance Ids** | Content (String) | Yes\ - \ | A comma-separated list of AWS EC2 instance identifiers to be started (e.g.,\ - \ `i-1234567890abcdef0, i-0987654321fedcba0`). |\n\n### Flow Description\n1. **Configuration\ - \ Extraction**: Retrieves AWS credentials (Access Key ID, Secret Access Key) and\ - \ the default region from the integration settings.\n2. **Parameter Parsing**:\ - \ Extracts the `Instance Ids` string and converts it into a list of individual\ - \ identifiers.\n3. **AWS Interaction**: For each instance ID, the action calls\ - \ the AWS EC2 `start_instances` API via the `EC2Manager`.\n4. **State Verification**:\ - \ \n * If the instance state is returned as `running`, it is marked as successfully\ - \ started.\n * If the instance state is `pending`, the action status is set\ - \ to `IN_PROGRESS` to allow for asynchronous tracking.\n * If the instance\ - \ is in an incompatible state or an error occurs, the failure is logged.\n5. **Result\ - \ Reporting**: Returns the total count of successfully started instances as the\ - \ result value and provides a detailed JSON object containing the API responses\ - \ for each instance." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action starts an AWS EC2 instance. This is an infrastructure management + action. It does not match any of the provided categories (Enrichment, Containment, + Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Starts specified AWS EC2 instances. This action interacts with the AWS EC2 API + to initiate the startup process for one or more instances identified by their + IDs. + + + ### Flow Description + + 1. Extract configuration parameters (Access Key ID, Secret Access Key, Default + Region) from the integration settings. + + 2. Extract the 'Instance Ids' parameter provided by the user. + + 3. Initialize the `EC2Manager` with the provided credentials. + + 4. Iterate through the list of instance IDs. + + 5. For each ID, call the `start_instances` method via the AWS EC2 API. + + 6. Verify the current state of the instance (pending or running). + + 7. Log the status and add the result JSON to the action output. + + 8. Terminate the action with a summary message and the count of successfully started + instances. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Instance Ids | content | Yes | A comma-separated list of EC2 instance IDs to + start. | + + + ### Additional Notes + + This action performs a state-changing operation on external AWS infrastructure. capabilities: can_create_case_comments: false can_create_insight: false @@ -679,12 +1068,19 @@ Start Instance: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Changes the operational state of AWS EC2 instances from stopped to started/running. - fetches_data: true + external_data_mutation_explanation: Starts the specified AWS EC2 instances. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (starting an EC2 instance) on + an external system (AWS). It does not fetch contextual data for enrichment, + nor does it modify internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a control/mutation action (starting an instance) and does not + perform any enrichment or data retrieval for context. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -700,51 +1096,53 @@ Start Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes a string + parameter 'Instance Ids' to identify the targets. Therefore, it does not use + any entity types. Stop Instance: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action stops an AWS EC2 instance, which is a form of containment (isolating + the host). It does not match other categories like enrichment or ticket creation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Stops one or more specified AWS EC2 instances. This action interacts with the - AWS EC2 service to transition instances from a running state to a stopped state. - It supports stopping multiple instances simultaneously and provides an option - to force the shutdown. Because instance shutdown can take time, the action is - designed to run asynchronously, tracking the state until the instances are confirmed - as stopping or stopped. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance identifiers - (e.g., `i-0123456789abcdef0, i-0abcdef1234567890`) to be stopped. | - - | Force Instance To Stop | Boolean | No | If set to `true`, forces the instance - to stop immediately without flushing file system caches or metadata. Default is - `false`. | - - - ### Flow Description - - 1. **Initialization**: Retrieves AWS credentials (Access Key, Secret Key) and - the default region from the integration configuration. - - 2. **Parameter Parsing**: Extracts the list of instance IDs from the action parameters - and splits them into individual identifiers. - - 3. **Execution**: Iterates through each instance ID and calls the AWS EC2 `stop_instances` - API via the `EC2Manager`. - - 4. **State Monitoring**: Evaluates the response for each instance: - * If the state is `stopping`, the instance is added to a tracking list, and - the action status is set to `IN_PROGRESS` to allow for asynchronous completion. - * If the state is `stopped`, the instance is marked as successfully stopped. - * If the instance is in an incompatible state or an error occurs, an exception - is logged for that specific instance. - 5. **Result Reporting**: Returns the total count of successfully stopped instances - as the result value and provides detailed JSON data for each processed instance. + General description: This action stops specified AWS EC2 instances. Parameters + description: | Parameter | Type | Mandatory | Description | | --- | --- | --- + | --- | | Instance Ids | content | Yes | Comma-separated list of instance IDs + to stop. | | Force Instance To Stop | boolean | No | Forces the instance to stop + without processing file system caches/metadata. | Additional notes: None. Flow + description: 1. Extract AWS credentials and action parameters. 2. Initialize EC2Manager + with credentials. 3. Iterate through the provided list of instance IDs. 4. Call + the AWS EC2 API to stop each instance. 5. Log the status of each instance (stopping, + stopped, or error). 6. Add the result JSON to the action output and terminate + the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -752,13 +1150,16 @@ Stop Instance: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Changes the operational state of AWS EC2 instances from 'running' to 'stopping' - or 'stopped'. - fetches_data: true + external_data_mutation_explanation: Stops the specified AWS EC2 instances. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state change on an external AWS EC2 instance by calling + the stop_instances API. It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (stopping instances) and does not perform enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -774,3 +1175,6 @@ Stop Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes Instance Ids as a direct input parameter (string) and does + not interact with siemplify.target_entities. diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4d0b36f1b --- /dev/null +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The integration provides management capabilities for AWS EC2 instances, which + are cloud-native resources, fitting the 'Cloud Security' category. It allows for + the modification of Security Group ingress and egress rules, which functions as + a network-level control, fitting the 'Network Security' category. Additionally, + the 'Find Instance' action allows for the retrieval of detailed information about + EC2 instances, aligning with 'Asset Inventory' capabilities. It does not provide + EDR (process-level activity), SIEM (log analysis), or other listed categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml index 8428bc2df..a09e98699 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml @@ -1,46 +1,51 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. It is a utility action + for verifying integration settings. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity to the Azure DevOps instance using the provided configuration - parameters. This action is primarily used to verify that the Personal Access Token, - Organization, and Base URL are correctly configured and that the Google SecOps - environment can reach the Azure DevOps API. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | N/A | This action does not have any input parameters. It relies solely on the - integration's configuration parameters (Personal Access Token, Organization, and - Base URL). | N/A | N/A | - - - ### Additional Notes - - * This is a standard 'Ping' action used for integration health checks. - - * It uses the `azure-devops` Python library to interact with the API. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the `Personal Access Token`, - `Organization`, and `Base URL` from the integration settings. - - 2. **Authentication**: It sets up Basic Authentication using the provided token. - - 3. **Connection Initialization**: It establishes a connection to the Azure DevOps - service URL (constructed as `Base URL/Organization`). - - 4. **Connectivity Test**: It attempts to retrieve the list of projects using the - `get_projects()` method to verify the API connection. - - 5. **Result Reporting**: Based on the success or failure of the API call, it returns - a boolean result and a status message to the SOAR platform. + General description: This action tests the connectivity between the SOAR platform + and the Azure DevOps integration. It verifies that the provided credentials and + configuration settings are valid by attempting to retrieve the list of projects + from the Azure DevOps instance. Parameters description: The action requires the + following parameters: Personal Access Token (String, Mandatory): The personal + access token used for authentication with Azure DevOps. Organization (String, + Mandatory): The name of the Azure DevOps organization. Base URL (String, Mandatory): + The base URL for the Azure DevOps instance. Additional notes: This action is a + connectivity test and does not perform any data enrichment or modification of + external or internal systems. Flow description: 1. Extract the configuration parameters + (Personal Access Token, Organization, Base URL). 2. Initialize the Azure DevOps + connection using the provided credentials. 3. Attempt to retrieve the list of + projects using the core client. 4. Return a success or failure message based on + the outcome of the connection attempt. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,10 +54,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action attempts to connect to an external service (Azure DevOps) to verify + credentials and connectivity. It performs a GET-like operation (get_projects) + to test the connection. It does not mutate external data, nor does it interact + with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is named Ping. According to the instructions, Actions named Ping + must not be categorized as enrichment actions. Even though it fetches data (projects), + it is a connectivity test, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -68,59 +82,79 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It is a global connectivity test. Trigger Azure Build: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers an external build process in Azure DevOps and monitors its + status. It does not perform enrichment, containment, or ticketing operations. + It is an automation/orchestration action. Therefore, it does not match any of + the provided categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Triggers an Azure DevOps build pipeline for a specific build definition ID and - monitors its progress until completion. This action is designed to automate CI/CD - workflows or infrastructure-as-code tasks directly from Google SecOps by interacting - with the Azure DevOps REST API. - - - ### Parameters Description + Triggers an Azure DevOps pipeline build and monitors its status asynchronously. + This action allows users to initiate automated workflows in Azure DevOps by providing + a build definition ID and associated variables. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Build Definition Id | String | Yes | The unique identifier for the build definition - (pipeline) in Azure DevOps that you want to trigger. | + 1. Extracts configuration parameters (Project, Organization, Token, Base URL) + and action parameters (Build Definition ID, Build Variables). - | Build Variables | Code (JSON) | Yes | A JSON-formatted string containing the - variables to be passed to the build pipeline. For example: `{"ENV": "production", - "VERSION": "1.0.1"}`. | + 2. Sends a POST request to the Azure DevOps API to initiate the build. + 3. Returns the triggered build ID. - ### Additional Notes + 4. Asynchronously polls the Azure DevOps API (via `query_job`) to check the build + status until completion. - - This action is asynchronous. It will trigger the build and then periodically - poll Azure DevOps to check the status of the job until it reaches a terminal state - (Succeeded, Failed, or Canceled). - - The integration must be configured with a valid Organization, Project, and Personal - Access Token (PAT) with sufficient permissions to trigger and view builds. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | --- | --- | --- | --- | - 1. **Initialization**: The action retrieves integration configuration (Base URL, - Organization, Project, PAT) and action parameters (Build Definition ID, Build - Variables). + | Build Definition Id | string | Yes | The build definition ID of the pipeline + you want to trigger. | - 2. **Trigger Build**: It sends a POST request to the Azure DevOps API (`_apis/build/builds`) - to initiate the pipeline execution. + | Build Variables | code | Yes | The variables to pass for the given pipeline. + | - 3. **Capture Build ID**: Upon a successful trigger, it extracts the `build_id` - from the response and transitions to an 'In Progress' state. - 4. **Status Polling (Async)**: The `query_job` function periodically sends GET - requests to the Azure DevOps API to monitor the `status` and `result` of the specific - `build_id`. + ### Additional Notes - 5. **Completion**: The action concludes with a 'Completed' status if the build - result is `succeeded` or `partiallySucceeded`. It returns a 'Failed' status if - the build fails, is canceled, or encounters an error. + This action is asynchronous and will continue to run until the build is completed + or failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -129,11 +163,18 @@ Trigger Azure Build: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new build pipeline execution in the Azure DevOps environment. + Triggers a new build pipeline in Azure DevOps. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers an external build (POST) and polls for status (GET). It + does not modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is an automation/orchestration task that triggers an external process. + It does not fetch context for entities (enrichment) or perform any of the other + defined categories. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -149,27 +190,75 @@ Trigger Azure Build: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses configuration and action + parameters to trigger a build. Wait Until Web Resource Is Up: - ai_description: "### General Description\nThis action is a utility designed to monitor\ - \ the availability of a specific web resource. It performs an HTTP GET request\ - \ to a provided URL and checks if the resource is accessible (returning a successful\ - \ status code). Because the action is marked as asynchronous, it is typically\ - \ used in playbooks to pause execution until a specific service or endpoint becomes\ - \ reachable.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| URL | String | Yes | The full\ - \ URL of the web resource to check for availability. |\n\n### Additional Notes\n\ - - This action does not interact with Google SecOps entities.\n- It is an asynchronous\ - \ action; if the web resource is down, the action returns an 'In Progress' state,\ - \ allowing the SOAR platform to retry the check until the resource is up or a\ - \ timeout is reached.\n\n### Flow Description\n1. **Parameter Extraction**: The\ - \ action retrieves the mandatory `URL` parameter from the input.\n2. **Connectivity\ - \ Check**: It performs an HTTP GET request to the specified URL with a 5-second\ - \ timeout.\n3. **Status Evaluation**: \n - If the request is successful (status\ - \ code < 400), the resource is considered 'up'.\n - If the request fails or\ - \ an exception occurs, the resource is considered 'down'.\n4. **Execution Control**:\ - \ \n - If 'up', the action finishes with a `COMPLETED` state.\n - If 'down',\ - \ the action finishes with an `IN_PROGRESS` state, signaling the platform to retry\ - \ later." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a health check on a URL to determine if it is reachable. + It does not fit into any of the provided categories (Enrichment, Containment, + Ticket management, etc.). It is a workflow utility action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + This action polls a specified URL to check if a web resource is available (HTTP + 200 OK). It is designed to be used in asynchronous workflows where the system + needs to wait for a service or endpoint to become reachable. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | URL | string | Yes | The URL of the web resource to check. | + + + ### Flow Description + + 1. Extract the `URL` parameter. + + 2. Perform an HTTP GET request to the provided URL. + + 3. Check if the response status is successful (HTTP 200-299). + + 4. If successful, return `True` and set the execution state to `COMPLETED`. + + 5. If unsuccessful, return `False` and set the execution state to `INPROGRESS` + (triggering a retry/wait). + + + ### Additional Notes + + This is an orchestration utility action used for workflow control. It does not + perform enrichment or modify any system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -180,8 +269,17 @@ Wait Until Web Resource Is Up: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to check the availability of a web resource. + It does not modify any external or internal data. It is an orchestration/utility + action used to control workflow execution flow (wait/retry). categories: enrichment: false + reasoning: >- + The action is a utility/orchestration action used to poll a URL for availability. + It does not retrieve context about alerts or entities, nor does it update entity + profiles or case data. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -197,3 +295,6 @@ Wait Until Web Resource Is Up: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any entity-specific + logic. It operates on a standalone URL parameter. diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..3ae69e9e5 --- /dev/null +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The azure_devops integration is designed for CI/CD pipeline management, specifically + enabling users to trigger builds and monitor their status. Reviewing the provided + actions (Ping, Trigger Azure Build, Wait Until Web Resource Is Up), none of them + align with the security-focused categories defined in the schema. It does not + perform SIEM, EDR, Network Security, or Threat Intelligence functions. It does + not manage email, identity, or cloud infrastructure security configurations. While + Azure DevOps includes project management features that could theoretically overlap + with ITSM, the specific actions provided do not include ticket creation or task + assignment capabilities. It does not function as an asset inventory tool or a + collaboration platform for SOC workflows. Therefore, none of the defined product + categories are applicable. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml index 4785952fa..d4dcb73f5 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml @@ -1,11 +1,42 @@ Add Domain to Allowed Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a domain to an allowed list in Bandura Cyber, which directly + matches the 'Add IOC To Allowlist' category. It does not perform enrichment, + alert updates, or other containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Domain to Allowed Lists** action allows users to add the domain component - of URL entities to a specific Allowed List within the Bandura Cyber platform. - This is typically used to whitelist known-safe domains to prevent them from being - blocked by security policies. + This action adds a domain to a specified Allowed List within the Bandura Cyber + platform. It processes URL entities, extracts the domain component, and performs + an API request to update the external allowlist configuration. ### Parameters Description @@ -14,36 +45,32 @@ Add Domain to Allowed Lists: | :--- | :--- | :--- | :--- | - | **List Name** | String | Yes | The exact name of the Allowed List in Bandura - where the domain should be added. Note: This is case-sensitive. | + | List Name | string | Yes | The name of the Allowed List to which the domain + should be added. This value is case-sensitive. | - | **Description** | String | No | A custom description to associate with the domain - entry in the list. | - - | **Expiration Date** | String | No | The date and time when the domain should - be automatically removed from the list (e.g., `2020-01-01T12:00:00.000+00:00`). + | Description | string | No | A description for the entry being added to the list. | + | Expiration Date | string | No | The date and time when the entity should be + removed from the list. Format: 2020-01-01T12:00:00.000+00:00. | - ### Flow Description - 1. **Initialization**: The action retrieves connection details (API Root, credentials) - and user-provided parameters (List Name, Description, Expiration Date). + ### Flow Description - 2. **Entity Filtering**: It identifies all URL entities within the current context. + 1. **Initialization**: The action initializes the Bandura Cyber Manager using + the provided API credentials. - 3. **Domain Extraction**: For each URL, the script parses the string to extract - the network location (domain). + 2. **Entity Filtering**: It iterates through the `target_entities` and filters + for those with the `URL` entity type. - 4. **List Identification**: It queries the Bandura API to find the unique identifier - (UUID) for the provided `List Name`. + 3. **Domain Extraction**: For each valid entity, it extracts the domain (netloc) + from the URL. - 5. **External Mutation**: It sends a POST request to the Bandura Cyber API to - create a new entry in the specified Allowed List containing the domain, description, - and expiration date. + 4. **API Interaction**: It retrieves the list UUID from Bandura Cyber and then + sends a POST request to add the domain to the specified Allowed List. - 6. **Result Reporting**: The action collects the API responses and provides a - summary of which domains were successfully added to the list. + 5. **Result Output**: The action adds the result of the operation to the JSON + output and terminates with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -52,12 +79,20 @@ Add Domain to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain entry to a specified Allowed List in the Bandura Cyber platform - via a POST request. + Adds a domain to the specified allowed list in the Bandura Cyber platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bandura Cyber API to add a domain + to an allowed list, which constitutes external data mutation. It also performs + a GET request to retrieve the list UUID, so it fetches data. It does not modify + internal SOAR data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data (adds to an allowlist), which violates the + 'External State Preservation' rule for enrichment actions. Therefore, it is + not an enrichment action. entity_usage: entity_types: - DestinationURL @@ -74,12 +109,46 @@ Add Domain to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `entity.entity_type + == URL`. This indicates the action processes URL entities. Add Domain to Denied Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a domain to a 'Denied List' in Bandura Cyber, which is an external + security control. This directly aligns with the 'Add IOC To Blocklist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds URL entities to a specified Denied List in Bandura Cyber. This action is - primarily used for containment by blocking malicious or suspicious domains at - the network level. It extracts the domain (netloc) from the URL entity and pushes - it to the external Bandura Cyber platform. + Adds a domain to a specific Denied List in the Bandura Cyber platform. This action + extracts the domain from URL entities, queries the Bandura Cyber API to identify + the target list's UUID, and then performs a POST request to add the domain to + that list. ### Parameters @@ -88,47 +157,36 @@ Add Domain to Denied Lists: | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The name of the Denied List where the domain should - be added. Note: This value is case-sensitive. | - - | Description | string | No | A descriptive note to be attached to the entry in - the denied list. | + | List Name | string | Yes | The name of the Denied List to which the entity should + be added. This is case-sensitive. | - | Expiration Date | string | No | The date and time when the entity should be - automatically removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.mmm+00:00`. + | Description | string | No | A description for the entry being added to the list. | + | Expiration Date | string | No | The date and time for the entity to be removed + from the list. Format: 2020-01-01T12:00:00.000+00:00. | - ### Flow Description - - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the configured Username and Password to retrieve an access token. - - 2. **Entity Selection**: It filters the target entities to identify those of type - URL. - 3. **Domain Parsing**: For each identified URL, the action extracts the domain - component (netloc) using standard URL parsing logic. + ### Flow Description - 4. **List Lookup**: It queries the Bandura Cyber platform to find the internal - UUID associated with the provided 'List Name'. + 1. **Configuration Initialization**: Retrieves API credentials (API Root, Username, + Password) and SSL verification settings. - 5. **External Mutation**: The action performs a POST request to the Bandura Cyber - API to add the domain to the specified denied list, including the optional description - and expiration date if provided. + 2. **Entity Filtering**: Iterates through the `target_entities` and filters for + entities of type `URL`. - 6. **Result Processing**: It captures the API response for each entity and returns - a summary of the entities successfully added to the list. + 3. **Domain Extraction**: For each valid entity, parses the URL to extract the + domain (netloc). + 4. **List Identification**: Queries the Bandura Cyber API to retrieve the list + of denied domains and matches the provided `List Name` to obtain its UUID. - ### Additional Notes - - - The action specifically targets the domain portion of a URL. If a full path - is included in the URL entity, only the root domain/subdomain will be blocked - in Bandura Cyber. + 5. **Mutation**: Sends a POST request to the Bandura Cyber API to add the domain + to the identified Denied List, including the optional description and expiration + date. - - If the specified 'List Name' does not exist in the Bandura Cyber environment, - the action will fail to add the entities. + 6. **Result Reporting**: Updates the action result with the status of the operation + and provides a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,12 +195,19 @@ Add Domain to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds domain entries to a specified denied list within the Bandura Cyber platform - via a POST request to the /denied-lists/domain/{uuid}/entries endpoint. - fetches_data: false + Adds a domain to a denied list in the Bandura Cyber platform. + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve list information (fetches_data=true) + and a POST request to add a domain to a denied list (can_mutate_external_data=true). + It does not modify internal SOAR case data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data by adding an IOC to a blocklist. It does not + meet the criteria for an enrichment action as it performs a state change on + an external system. entity_usage: entity_types: - DestinationURL @@ -159,50 +224,82 @@ Add Domain to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == URL`. This maps to the 'DestinationURL' entity type in the provided schema. Add IP to Allowed Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds an IP address to an allowed list in Bandura Cyber, which directly + matches the 'Add IOC To Allowlist' expected outcome. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds IP address entities to a specified IPv4 Allowed List in Bandura Cyber. This - action allows for automated whitelisting of IP addresses by adding them to existing - manual lists within the Bandura GMC platform. It supports specifying network masks, - descriptions, and expiration dates for each entry. + Adds an IP address to a specified IPv4 Allowed List in Bandura Cyber. This action + allows security analysts to whitelist IP addresses directly from the SOAR platform, + ensuring that traffic from these IPs is permitted by the Bandura Cyber security + controls. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the Bandura Cyber manager using + the provided credentials and API root. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: It filters the target entities to process only those + of type `ADDRESS`. - | List Name | String | Yes | The case-sensitive name of the Allowed List where - the IP will be added. | + 3. **List Retrieval**: For each entity, the action performs a GET request to retrieve + the UUID of the specified Allowed List by name. - | Description | String | No | A description to associate with the allowed list - entry. | + 4. **Addition**: It performs a POST request to add the IP address, along with + optional parameters like maskbit, description, and expiration date, to the identified + Allowed List. - | Maskbit | Integer | No | The network mask for the IP address (default is 32). - | + 5. **Result Reporting**: The action returns the result of the operation and updates + the SOAR result JSON. - | Expiration Date | String | No | The date and time when the entry should be automatically - removed (Format: YYYY-MM-DDTHH:MM:SS.mmm+00:00). | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: Connects to the Bandura Cyber API using the provided credentials - to obtain an access token. + | :--- | :--- | :--- | :--- | - 2. **List Identification**: Retrieves the unique identifier (UUID) for the specified - 'List Name' by querying the Bandura Cyber allowed lists. + | List Name | string | Yes | The name of the Allowed List to which the entity + should be added. This is case-sensitive. | - 3. **Entity Processing**: Filters the target entities to identify all IP Address - (ADDRESS) entities. + | Description | string | No | A description for the allowed list entity. | - 4. **External Mutation**: For each identified IP, sends a POST request to Bandura - Cyber to add the address to the identified Allowed List using the provided mask, - description, and expiration date. + | Maskbit | integer | No | The range of IP addresses to add (default is 32). | - 5. **Result Reporting**: Aggregates the API responses and provides a summary of - the entities successfully added to the list. + | Expiration Date | string | No | The date and time when the entity should be + removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | capabilities: can_create_case_comments: false can_create_insight: false @@ -211,12 +308,20 @@ Add IP to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP addresses to a specified allowed list in the Bandura Cyber platform, - which modifies the active security policy of the external system. + Adds the IP address to the specified allowed list in the Bandura Cyber system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the list UUID and a POST request + to add the IP to the allowed list. It mutates external data (Bandura Cyber allowlist). + It does not mutate internal SOAR data (no entity updates, insights, or case + comments). categories: enrichment: false + reasoning: >- + The action mutates external data (adds to allowlist), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -233,52 +338,86 @@ Add IP to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `ADDRESS` entities using `entity.entity_type == ADDRESS`. Add IP to Denied Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds an IP address to a 'Denied List' in Bandura Cyber, which directly + aligns with the 'Add IOC To Blocklist' category. It does not perform enrichment, + host containment, or other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds IP Address entities to a specified Denied List in Bandura Cyber. This action - allows security teams to dynamically block malicious or suspicious IP addresses - by adding them to existing blocklists within the Bandura platform. It supports - specifying CIDR masks, descriptions, and expiration dates for each entry. + This action adds an IP address to a specified Denied List within the Bandura Cyber + platform. It allows analysts to block malicious IP addresses by adding them to + existing denied lists, supporting optional parameters like description, subnet + mask, and expiration date. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | String | Yes | The exact name of the Denied List to which the IP - will be added. Note: This value is case-sensitive. | + | List Name | string | Yes | The name of the Denied List to which the entity should + be added. This is case-sensitive. | - | Description | String | No | A comment or description to be associated with the - IP entry in the Bandura list. | + | Description | string | No | A description for the denied list entry. | - | Maskbit | Integer | No | Defines the network mask for the IP address. Defaults - to 32 (single host). | + | Maskbit | integer | No | The subnet mask for the IP address. Defaults to 32. + | - | Expiration Date | String | No | The timestamp for when the IP should be removed - from the list. Expected format: `2020-01-01T12:00:00.000+00:00`. | + | Expiration Date | string | No | The date and time when the entity should be + removed from the list. Format: 2020-01-01T12:00:00.000+00:00. | ### Flow Description - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the configured credentials to obtain an access token. + 1. **Initialization**: The action initializes the Bandura Cyber Manager using + the provided credentials. - 2. **Entity Filtering**: It identifies all entities of type `ADDRESS` (IP addresses) - within the current scope. + 2. **Entity Filtering**: It iterates through the `target_entities` and filters + for those with the type `ADDRESS`. - 3. **List Lookup**: For each IP, the action queries the Bandura API to find the - unique identifier (UUID) of the Denied List provided in the 'List Name' parameter. + 3. **List Retrieval**: For each valid entity, the action retrieves the UUID of + the target Denied List by name. - 4. **Addition**: It sends a POST request to the Bandura API to add the IP address - to the identified Denied List, including the provided mask, description, and expiration - date. + 4. **Mutation**: It performs a POST request to the Bandura Cyber API to add the + IP address to the specified Denied List with the provided configuration (maskbit, + description, expiration). - 5. **Result Processing**: The action collects the API responses and reports which - entities were successfully added to the list. + 5. **Result Reporting**: The action adds the result of the operation to the JSON + result output and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -287,12 +426,19 @@ Add IP to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP addresses to a specified Denied List in the Bandura Cyber platform, - which modifies the active blocklist configuration. + Adds the IP address to the specified Denied List in the Bandura Cyber platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (GET) to retrieve the list UUID and performs a mutation + (POST) to add the IP to the denied list in the external Bandura Cyber system. + It does not modify internal SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action mutates external data (adds an IP to a blocklist) and does not meet + the criteria for an enrichment action (which must be read-only regarding external + systems). entity_usage: entity_types: - ADDRESS @@ -309,29 +455,58 @@ Add IP to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for entities where `entity.entity_type == ADDRESS`. Get Allowed Domain Lists: - ai_description: "### General Description\nThis action retrieves information about\ - \ Allowed Domain Lists from the Bandura Cyber platform. It allows users to fetch\ - \ either all available allowed domain lists or a specific list by providing its\ - \ name. The retrieved data is presented as a data table and attached as a JSON\ - \ file to the case for further analysis.\n\n### Parameters Description\n| Parameter\ - \ Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- | :---\ - \ | :--- |\n| List Name | The specific name of the allowed domain list to retrieve.\ - \ This parameter is case-sensitive. | String | No | If left empty, the action\ - \ will retrieve all available allowed domain lists. |\n\n### Additional Notes\n\ - - This action does not operate on specific entities (like IPs or Domains) within\ - \ the case; instead, it queries the global configuration of the Bandura Cyber\ - \ instance.\n- The action requires valid API credentials (Username and Password)\ - \ configured in the integration settings.\n\n### Flow Description\n1. **Authentication**:\ - \ The action starts by authenticating with the Bandura Cyber GMC API using the\ - \ provided credentials to obtain an access token.\n2. **Data Retrieval**: It calls\ - \ the Bandura Cyber API to fetch the allowed domain lists.\n3. **Filtering**:\ - \ If a `List Name` was provided as an input, the action filters the API response\ - \ to find the specific list matching that name.\n4. **Output Generation**: \n\ - \ - It creates a data table named 'Bandura Allowed Domain Lists' containing\ - \ the list details.\n - It attaches the raw JSON response as a file named 'allowed_domain_lists.txt'\ - \ to the case.\n5. **Cleanup**: The action logs out of the Bandura Cyber session\ - \ and terminates." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of allowed domains from an external system. It does + not match the expected outcomes for enrichment (as it does not enrich an indicator), + alert management, or containment. It is a general information retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Retrieves a list of allowed domains from the Bandura Cyber platform.\ + \ This action allows users to query the system for specific allowed domain lists\ + \ by name or retrieve all available lists if no name is provided.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the Bandura Cyber\ + \ manager using the provided API credentials (API Root, Username, Password).\n\ + 2. **Data Retrieval**: It performs a GET request to the Bandura Cyber API to fetch\ + \ the allowed domain lists. If a 'List Name' is provided, the results are filtered\ + \ accordingly.\n3. **Output Generation**: \n - If lists are found, the action\ + \ attaches the raw JSON response as a file, adds a data table to the action results,\ + \ and sets the result JSON.\n - If no lists are found, it returns a message\ + \ indicating no results were found.\n4. **Cleanup**: The session is closed via\ + \ the manager's logout method.\n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| List Name | string | No |\ + \ The name of the specific allowed domain list to retrieve. If left empty, all\ + \ lists are returned. |\n\n### Additional Notes\nThis action is a read-only operation\ + \ and does not modify any external or internal system state." capabilities: can_create_case_comments: false can_create_insight: false @@ -342,8 +517,17 @@ Get Allowed Domain Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve domain + list information. It does not perform any POST/PUT/DELETE operations on external + systems, nor does it modify internal SOAR case data such as entities, alerts, + or insights. It simply outputs the retrieved data to the action results. categories: enrichment: false + reasoning: >- + The action fetches data from an external system but does not enrich specific + entities or alerts. It is a general data retrieval action and does not meet + the criteria for an Enrichment Action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -359,33 +543,61 @@ Get Allowed Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It operates + independently of the case entities. Get Allowed IP Lists: - ai_description: "### General Description\nRetrieves information about Allowed IPv4\ - \ Lists from the Bandura Cyber platform. This action allows users to fetch metadata\ - \ for all available allowed IP lists or filter for a specific list by its name.\ - \ The retrieved data, which typically includes list names, UUIDs, and configurations,\ - \ is presented as a data table and attached as a JSON file to the case for further\ - \ analysis.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| List Name | String | No | The\ - \ specific name of the Allowed IPv4 List to retrieve. Note: This parameter is\ - \ case-sensitive. If left empty, the action retrieves all available allowed IP\ - \ lists associated with the account. |\n\n### Additional Notes\n- This action\ - \ focuses on retrieving the list definitions/metadata. It does not retrieve the\ - \ individual IP entries contained within those lists.\n- The action requires valid\ - \ API credentials (Username and Password) configured in the integration settings.\n\ - \n### Flow Description\n1. **Initialization**: The action initializes the Bandura\ - \ Cyber manager using the provided API Root, Username, and Password.\n2. **Authentication**:\ - \ It performs a login request to the Bandura Cyber GMC API to obtain an access\ - \ token.\n3. **Data Retrieval**: The action calls the `show_allowed_ip_list` method,\ - \ which sends a GET request to the Bandura Cyber API to fetch the allowed IPv4\ - \ lists.\n4. **Filtering**: If a `List Name` is provided as an input, the action\ - \ filters the API response to return only the list that matches the specified\ - \ name.\n5. **Output Generation**: \n - The raw JSON results are added as an\ - \ attachment named `allowed_ip_lists.txt`.\n - A data table named `Bandura\ - \ Allowed IP Lists` is created to display the results in the SOAR interface.\n\ - \ - The results are also saved as the action's JSON result.\n6. **Cleanup**:\ - \ The action logs out of the Bandura Cyber session to ensure security and ends\ - \ the execution with a summary message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of allowed IPs from an external system. It does + not match any of the specific categories like 'Enrich IOC' (as it doesn't take + an IOC as input), 'Search Events', or others. It is a configuration retrieval + action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Retrieves a list of allowed IPv4 addresses from the Bandura Cyber\ + \ platform. This action fetches the configured allowed IP lists, optionally filtered\ + \ by a specific list name, and provides the results as a data table and JSON attachment\ + \ for analysis.\n\n### Flow Description\n1. **Configuration Extraction**: The\ + \ action retrieves the necessary API credentials (API Root, Username, Password)\ + \ and optional parameters (List Name) from the integration configuration.\n2.\ + \ **Authentication**: It initializes the `BanduraCyberManager` and authenticates\ + \ with the Bandura Cyber API.\n3. **Data Retrieval**: It calls the `show_allowed_ip_list`\ + \ method to fetch the allowed IP lists from the external system.\n4. **Result\ + \ Processing**: \n - If lists are found, it attaches the raw JSON results to\ + \ the action, adds a data table to the case, and returns the JSON results.\n \ + \ - If no lists are found, it returns a message indicating no results were found.\n\ + 5. **Cleanup**: It logs out of the Bandura Cyber session.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | List Name | string | No | The name of the specific allowed IP list to retrieve.\ + \ If not provided, all lists are returned. |\n\n### Additional Notes\n- This action\ + \ does not modify any external or internal data. It is a read-only operation used\ + \ for information retrieval." capabilities: can_create_case_comments: false can_create_insight: false @@ -396,8 +608,16 @@ Get Allowed IP Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve allowed IP lists from the Bandura + Cyber API. It does not modify any external systems or internal SOAR case data. + It only reports results via data tables and JSON attachments. categories: enrichment: false + reasoning: >- + The action retrieves data from an external system but does not act on specific + entities or alerts to enrich them. It is a general utility action for retrieving + configuration lists, thus it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -413,41 +633,97 @@ Get Allowed IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It operates independently + of the SOAR entity model. Get Denied Domain Lists: - ai_description: "### General Description\nThe **Get Denied Domain Lists** action\ - \ retrieves information about denied domain lists from the Bandura Cyber platform.\ - \ It allows users to view all available denied domain lists or filter for a specific\ - \ list by name. The retrieved data is presented as a data table and a JSON attachment\ - \ within the Google SecOps case wall for further analysis.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | List Name | String | No | The specific name of the denied domain list to retrieve.\ - \ This parameter is case-sensitive. If left empty, the action retrieves all available\ - \ denied domain lists. |\n\n### Flow Description\n1. **Authentication**: The action\ - \ authenticates with the Bandura Cyber GMC API using the provided Username and\ - \ Password to obtain an access token.\n2. **Data Retrieval**: It performs a GET\ - \ request to the Bandura Cyber API to fetch the denied domain lists associated\ - \ with the account.\n3. **Filtering**: If the `List Name` parameter is provided,\ - \ the action filters the API response to find the specific list matching that\ - \ name.\n4. **Output Generation**: \n - The action attaches the raw JSON results\ - \ as a file named `denied_domain_lists.txt` to the case.\n - It constructs\ - \ and adds a data table named \"Bandura Denied Domain Lists\" to the case wall.\n\ - \ - It populates the action's JSON result with the retrieved data.\n5. **Session\ - \ Termination**: The action explicitly logs out of the Bandura Cyber platform\ - \ to invalidate the session token." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of denied domains, which provides threat intelligence + and reputation context. This aligns with the 'Enrich IOC' category. It does + not perform any other actions such as blocking, ticket creation, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves a list of denied domains from the Bandura Cyber platform. This action + fetches the configured denied domain lists, optionally filtered by a specific + list name, and presents the results within the SOAR case as an attachment, a data + table, and a JSON result. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | List Name | string | No | The name of the specific denied domain list to retrieve. + If not provided, all lists are returned. | + + + ### Flow Description + + 1. Extracts integration configuration parameters (API Root, Username, Password, + Verify SSL). + + 2. Initializes the `BanduraCyberManager` to establish a session with the Bandura + Cyber API. + + 3. Calls the `show_denied_domain_list` method to retrieve the requested denied + domain lists. + + 4. If results are found, adds the data to the SOAR case using `add_attachment`, + `add_data_table`, and `add_result_json`. + + 5. Logs the outcome and terminates the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and a file attachment to the case wall containing - the retrieved denied domain list information. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve denied + domain lists. It does not mutate external systems. It adds results to the SOAR + case using standard output methods (attachments, data tables), which is standard + for enrichment actions and does not constitute a mutation of existing internal + case data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data (denied domain lists) from an external + system and presents it within the SOAR case. It does not mutate external systems + or modify existing internal case data, fitting the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -463,58 +739,105 @@ Get Denied Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates globally based on the provided configuration and parameters. Get Denied IP Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of denied IPs from an external system. It does not + match any of the specific categories like 'Enrich IOC' (no entity input), 'Contain + Host', or 'Search Events' (which typically refers to logs/telemetry). It is + a general data retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves a list of denied IPv4 addresses from the Bandura Cyber platform. This + action allows users to optionally filter by a specific list name to narrow down + the results. The retrieved data is returned as a JSON object, a data table, and + an attached text file for further analysis. - Retrieves denied IPv4 lists from the Bandura Cyber platform. This action allows - users to fetch details about specific denied IP lists or all available lists associated - with the account to understand which IP ranges are currently being blocked. + ### Flow Description - ### Parameters Description + 1. **Configuration Initialization**: The action initializes the integration using + the provided API Root, Username, Password, and SSL verification settings. - | Parameter | Type | Mandatory | Description | + 2. **Manager Instantiation**: A `BanduraCyberManager` instance is created to handle + the API communication. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval**: The action calls the `show_denied_ip_list` method, passing + the optional `List Name` parameter to fetch the relevant denied IP list from the + Bandura Cyber API. - | List Name | String | No | The name of the specific denied IP list to retrieve. - This parameter is case-sensitive. If not provided, the action retrieves all denied - IP lists. | + 4. **Result Processing**: + - If data is returned, the action attaches the raw JSON output as a file, displays + the results in a data table, and adds the JSON result to the action output. + - If no data is found, the action returns a message indicating that no lists + were found. + 5. **Session Termination**: The action logs out of the Bandura Cyber session. - ### Flow Description + ### Parameters Description - 1. **Authentication**: Connects to the Bandura Cyber API using the configured - credentials (Username and Password) to obtain an access token. + | Parameter | Type | Mandatory | Description | - 2. **Data Retrieval**: Calls the Bandura Cyber API to fetch denied IPv4 lists. + | :--- | :--- | :--- | :--- | - 3. **Filtering**: If a `List Name` is provided, the action filters the retrieved - lists to match the specified name. + | List Name | string | No | The name of the specific denied IP list to retrieve. + This parameter is case-sensitive. If left empty, the action retrieves all available + denied IP lists. | - 4. **Internal Updates**: Adds the raw JSON results as a file attachment named - `denied_ip_lists.txt` and creates a data table named `Bandura Denied IP Lists` - on the case wall for immediate visibility. - 5. **Cleanup**: Logs out of the Bandura Cyber session to ensure security. + ### Additional Notes - 6. **Completion**: Returns a success message and the JSON results to the SOAR - platform. + - This action is a read-only operation and does not modify any data in the Bandura + Cyber platform or the SOAR environment. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the case wall and attaches a text file containing - the raw JSON results to the case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve denied + IP lists. It does not modify any external systems or internal SOAR data. It + does not interact with entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action does not take entities as input and does not enrich them. It is a + standalone utility to fetch data from an external system. Therefore, it does + not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -530,72 +853,98 @@ Get Denied IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or use `siemplify.target_entities`. It operates + independently of any specific entity. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, blocking, or creating tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity and - authentication configuration between Google SecOps and the Bandura Cyber platform. - Its primary purpose is to ensure that the integration can successfully communicate - with the Bandura Cyber API using the provided credentials. - + Tests connectivity to the Bandura Cyber API. This action verifies the integration's + ability to communicate with the external service by performing an authentication + request and subsequently terminating the session. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | **API Root** | String | Yes | The base URL for the Bandura Cyber API instance - (e.g., https://gmc.banduracyber.com/api/v2/). | + ### Flow Description - | **Username** | String | Yes | The username used for authenticating with the - Bandura Cyber service. | + 1. Extracts configuration parameters: **API Root**, **Username**, **Password**, + and **Verify SSL**. - | **Password** | String | Yes | The password used for authenticating with the - Bandura Cyber service. | + 2. Initializes the `BanduraCyberManager` which performs an authentication request + (POST) to the Bandura Cyber API to retrieve an access token. - | **Verify SSL** | Boolean | No | Determines whether to verify the SSL certificate - of the API endpoint. Defaults to `False`. | + 3. Performs a logout request (POST) to terminate the session. + 4. Checks if the access token was successfully retrieved to determine the connection + status. - ### Additional Notes + 5. Returns a success or failure message to the SOAR platform. - This action is a global utility and does not operate on specific entities (IPs, - Domains, etc.). It uses the integration's configuration parameters to perform - a test login and logout sequence. + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the API Root, Username, Password, - and SSL verification settings from the integration configuration. + | :--- | :--- | :--- | :--- | - 2. **Manager Initialization**: It initializes the `BanduraCyberManager`, which - automatically attempts a login (`POST /auth/login`) to the Bandura Cyber API to - retrieve an access token. + | API Root | String | Yes | The base URL for the Bandura Cyber API. | - 3. **Session Termination**: The action immediately calls the `logout` method (`POST - /auth/logout`) to invalidate the session and clean up resources. + | Username | String | Yes | The username for authentication. | - 4. **Connectivity Check**: It evaluates whether an access token was successfully - obtained during the initialization phase. + | Password | String | Yes | The password for authentication. | - 5. **Final Result**: If a token was retrieved, the action returns a success message - ("Connection Established"); otherwise, it returns a failure message ("Connection - Failed"). + | Verify SSL | Boolean | No | Whether to verify SSL certificates. Defaults to + False. | capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Performs authentication (login) and session termination (logout) POST requests + against the Bandura Cyber API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to authenticate and a POST request to logout. + This constitutes external state mutation (session creation/destruction). It + does not fetch data for enrichment or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -611,3 +960,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..60bed395f --- /dev/null +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Bandura Cyber integration provides capabilities to manage allow and block + lists for IP addresses and domains. This functionality directly aligns with the + Network Security category, which includes the ability to block malicious IPs and + URLs at the gateway. The integration does not perform SIEM log analysis, EDR host-level + investigation, or standard Threat Intelligence enrichment (such as reputation + lookups). It also does not interact with email, IAM, cloud, ITSM, or asset inventory + systems. Therefore, it is classified primarily under Network Security. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml index 5475e6954..9988c2f53 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml @@ -1,42 +1,49 @@ Ping: - ai_description: >- - ### General Description - - This action is designed to verify the connectivity between Google SecOps and the - beSECURE instance. It serves as a health check to ensure that the provided configuration - (URL and API Key) is valid and that the beSECURE API is reachable and responding - correctly. - - - ### Parameters Description - - There are no input parameters for this action. It relies entirely on the integration's - global configuration settings (URL, API Key, and SSL verification). - - - ### Flow Description - - 1. **Configuration Retrieval**: The action starts by fetching the integration's - configuration, including the API Key, URL, and SSL verification preference. - - 2. **Data Sanitization**: The API Key is cleaned of any non-alphanumeric characters - (excluding hyphens) to ensure a valid request format. - - 3. **Connectivity Test**: The action performs a GET request to the beSECURE `/json.cgi` - endpoint. It specifically requests a list of networks (`action=returnnetworks`) - with a search limit and a recent scan time filter to validate that the API can - process administrative queries. - - 4. **Response Validation**: The script checks the JSON response for any error - keys. If the request is successful and no errors are returned, the action completes - with a success status. If an error is detected or the request fails, the action - reports a failure. - - - ### Additional Notes - - This is a standard 'Ping' action used primarily for troubleshooting integration - setup and verifying credentials. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a connectivity check ('Ping') to the beSECURE integration. + It does not perform any of the defined product category actions such as enriching + IOCs, updating alerts, or creating tickets. Therefore, no categories are selected. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "This action verifies connectivity to the beSECURE integration by\ + \ performing a GET request to the `/json.cgi` endpoint. \n\n### Parameters\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | API Key | String | Yes | The API key used for authentication with the beSECURE\ + \ service. |\n| URL | String | Yes | The base URL of the beSECURE instance. |\n\ + | Verify SSL Ceritifcate? | Boolean | Yes | A flag indicating whether to verify\ + \ the SSL certificate during the connection. |\n\n### Flow Description\n1. Retrieve\ + \ the integration configuration, including the API Key, URL, and SSL verification\ + \ setting.\n2. Construct a GET request to the configured URL with specific parameters\ + \ (`primary=\"admin\"`, `secondary=\"networks\"`, `action=\"returnnetworks\"`,\ + \ etc.).\n3. Execute the request to check connectivity.\n4. Validate the response;\ + \ if an \"error\" key is present, the action is marked as failed.\n5. Terminate\ + \ the action with a success or failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -47,8 +54,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to check connectivity/retrieve data. It does + not mutate external systems (GET only). It does not mutate internal SOAR data + (no entity updates, insights, or comments). categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, regardless of whether they fetch + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -64,3 +79,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities` or any entity-specific + logic. It operates globally using the integration configuration. diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..51618754c --- /dev/null +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,60 @@ +Pull reports: + ai_description: >- + ### General Description + + The beSECURE Connector integrates with the Beyond Security beSECURE vulnerability + assessment platform to ingest vulnerability scan data into Google SecOps. It periodically + polls the beSECURE API for completed scans, retrieves detailed vulnerability reports, + and converts them into actionable alerts within the SOAR platform. This allows + security teams to monitor and respond to vulnerabilities identified by beSECURE + directly within their incident response workflows. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Verify SSL Ceritifcate? | Boolean | No | Whether to verify the SSL certificate + of the beSECURE server. | + + | Check Every X Minutes | String | Yes | The interval in minutes to check for + new scans. | + + | URL | String | Yes | The base URL of the beSECURE instance. | + + | API Key | Password | Yes | The API key for authenticating with the beSECURE + API. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | No | The field name used to determine the event name + (sub-type). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + + ### Flow Description + + 1. The connector initializes and connects to the beSECURE API using the provided + URL and API Key. + + 2. It queries the API for network scans that have completed within the configured + "Check Every X Minutes" window. + + 3. It maintains a local `previous_scans.json` file to track processed scan IDs + and avoid duplicate ingestion. + + 4. For each new scan, it fetches the detailed vulnerability report in JSON format. + + 5. It iterates through the vulnerable hosts, filtering for vulnerabilities with + a `RiskFactor` of 1 or higher. + + 6. Valid vulnerabilities are mapped to `AlertInfo` objects, including relevant + details like `VulnID`, `RiskFactor`, and `ScanDate`. + + 7. The connector creates events for each vulnerability and returns the aggregated + alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2ffafe830 --- /dev/null +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'be_secure' is a vulnerability assessment and management solution. + Its primary capability, demonstrated by the 'Pull reports' connector, is to ingest + vulnerability scan data, identify vulnerable hosts, and generate alerts for security + teams to address. This directly aligns with the Vulnerability Management category, + which focuses on verifying asset susceptibility to exploits and providing vulnerability + data. It does not perform functions related to SIEM, EDR, Network Security, Threat + Intelligence, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration + as defined in the provided criteria. + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml index 6a61bb207..88c933c00 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml @@ -1,25 +1,75 @@ Blocklist - Add Hashes: - ai_description: "### General Description\nThe **Blocklist - Add Hashes** action\ - \ allows users to programmatically add file hashes to the Bitdefender GravityZone\ - \ blocklist. This is a containment action used to prevent specific malicious files\ - \ from executing across the environment managed by Bitdefender. It supports both\ - \ MD5 and SHA256 hash formats.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Hash List**\ - \ | String | Yes | A comma-separated list of SHA256 or MD5 hashes to be blocked.\ - \ |\n| **Source Info** | String | Yes | A description or reason for blocking these\ - \ hashes (e.g., 'Determined to be malicious'). |\n\n### Flow Description\n1. **Configuration\ - \ Extraction**: The action retrieves the Bitdefender API Key, Access URL, and\ - \ SSL verification settings from the integration configuration.\n2. **Input Parsing**:\ - \ It extracts the `Hash List` and `Source Info` provided as action parameters.\n\ - 3. **Hash Categorization**: The logic splits the comma-separated string and uses\ - \ regular expressions to categorize each hash as either MD5 or SHA256.\n4. **API\ - \ Interaction**: \n - If SHA256 hashes are identified, it sends a request to\ - \ the Bitdefender `addToBlocklist` endpoint with the appropriate type identifier.\n\ - \ - If MD5 hashes are identified, it sends a separate request to the same endpoint\ - \ with the MD5 type identifier.\n5. **Validation**: If any hashes in the list\ - \ do not conform to MD5 or SHA256 formats, the action raises an error and stops\ - \ execution.\n6. **Result Reporting**: Upon successful API calls, the action returns\ - \ a JSON result containing the lists of hashes that were successfully submitted." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds file hashes to the Bitdefender blocklist, which directly matches + the 'Add IOC To Blocklist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Adds one or more file hashes (SHA256 or MD5) to the Bitdefender GravityZone blocklist. + This action allows security analysts to proactively block malicious files across + the environment managed by Bitdefender. + + + ### Flow Description + + 1. The action extracts the required configuration (API Key, Access URL, SSL verification) + and action parameters (Hash List, Source Info). + + 2. It initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. + + 3. The provided comma-separated hash list is parsed and categorized into SHA256 + and MD5 lists. + + 4. The action sends a POST request to the Bitdefender API to add the categorized + hashes to the blocklist, including the provided source information. + + 5. The result of the operation is returned and logged. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Hash List | string | Yes | A comma-separated list of SHA256 or MD5 hashes to + be added to the blocklist. | + + | Source Info | string | Yes | A description or reason for adding the hashes to + the blocklist. | + + + ### Additional Notes + + - The action does not support file types other than SHA256 or MD5. If unsupported + hashes are provided, the action will raise an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,12 +78,18 @@ Blocklist - Add Hashes: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds file hashes to the Bitdefender GravityZone blocklist, which modifies the - security policy and prevention state of the external Bitdefender environment. + Adds specified file hashes (SHA256/MD5) to the Bitdefender GravityZone blocklist. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to add + hashes to a blocklist. It does not fetch data, nor does it modify internal SOAR + entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding to blocklist) and does not fetch data + for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -49,58 +105,95 @@ Blocklist - Add Hashes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts a raw + string input for the hash list via action parameters. Blocklist - List Items: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves the current blocklist from the external system. It does + not match any of the specific categories provided (e.g., it is not enriching + a specific IOC, nor is it updating an alert or ticket). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves a comprehensive list of all file hashes (MD5 and SHA256) - currently stored in the Bitdefender GravityZone blocklist. It is primarily used - for auditing blocked items or verifying the current state of the environment's - hash-based prevention rules. + This action retrieves the complete list of hashes currently present in the Bitdefender + GravityZone blocklist. It connects to the Bitdefender GravityZone Control Center + to fetch the blocklist data and returns it as a JSON result for further analysis + or reporting. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action initializes the Bitdefender GravityZone manager using the provided + API credentials and connection settings. - | :--- | :--- | :--- | :--- | + 2. It executes a request to the Bitdefender API to retrieve all items currently + in the blocklist. - | Use JSON Filter | String | No | Intended for filtering results, though not currently - utilized by the underlying API call logic in this specific action. | + 3. The retrieved blocklist data is added to the action's result output as a JSON + object. - | Filter | String | No | Intended for filtering results, though not currently - utilized by the underlying API call logic in this specific action. | + 4. The action completes with a success status. - | Parent ID | String | No | Intended to scope the request to a specific parent - container, though not currently utilized by the underlying API call logic in this - specific action. | - | Endpoints | String | No | Intended to scope the request to specific endpoints, - though not currently utilized by the underlying API call logic in this specific - action. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - While the action extracts several parameters (Filter, Parent ID, etc.) from the - UI, the current implementation of the `blocklist_hashes_list` method in the Bitdefender - manager retrieves the entire blocklist without applying these specific filters - to the API request. + | Integration - API Key | String | Yes | The API key used for authentication with + Bitdefender GravityZone. | + | Integration - Access URL | String | Yes | The base URL for the Bitdefender GravityZone + API. | - ### Flow Description + | Integration - Verify SSL | Boolean | Yes | Whether to verify SSL certificates + when connecting to the API. | - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. + | Use JSON Filter | Boolean | No | Flag to determine if a JSON filter should be + applied to the request. | - 2. **Data Retrieval**: Executes the `getBlocklistItems` JSON-RPC method against - the Incidents API endpoint. + | Filter | String | No | A filter string to narrow down the results. | - 3. **Pagination**: Automatically handles paginated responses from the API to ensure - all blocked items are collected into a single list. + | Parent ID | String | No | The parent ID to scope the request. | - 4. **Output**: Consolidates the retrieved items and returns them as a JSON object - in the action's results for further processing in the playbook. + | Endpoints | String | No | Specifies the endpoints to include in the request. + | + + + ### Additional Notes + + This action is a read-only operation that fetches data from the external system. + It does not modify any entities or alert data within the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -111,8 +204,16 @@ Blocklist - List Items: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the blocklist from the Bitdefender + GravityZone API. It does not perform any write operations on external systems, + nor does it modify any internal SOAR data (entities, insights, or alert fields). categories: enrichment: false + reasoning: >- + The action retrieves data (the blocklist) but does not perform enrichment on + specific entities or alerts. It is a utility/retrieval action rather than an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -128,43 +229,72 @@ Blocklist - List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It operates + globally to retrieve the blocklist from the external system. Blocklist - Remove Item: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action explicitly removes an item from the Bitdefender GravityZone blocklist, + which directly matches the 'Remove IOC From Blocklist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Removes a specific hash item from the Bitdefender GravityZone blocklist. This + action allows security analysts to manage the blocklist by deleting entries that + are no longer required or were added in error. - Removes a specific hash entry from the Bitdefender GravityZone blocklist. This - action is used to manage the blocklist by deleting entries identified by their - unique internal ID, effectively unblocking the associated file hash in the Bitdefender - environment. + ### Parameters - ### Parameters Description - - | Parameter Name | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Hash ID | The unique internal identifier of the item in the Bitdefender blocklist - to be deleted (e.g., a UUID). | String | Yes | + | Hash ID | string | Yes | The unique identifier of the item in the Blocklist + to be deleted. | ### Flow Description - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. + 1. The action extracts the required configuration parameters (API Key, Access + URL, and SSL verification setting) from the integration settings. - 2. **Request Execution**: Sends a JSON-RPC request to the Bitdefender API using - the `removeFromBlocklist` method, passing the `Hash ID` as the target identifier. + 2. It retrieves the `Hash ID` provided as an input parameter. - 3. **Result Handling**: Evaluates the API response. If the operation is successful, - the action completes with a success status; otherwise, it reports a failure. + 3. The action initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. + 4. It invokes the `removeFromBlocklist` method, which sends a request to the Bitdefender + API to remove the specified hash item. - ### Additional Notes - - Note that the `Hash ID` refers to the internal ID assigned by Bitdefender to the - blocklist entry, not the MD5 or SHA256 hash value itself. To find this ID, one - might typically use a 'List Blocklist' action first. + 5. The action concludes by returning a success or failure status based on the + API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -173,12 +303,19 @@ Blocklist - Remove Item: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a hash entry from the Bitdefender GravityZone blocklist, which changes - the security policy state in the external Bitdefender system. + Removes a specific hash item from the Bitdefender GravityZone blocklist. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (Bitdefender GravityZone) + by removing an item from the blocklist. It does not fetch data, nor does it + modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (removing an item from a blocklist) and does + not retrieve data for enrichment purposes. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -194,63 +331,97 @@ Blocklist - Remove Item: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on a provided + 'Hash ID' input parameter. Create Scan Task: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: true + get_alert_information: false + reasoning: >- + The action triggers a scan task on a remote endpoint via the Bitdefender GravityZone + platform. This aligns with the 'Execute Command on the Host' category as it + initiates a remote operation on the endpoint. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Creates a scan task in Bitdefender GravityZone for specified target endpoints - or containers. This action allows security teams to initiate various types of - scans (Quick, Full, Memory, or Custom) on demand to identify potential threats - on managed systems. Note: While the internal metadata description mentions isolation, - the actual implementation and API calls are strictly for creating scan tasks. + This action creates a scan task on the Bitdefender GravityZone platform for specified + endpoints or containers. It allows users to trigger different types of scans (Quick, + Full, Memory, or Custom) and configure custom scan settings such as depth and + paths. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the necessary integration + configuration parameters, including the API Key, Access URL, and SSL verification + settings. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the specific scan parameters + provided by the user, including the target IDs, scan type, task name, and optional + custom scan settings (depth and paths). - | Target IDs | String | Yes | A comma-separated list of IDs for the targets (endpoints - or containers) to be scanned. | + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - | Scan Type | DDL | Yes | The type of scan to perform. Available options: Quick - (1), Full (2), Memory (3), Custom (4). | + 4. **Task Execution**: The action calls the `task_create_scan` method, which sends + a POST request to the Bitdefender GravityZone API to initiate the scan task. - | Task Name | String | No | A custom name for the scan task. If not provided, - the name is automatically generated by Bitdefender. | + 5. **Result Handling**: The action logs the outcome of the request and terminates + with a success or failure status. - | Custom Scan - Depth | DDL | No | The scanning intensity for 'Custom' scans. - Options: Aggressive (1), Normal (2), Permissive (3). Defaults to Normal. | - | Custom Scan - Paths | String | No | A comma-separated list of target paths to - be scanned. This is only used when the Scan Type is set to 'Custom'. Defaults - to LocalDrives. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - * The 'Custom Scan' parameters (Depth and Paths) are only processed by the Bitdefender - API when the 'Scan Type' is explicitly set to 'Custom'. + | Target IDs | string | Yes | A comma-separated list of the IDs of the targets + (endpoints or containers) to scan. | - * This action does not automatically process SOAR entities; it requires the manual - input of Target IDs. + | Scan Type | ddl | Yes | The type of scan to perform. Options: Quick, Full, Memory, + Custom. | + | Task Name | string | No | The name of the task. If not provided, it will be + automatically generated. | - ### Flow Description + | Custom Scan - Depth | ddl | No | The scan profile (Aggressive, Normal, Permissive). + Only used when Scan Type is 'Custom'. | - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the API Key and Access URL provided in the integration configuration. + | Custom Scan - Paths | string | No | A comma-separated list of target paths to + be scanned. Only used when Scan Type is 'Custom'. | - 2. **Parameter Mapping**: Converts the user-selected scan type and depth strings - into the specific integer values required by the Bitdefender JSON-RPC API. - 3. **Task Creation**: Sends a `createScanTask` POST request to the Bitdefender - network endpoint with the target IDs and scan configuration. + ### Additional Notes - 4. **Status Reporting**: Evaluates the API response and terminates the action - with a success or failure message based on whether the task was successfully created - in Bitdefender. + - The parameters 'Custom Scan - Depth' and 'Custom Scan - Paths' are only utilized + when the 'Scan Type' is set to 'Custom'. capabilities: can_create_case_comments: false can_create_insight: false @@ -259,12 +430,20 @@ Create Scan Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task (job) in the Bitdefender GravityZone Control Center - for the specified target IDs. + Creates a new scan task on the Bitdefender GravityZone platform for the specified + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a scan task on the external platform. It does not fetch data for enrichment, + nor does it modify any internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a task) and does not fetch data for + enrichment purposes. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -280,65 +459,90 @@ Create Scan Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Target IDs' as a direct input parameter string and does not + iterate over or filter 'siemplify.target_entities'. Create Scan Task by MAC Address: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: true + get_alert_information: false + reasoning: >- + The action triggers a scan task on remote endpoints via the Bitdefender GravityZone + API. This aligns with the 'Execute Command on the Host' category as it initiates + a remote operation on the endpoint. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Generates a scan task for managed endpoints in Bitdefender GravityZone using their + MAC addresses. This action allows security analysts to trigger remote scans (Quick, + Full, Memory, or Custom) on specific endpoints to identify potential threats or + vulnerabilities. - This action generates a scan task for managed endpoints within Bitdefender GravityZone, - identified by their MAC addresses. It allows security analysts to trigger various - types of scans (Quick, Full, Memory, or Custom) directly from Google SecOps to - remediate or investigate potential threats on specific network interfaces. + ### Flow Description - ### Parameters Description + 1. The action extracts configuration parameters (API Key, Access URL, Verify SSL) + and action-specific inputs (MAC Addresses, Scan Type, Task Name, Custom Scan settings). - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. It initializes the Bitdefender GravityZone manager to establish a connection + with the Control Center. - | MAC Addresses | String | Yes | A comma-separated list of MAC addresses for the - endpoints to be scanned. A maximum of 100 MAC addresses can be processed in a - single request. | + 3. It invokes the `task_create_scan_macaddr` method, which sends a POST request + to the Bitdefender API to initiate the scan task for the provided MAC addresses. - | Scan Type | DDL | Yes | The category of scan to perform. Options include: Quick, - Full, Memory, or Custom. | + 4. The action logs the outcome and returns a success or failure status to the + SOAR platform. - | Task Name | String | No | A custom name for the scan task. If omitted, Bitdefender - will automatically generate a name. | - | Custom Scan - Depth | DDL | No | Specifies the scanning intensity (Aggressive, - Normal, Permissive). This is only applicable when 'Scan Type' is set to 'Custom'. - | - - | Custom Scan - Paths | String | No | A comma-separated list of specific file - system paths to scan. This is only applicable when 'Scan Type' is set to 'Custom'. - | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - This action does not utilize Google SecOps entities (e.g., MAC entities in the - case). Instead, it relies entirely on the MAC addresses provided in the input - parameter. + | MAC Addresses | String | Yes | A comma-separated list of MAC addresses of the + endpoints to be scanned (max 100). | - - There is a known discrepancy between the parameter name in the configuration - (`MAC Addresses`) and the identifier used in the script logic (`Target IDs`), - which may require alignment for successful execution. + | Scan Type | DDL | Yes | The type of scan to perform: Quick, Full, Memory, or + Custom. | + | Task Name | String | No | The name of the task. If not provided, it is automatically + generated. | - ### Flow Description + | Custom Scan - Depth | DDL | No | The scan profile (Aggressive, Normal, Permissive). + Only used when Scan Type is 'Custom'. | - 1. **Configuration Extraction:** The action retrieves integration credentials - (API Key, Access URL) and user-provided scan parameters. + | Custom Scan - Paths | String | No | A comma-separated list of target paths to + be scanned. Only used when Scan Type is 'Custom'. | - 2. **Manager Initialization:** It establishes a connection to the Bitdefender - GravityZone Control Center using the provided API Key. - 3. **Task Creation:** The action calls the `createScanTaskByMac` API method, passing - the list of MAC addresses and the specified scan configuration (type, depth, paths). + ### Additional Notes - 4. **Status Reporting:** The action evaluates the API response and returns a success - or failure status to the Google SecOps platform. + - The 'Custom Scan - Depth' and 'Custom Scan - Paths' parameters are only relevant + when the 'Scan Type' is set to 'Custom'. capabilities: can_create_case_comments: false can_create_insight: false @@ -347,12 +551,20 @@ Create Scan Task by MAC Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task in the Bitdefender GravityZone Control Center for the - specified endpoints. + Creates a new scan task on the Bitdefender GravityZone platform for the specified + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a scan task on remote endpoints. It does not fetch data for enrichment, nor + does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a state-changing operation (creating a scan task) on an + external system and does not retrieve data for enrichment purposes, therefore + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -368,43 +580,78 @@ Create Scan Task by MAC Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `siemplify.target_entities` + object. Instead, it accepts MAC addresses as a direct input parameter from the + user. Get Custom Groups List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of custom groups from Bitdefender GravityZone. It + does not match any of the defined categories such as enriching IOCs/Assets, + updating alerts, or performing containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Custom Groups List** action retrieves a list of child groups nested - under a specific parent group within the Bitdefender GravityZone environment. - This action is primarily used for organizational discovery, allowing users to - identify group hierarchies and retrieve specific Group IDs required for other - management tasks. + Retrieves a list of custom groups from the Bitdefender GravityZone platform. This + action connects to the GravityZone Control Center and fetches the hierarchy of + groups based on an optional parent group identifier. The retrieved data is returned + as a JSON result for further use in the playbook. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | + + | Parent ID | string | No | Parent group ID for which the child groups will be + listed. 'Computers and Groups' and 'Deleted' groups are returned if the passed + parameter is null. | - | **Parent ID** | String | No | The unique identifier of the parent group for - which child groups should be listed. If this parameter is left empty (null), the - action defaults to returning the top-level 'Computers and Groups' and 'Deleted' - groups. | + + ### Additional Notes + + If the `Parent ID` parameter is not provided, the action returns the root groups + ('Computers and Groups' and 'Deleted'). ### Flow Description - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the API Key, Access URL, and SSL verification settings defined in - the integration configuration. + 1. Initialize the Bitdefender GravityZone manager with API credentials. - 2. **API Request**: It executes the `getCustomGroupsList` method via the Bitdefender - API, passing the optional `Parent ID` to filter the results. + 2. Extract the `Parent ID` parameter. - 3. **Data Validation**: The response is validated to ensure a successful connection - and valid data retrieval from the external system. + 3. Execute the `getCustomGroupsList` API call using the provided `Parent ID`. - 4. **Output Generation**: The retrieved list of groups and their metadata is processed - and returned as a JSON result for use in subsequent playbook logic. + 4. Return the list of groups in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -415,8 +662,17 @@ Get Custom Groups List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to retrieve a list of groups (read-only operation). + It does not fetch context data for entities, nor does it update internal entities + or create insights. categories: enrichment: false + reasoning: >- + The action retrieves a list of groups from an external system. It does not perform + enrichment on any SOAR entities (e.g., updating entity fields or creating insights), + nor does it take entities as input. Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -432,79 +688,109 @@ Get Custom Groups List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity, using only the provided `Parent ID` parameter to query + the Bitdefender API. Get Endpoints List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of endpoints (assets) from the Bitdefender GravityZone + platform based on user-defined filters. This aligns with the 'Search Asset' + category, as it searches for assets associated with the product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves a comprehensive list of endpoints from the Bitdefender GravityZone Control - Center. This action allows users to search and filter endpoints based on management - status, security roles, network location, and specific identifiers like MAC addresses - or SSIDs. It is primarily used for asset discovery and inventory verification - within the security environment. - + Retrieves a list of endpoints from the Bitdefender GravityZone platform based + on specified filtering criteria. This action allows users to query the network + inventory to identify managed, unmanaged, or all endpoints, with optional filtering + by various attributes such as security agent status, server roles, and specific + identifiers. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts integration configuration parameters (API Key, Access URL, + SSL verification) and action-specific filters. - | **Endpoints** | DDL | Yes | Determines whether to return 'Managed', 'Unmanaged', - or 'All' endpoints. | + 2. It initializes a connection to the Bitdefender GravityZone Control Center using + the provided credentials. - | **Parent ID** | String | No | The ID of the target company or group. If omitted, - returns endpoints under Computers and Groups. | + 3. It constructs a request with the specified filters (e.g., Parent ID, Endpoint + type, SSID, MAC addresses, Name, and various role-based flags). - | **Filter - Managed with BEST** | Boolean | No | If true, filters for endpoints - with the Bitdefender Endpoint Security Tools (BEST) agent installed. | + 4. The action executes the `getEndpointsList` API call to retrieve the filtered + list of endpoints. - | **Filter - Managed Exchange Servers** | Boolean | No | If true, filters for - protected Exchange servers. | + 5. The retrieved endpoint data is returned as a JSON result in the action output. - | **Filter - Managed Relays** | Boolean | No | If true, filters for endpoints - acting as Relays. | - | **Filter - Security Servers** | Boolean | No | If true, filters for Security - Servers. | + ### Parameters - | **Filter - Depth - All Items Recursively** | Boolean | No | If true, searches - all endpoints recursively within the network inventory. | + | Parameter | Type | Mandatory | Description | - | **Filter - SSID** | String | No | Filters endpoints by their Active Directory - SID. | + | :--- | :--- | :--- | :--- | - | **Filter - MAC Addresses** | String | No | A comma-separated list of MAC addresses - to filter the results. | + | Endpoints | ddl | Yes | Select whether to return only managed endpoints, unmanaged + endpoints, or all endpoints. | - | **Filter - Name** | String | No | Filters items by name. Requires a minimum - of three characters. | + | Parent ID | string | No | The ID of the target company or group. If not specified, + returns endpoints under Computers and Groups. | + | Filter - SSID | string | No | The SSID (Active Directory SID) used to filter + endpoints. | - ### Additional Notes + | Filter - MAC Addresses | string | No | Comma-separated list of MAC addresses + used to filter endpoints. | - - The **Filter - Name** parameter has a strict requirement: if provided, the string - must be at least 3 characters long, otherwise the action will fail with an error. + | Filter - Name | string | No | A string for filtering items by name (minimum + 3 characters). | - - This action does not operate on specific entities within a case; it performs - a global or scoped query against the Bitdefender environment. + | Filter - Depth - All Items Recursively | boolean | No | If true, filters all + endpoints recursively within the Network Inventory. | + | Filter - Security Servers | boolean | No | If true, filters all Security Servers. + | - ### Flow Description + | Filter - Managed Relays | boolean | No | If true, filters all endpoints with + the Relay role. | - 1. **Configuration Extraction**: Retrieves API credentials (API Key, Access URL) - and SSL verification settings. + | Filter - Managed Exchange Servers | boolean | No | If true, filters all protected + Exchange servers. | - 2. **Parameter Parsing**: Collects all filtering criteria from the action input, - including the mandatory 'Endpoints' selection. + | Filter - Managed with BEST | boolean | No | If true, filters all endpoints with + the security agent installed. | - 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone - API using the provided credentials. - 4. **Data Retrieval**: Executes a paginated JSON-RPC request (`getEndpointsList`) - to the Bitdefender Network API endpoint. + ### Additional Notes - 5. **Result Processing**: Aggregates all items from paginated responses and returns - the final list as a JSON object for use in subsequent playbook steps. + This action does not operate on specific entities from the SOAR case; it performs + a global search/list operation against the Bitdefender GravityZone API. capabilities: can_create_case_comments: false can_create_insight: false @@ -515,8 +801,17 @@ Get Endpoints List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via RPC POST) to retrieve a list of + endpoints from the Bitdefender GravityZone API. It does not modify any external + system state, nor does it modify any internal SOAR case data, entities, or alerts. + It simply returns the requested data to the user. categories: enrichment: false + reasoning: >- + The action retrieves data (a list of endpoints) but does not perform enrichment + on specific entities (it does not take entities as input or update them). Therefore, + it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -532,49 +827,76 @@ Get Endpoints List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It performs + a standalone search operation based on parameters provided in the action configuration. Get Hourly Usage for EC2 Instances: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves hourly usage statistics for EC2 instances. It does not + match any of the provided categories (Enrich IOC, Enrich Asset, Update Alert, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves hourly usage statistics for Amazon EC2 instance categories (such as - micro, medium, etc.) from Bitdefender GravityZone for a specified month. This - action is primarily used for monitoring and reporting on cloud infrastructure - usage managed within the GravityZone environment. + This action retrieves the hourly usage statistics for Amazon EC2 instances from + the Bitdefender GravityZone platform for a specified month. It provides visibility + into resource consumption by category (e.g., micro, medium). ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Target Month | String | Yes | The month for which the usage data is retrieved. - The value must be provided in the format `mm/yyyy` (e.g., 01/2020). If not specified, - the integration logic typically defaults to the current month. | + | Target Month | string | Yes | The month for which the usage is returned, formatted + as "mm/yyyy". | - ### Additional Notes - - This action does not operate on specific entities (like IP addresses or Hostnames) - within a case. Instead, it performs a global query against the Bitdefender GravityZone - API to fetch account-level or integration-level usage data. + ### Flow Description + 1. Extracts configuration parameters (API Key, Access URL, Verify SSL) and the + `Target Month` parameter. - ### Flow Description + 2. Initializes the Bitdefender GravityZone manager. - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + 3. Sends a POST request to the Bitdefender GravityZone API to fetch hourly EC2 + usage data for the specified month. - 2. **Parameter Parsing**: Extracts the `Target Month` provided by the user. + 4. Adds the retrieved usage data to the action result JSON. - 3. **API Connection**: Initializes the Bitdefender GravityZone Manager and establishes - a connection to the Control Center. - 4. **Data Retrieval**: Calls the `getHourlyUsageForAmazonEC2Instances` API method - to fetch the usage data for the specified month. + ### Additional Notes - 5. **Result Processing**: Returns the retrieved usage data as a JSON object and - completes the action execution. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -585,8 +907,15 @@ Get Hourly Usage for EC2 Instances: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves usage data from the Bitdefender GravityZone API. It does + not modify any external or internal systems. It simply returns the data in the + action result. categories: enrichment: false + reasoning: >- + The action fetches data, but it does not operate on entities or alerts. It is + a general reporting action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -602,22 +931,80 @@ Get Hourly Usage for EC2 Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It operates independently of entities. Get Managed Endpoint Details: - ai_description: "Retrieves detailed information about a specific managed endpoint\ - \ from Bitdefender GravityZone. This action provides comprehensive data including\ - \ endpoint identification, security agent details, and the operational status\ - \ of various protection modules. \n\n### Parameters\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Endpoint ID | string | Yes\ - \ | The unique identifier of the endpoint for which details are being requested.\ - \ |\n\n### Flow Description\n1. **Configuration Extraction:** Retrieves the API\ - \ Key, Access URL, and SSL verification settings from the integration configuration.\n\ - 2. **Parameter Extraction:** Retrieves the mandatory `Endpoint ID` from the action\ - \ parameters.\n3. **API Connection:** Establishes a connection to the Bitdefender\ - \ GravityZone Control Center using the provided credentials.\n4. **Data Retrieval:**\ - \ Executes the `getManagedEndpointDetails` method via the Bitdefender API to fetch\ - \ the endpoint's metadata and module status.\n5. **Result Processing:** Returns\ - \ the retrieved endpoint data as a JSON object for use in subsequent playbook\ - \ steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (security agent status, endpoint identification) + for a specific resource (endpoint). This directly matches the 'Enrich Asset' + category. It does not perform any other operations like ticket creation, alert + modification, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves detailed information about a managed endpoint from the Bitdefender GravityZone + platform. This action provides visibility into endpoint identification, security + agent details, and the status of installed protection modules. + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the necessary integration + settings, including the API Key, Access URL, and SSL verification preference. + + 2. **Parameter Extraction**: The action extracts the `Endpoint ID` provided by + the user. + + 3. **API Interaction**: The action initializes the `BitdefenderGravityZoneManager` + and executes a request to the Bitdefender GravityZone API to fetch the specific + details for the provided endpoint ID. + + 4. **Result Processing**: The retrieved endpoint data is added to the action's + result output for further analysis or display in the SOAR platform. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Endpoint ID | string | Yes | The unique identifier of the endpoint for which + the details will be retrieved. | + + + ### Additional Notes + + This action performs a read-only operation to fetch data from the Bitdefender + GravityZone API. It does not modify the state of the endpoint or the Bitdefender + environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -628,8 +1015,17 @@ Get Managed Endpoint Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via JSON-RPC POST) to retrieve endpoint + details from the Bitdefender GravityZone API. It does not modify any external + system state, nor does it update internal SOAR entities, insights, or case data. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual information about an endpoint from + an external source (Bitdefender GravityZone). It does not mutate external or + internal data, and it is not a Ping or download action. Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -645,90 +1041,124 @@ Get Managed Endpoint Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies on a specific `Endpoint ID` provided as an input parameter to perform + its lookup. Get Network Inventory Items: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for and retrieves a list of network inventory items (assets/endpoints) + from the Bitdefender GravityZone platform based on user-defined filters. This + aligns with the 'Search Asset' category. It does not perform enrichment on a + specific entity, nor does it update alerts or tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves a list of network inventory items from Bitdefender GravityZone. This - action allows users to search for and list various network objects such as endpoints, - virtual machines, security servers, and custom groups managed within the GravityZone - environment. It provides extensive filtering capabilities to narrow down results - based on management status, roles (e.g., Relay, Exchange), or specific identifiers - like MAC addresses and SSIDs. + This action retrieves a list of network inventory items from the Bitdefender GravityZone + platform. It allows users to filter the inventory based on various criteria such + as name, MAC address, SSID, and specific endpoint types (e.g., EC2 instances, + virtual machines, computers, or managed servers). The retrieved data is returned + as a JSON result, providing visibility into the network inventory managed by Bitdefender. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the necessary integration + configuration, including the API Key, Access URL, and SSL verification settings. - | :--- | :--- | :--- | :--- | - - | Filter - Name | String | No | Filters items by name. Supports partial matching. - Requires a minimum of 3 characters. | + 2. **Parameter Extraction**: It extracts the provided filters (e.g., Name, MAC + Addresses, SSID, and various boolean flags for endpoint types) from the action + parameters. - | Filter - MAC Addresses | String | No | A comma-separated list of MAC addresses - to filter endpoints. | + 3. **Connection**: It establishes a connection to the Bitdefender GravityZone + Control Center using the provided credentials. - | Filter - SSID | String | No | The Active Directory SID of the endpoint used - for filtering. | + 4. **Data Retrieval**: It calls the `network_inventory_list` method, which sends + a request to the Bitdefender API with the specified filters to fetch the inventory + items. - | Filter - Depth - All Items Recursively | Boolean | No | If set to true, the - action searches all endpoints recursively within the network hierarchy. | + 5. **Result Output**: The retrieved inventory data is added to the action's result + JSON, and the action completes successfully. - | Filter - Security Servers | Boolean | No | Filters the results to include only - Security Servers. | - | Filter - Managed Relays | Boolean | No | Filters the results to include only - endpoints with the Relay role. | + ### Parameters Description - | Filter - Managed Exchange Servers | Boolean | No | Filters the results to include - only protected Exchange servers. | + | Parameter | Type | Mandatory | Description | - | Filter - Managed with BEST | Boolean | No | Filters for endpoints that have - the Bitdefender Endpoint Security Tools (BEST) agent installed. | + | :--- | :--- | :--- | :--- | - | Filter - Virtual Machines | Boolean | No | Filters the results to include only - virtual machines. | + | Filter - Name | string | No | A string for filtering items by name. Minimum + length is 3 characters. Supports '*' for suffix matching. | - | Filter - Computers | Boolean | No | Filters the results to include only physical - computers. | + | Filter - MAC Addresses | string | No | Comma-separated list of MAC addresses + to filter endpoints. | - | Filter - EC2 Instances | Boolean | No | Filters the results to include only - Amazon EC2 instances. | + | Filter - SSID | string | No | The SSID (Active Directory SID) used to filter + endpoints. | - | Filter - Groups | Boolean | No | Filters the results to include only custom - groups of endpoints. | + | Filter - Depth - All Items Recursively | boolean | No | If true, filters all + endpoints recursively within the Network Inventory. | - | Parent ID | String | No | The ID of the container or group for which the network - items will be returned. | + | Filter - Security Servers | boolean | No | If true, filters all Security Servers. + | + | Filter - Managed Relays | boolean | No | If true, filters all endpoints with + the Relay role. | - ### Additional Notes + | Filter - Managed Exchange Servers | boolean | No | If true, filters all protected + Exchange servers. | - - The `Filter - Name` parameter must be at least 3 characters long if provided; - otherwise, the action will raise an error. + | Filter - Managed with BEST | boolean | No | If true, filters all endpoints with + the security agent installed. | - - Some filters may be ignored by the Bitdefender API if the corresponding license - is not active in the GravityZone environment. + | Filter - Virtual Machines | boolean | No | If true, filters all virtual machines. + | + | Filter - Computers | boolean | No | If true, filters all computers. | - ### Flow Description + | Filter - EC2 Instances | boolean | No | If true, filters all Amazon EC2 Instances. + | - 1. **Connection**: The action initializes a connection to the Bitdefender GravityZone - Control Center using the configured API Key and Access URL. + | Filter - Groups | boolean | No | If true, filters all custom groups of endpoints. + | - 2. **Parameter Processing**: It extracts all optional filter parameters and the - Parent ID from the action input. + | Parent ID | string | No | The ID of the container for which the network items + will be returned. | - 3. **API Query**: It executes a paginated request to the `getNetworkInventoryItems` - endpoint. The manager handles the JSON-RPC communication and iterates through - all result pages to compile a complete list. - 4. **Result Handling**: The retrieved inventory data is attached to the action - as a JSON result. + ### Additional Notes - 5. **Completion**: The action concludes by reporting a success status and providing - the collected inventory items. + This action does not require any specific entity to be selected in the SOAR platform + to run, as it performs a global search/list operation within the Bitdefender GravityZone + environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -739,8 +1169,19 @@ Get Network Inventory Items: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request (via `control_center_paged`) to the Bitdefender + GravityZone API to retrieve network inventory data. It does not modify any external + systems (no POST/PUT/DELETE that changes state), nor does it modify internal + SOAR data (entities, insights, or case comments). It simply returns the fetched + data as a JSON result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Bitdefender GravityZone). However, + it does not operate on specific entities (it is a standalone search/list action) + and does not enrich existing entities in the SOAR case. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -756,54 +1197,74 @@ Get Network Inventory Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or reference any + entity objects. It performs a general search based on provided parameters. Therefore, + it does not run on any specific entity types. Get Scan Tasks List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of scan tasks from the product. It does not match + any of the specific categories like 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. It is a general utility action for retrieving information. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves a list of scan tasks from the Bitdefender GravityZone platform based + on specified filters. This action allows analysts to query the status of scan + tasks, which can be useful for monitoring the progress of security operations. - Retrieves a list of scan tasks from the Bitdefender GravityZone Control Center. - This action allows security analysts to monitor the status and progress of scanning - operations across the environment by filtering results based on task status and - name. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Task Status | DDL | Yes | Filters tasks by their current state. Options include - 'All', 'Pending', 'In-progress', and 'Finished'. | + | Task Status | ddl | Yes | The status of the task to filter by. Options: All, + Pending, In-progress, Finished. | - | Task Name | String | No | Filters tasks by name. If an asterisk (*) is used - at the beginning, it searches for the keyword anywhere in the name; otherwise, - it returns results where the name starts with the keyword. | + | Task Name | string | No | A keyword to search for in the task name. Use an asterisk + (*) in front to search for the keyword anywhere in the name; otherwise, it searches + for tasks starting with the keyword. | ### Flow Description - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - API using the configured API Key and Access URL. - - 2. **Parameter Extraction**: Retrieves the filtering criteria (Task Status and - Task Name) provided by the user. - - 3. **API Request**: Executes the `getScanTasksList` method via the Bitdefender - manager. The manager handles the JSON-RPC request and maps the status strings - to their corresponding numerical identifiers (e.g., 'Pending' to 1). - - 4. **Pagination Handling**: Automatically iterates through paginated results from - the API to compile a complete list of matching scan tasks. + 1. Initialize the Bitdefender GravityZone manager using the provided API key and + SSL verification settings. - 5. **Output**: Returns the compiled list of tasks as a JSON result and sets the - action execution state to completed. + 2. Extract the action parameters: `Task Status` and `Task Name`. + 3. Execute the `task_scan_list` method to query the Bitdefender GravityZone API + for scan tasks matching the provided criteria. - ### Additional Notes - - This action is a read-only utility and does not interact with specific entities - in the Google SecOps environment. It is used for broad visibility into the scanning - infrastructure. + 4. Return the retrieved list of scan tasks as a JSON result to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -814,8 +1275,16 @@ Get Scan Tasks List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET/List operation to retrieve scan task data from the + Bitdefender GravityZone API. It does not modify any external systems, nor does + it interact with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action retrieves a list of scan tasks. It does not enrich entities or alerts, + nor does it perform any mutations. Therefore, it does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -831,40 +1300,82 @@ Get Scan Tasks List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any SOAR entities. It operates + independently of the entity model. Isolate Endpoint: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action isolates an endpoint in Bitdefender GravityZone, which directly aligns + with the 'Contain Host' category as it restricts network access to the endpoint. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a task in Bitdefender GravityZone to isolate a specified endpoint. - It is primarily used as a containment measure during incident response to restrict - the network connectivity of a potentially compromised machine, preventing lateral - movement or data exfiltration. + This action isolates a specific endpoint within the Bitdefender GravityZone environment. + By triggering an isolation task, the action restricts the endpoint's network connectivity, + effectively containing potential threats or compromised assets. - ### Parameters Description + ### Flow Description - | Parameter Name | Description | Type | Mandatory | Notes | + 1. **Configuration Extraction**: The action retrieves the necessary integration + settings, including the API Key, Access URL, and SSL verification preference. - | :--- | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Endpoint ID` provided as an input + parameter. - | Endpoint ID | The unique identifier of the endpoint in Bitdefender GravityZone - that needs to be isolated. | String | True | This ID is used to target the specific - machine for the isolation task. | + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. + 4. **Task Execution**: The action calls the `isolate_endpoint` method, which sends + a POST request to the Bitdefender GravityZone API to create an isolation task + for the specified endpoint. - ### Flow Description + 5. **Result Reporting**: The action logs the outcome and terminates with a success + or failure status based on the API response. - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the provided API Key and Access URL. - 2. **Task Creation**: It sends a request to the Bitdefender API (`createIsolateEndpointTask`) - using the specified `Endpoint ID`. + ### Parameters Description - 3. **Execution Status**: The action monitors the API response to determine if - the isolation task was successfully created. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Endpoint ID | string | Yes | The unique identifier of the endpoint to be isolated + in Bitdefender GravityZone. | + + + ### Additional Notes - 4. **Completion**: It returns a success or failure status to the Google SecOps - platform based on the API's response. + This action does not utilize the SOAR entity model directly; it relies on the + `Endpoint ID` provided via the action parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -873,12 +1384,19 @@ Isolate Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates an isolation task in Bitdefender GravityZone which changes the network - state of the target endpoint to restricted/isolated. + The action triggers an isolation task on the target endpoint within the Bitdefender + GravityZone platform, which changes the endpoint's network state. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (isolating an endpoint) on an + external system (Bitdefender GravityZone) via an API POST request. It does not + fetch data for enrichment, nor does it modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a containment/mutation action, not an enrichment action. It does + not fetch data to enrich entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -894,27 +1412,83 @@ Isolate Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses an `Endpoint + ID` provided as a direct input parameter to identify the target, therefore it + does not run on any specific entity types. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + functional outcomes like enriching data, blocking IOCs, or managing tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description The Ping action is used to verify the connectivity between - Google SecOps and the Bitdefender GravityZone Control Center. It ensures that - the provided API Key and Access URL are valid and that the network connection - is functional. ### Parameters Description | Parameter Name | Type | Mandatory - | Description | | :--- | :--- | :--- | :--- | | API Key | String | Yes | The API - key used for authenticating with the Bitdefender GravityZone API. This is an integration-level - configuration. | | Access URL | String | Yes | The base URL of the Bitdefender - GravityZone instance (e.g., https://cloud.gravityzone.bitdefender.com). This is - an integration-level configuration. | | Verify SSL | Boolean | Yes | Determines - whether to verify the SSL certificate of the Bitdefender GravityZone server. This - is an integration-level configuration. | ### Additional Notes This action does - not take any action-specific parameters. It relies entirely on the integration's - configuration. ### Flow Description 1. Initialization: The action extracts the - API Key, Access URL, and SSL verification setting from the integration configuration. - 2. API Request: It initializes the Bitdefender GravityZone Manager and calls the - getApiKeyDetails method. 3. Validation: The manager sends a POST request to the - GravityZone JSON-RPC endpoint. 4. Result: If the API returns valid key details, - the action completes successfully with a true result. If an error occurs or no - details are returned, it fails with a false result. + ### General Description + + This action verifies connectivity to the Bitdefender GravityZone Control Center + by validating the provided API credentials. It serves as a health check to ensure + the integration is correctly configured and the API key is authorized. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key used for authentication with the Bitdefender + GravityZone Control Center. | + + | Access URL | String | Yes | The URL of the Bitdefender GravityZone Control Center. + | + + | Verify SSL | Boolean | Yes | Determines whether to verify SSL certificates during + the connection. | + + + ### Additional Notes + + This action does not perform any data retrieval or modification beyond validating + the connection. It is intended for connectivity testing purposes only. + + + ### Flow Description + + 1. The action extracts the `API Key`, `Access URL`, and `Verify SSL` configuration + parameters. + + 2. It initializes the `BitdefenderGravityZoneManager` with the provided credentials. + + 3. It executes the `getApiKeyDetails` API method to test the connection. + + 4. If the API call is successful, it returns a success status. If the API key + is invalid or the connection fails, it raises an error and returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -925,8 +1499,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by calling the `getApiKeyDetails` method + on the Bitdefender GravityZone API. It does not modify any external or internal + data, nor does it interact with entities. It fetches API key details to validate + the connection. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -942,15 +1524,47 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Policies - Get Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves policy details from Bitdefender GravityZone. It does not + match any of the defined categories such as Enrich IOC, Enrich Asset, or Update + Alert, as it is a specific administrative query for policy configuration. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves comprehensive information about a specific security policy from Bitdefender - GravityZone. This action allows security analysts to inspect the detailed settings - of a policy, including its rules, modules, and configurations, by providing the - unique Policy ID. It is primarily used for auditing policy configurations or verifying - the security posture applied to specific groups or endpoints. + This action retrieves detailed information about a specific security policy from + the Bitdefender GravityZone platform. It allows analysts to query the configuration + and settings of a policy by its unique identifier. ### Parameters Description @@ -959,32 +1573,26 @@ Policies - Get Details: | :--- | :--- | :--- | :--- | - | Policy ID | String | Yes | The unique identifier of the security policy to be - queried. This ID is typically obtained from the 'Policies - List' action or the - Bitdefender console. | - - - ### Additional Notes + | Policy ID | string | Yes | The unique identifier of the policy to be queried. + | - - This action does not operate on entities (IPs, Hosts, etc.) but rather on a - specific Policy ID provided as an input parameter. - - The output is a JSON object containing the full policy specification. + ### Flow Description + 1. The action extracts the integration configuration (API Key, Access URL, and + SSL verification settings). - ### Flow Description + 2. It extracts the mandatory `Policy ID` parameter provided by the user. - 1. **Initialization**: Extracts integration settings (API Key, Access URL, SSL - verification) and the target `Policy ID` from the action parameters. + 3. The action initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. - 2. **Connection**: Establishes a connection to the Bitdefender GravityZone Control - Center via the `BitdefenderGravityZoneManager`. + 4. It calls the `getPolicyDetails` method via the Bitdefender API using the provided + `Policy ID`. - 3. **Data Retrieval**: Executes the `getPolicyDetails` API call to fetch the policy's - metadata and configuration details. + 5. The retrieved policy details are added to the action's result JSON. - 4. **Result Processing**: Formats the API response and attaches it to the action's - JSON results, marking the execution as completed. + 6. The action terminates and returns the success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -995,8 +1603,17 @@ Policies - Get Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to fetch policy details from the Bitdefender + GravityZone API. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply outputs the retrieved + data to the action result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system, but it does not perform enrichment + on entities or alerts. It is a standalone utility action to retrieve policy + information. Therefore, it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1012,44 +1629,77 @@ Policies - Get Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates solely based on the provided `Policy ID` parameter. Policies - List All: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of policies from Bitdefender GravityZone. It does + not match any of the specific categories like 'Enrich IOC', 'Enrich Asset', + or 'Get Alert Information' as it is a configuration/utility retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves the list of available policies from the Bitdefender GravityZone Control + Center. This action connects to the Bitdefender API, fetches the complete list + of configured policies, and returns the data as a JSON result for use in the SOAR + platform. - This action retrieves a comprehensive list of all available security policies - configured within the Bitdefender GravityZone Control Center. It is primarily - used for administrative auditing, policy management, or as a helper step in playbooks - to identify which policies can be applied to endpoints. + ### Parameters - ### Parameters Description - - There are no input parameters for this action. It relies solely on the integration's - global configuration (API Key and Access URL). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | Integration.API Key | String | Yes | The API key used to authenticate with the + Bitdefender GravityZone API. | - * This action does not target specific entities; it performs a global fetch of - policy data from the Bitdefender environment. + | Integration.Access URL | String | Yes | The base URL for the Bitdefender GravityZone + API. | - * The action automatically handles API pagination to ensure all policies are retrieved - if the list exceeds a single page. + | Integration.Verify SSL | Boolean | Yes | Whether to verify the SSL certificate + when connecting to the API. | ### Flow Description - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone API using the provided API Key and Access URL. + 1. The action initializes the `BitdefenderGravityZoneManager` using the provided + API key and SSL verification setting. - 2. **Data Retrieval**: It calls the `getPoliciesList` method via the JSON-RPC - interface. + 2. It calls the `policy_list` method, which sends a `getPoliciesList` JSON-RPC + request to the Bitdefender API. - 3. **Pagination Handling**: The manager logic checks for multiple pages of results - and iteratively fetches all policy items. + 3. The API returns the list of policies, which is then added to the action result + using `siemplify.result.add_result_json`. - 4. **Result Processing**: The complete list of policies is formatted and attached - to the action's JSON result for use in subsequent playbook steps. + 4. The action completes with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1060,8 +1710,17 @@ Policies - List All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a retrieval operation (JSON-RPC POST request) to fetch a + list of policies from the Bitdefender GravityZone API. It does not modify any + external system state, nor does it update internal SOAR entities, insights, + or case data. categories: enrichment: false + reasoning: >- + The action retrieves a list of policies. It does not perform enrichment on specific + entities or alerts, nor does it meet the criteria for an enrichment action as + it does not add context to entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1077,50 +1736,89 @@ Policies - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global utility action + that retrieves configuration data from the external system. Quarantine - Add File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a remediation task (quarantining a file) on an external + system. It does not match the specific definitions for enrichment, ticket creation, + or host isolation/blocking provided in the categories list. While it is a containment-like + action, it does not isolate the host from the network as defined by the 'Contain + Host' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a new task in Bitdefender GravityZone to add a specific file - to quarantine on designated endpoints. It is primarily used for containment by - isolating potentially malicious files based on their absolute file path on the - target system. + This action adds a specific file to quarantine on target endpoints using the Bitdefender + GravityZone platform. It is a remediation action designed to contain potentially + malicious files by triggering a quarantine task on the specified endpoints. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Bitdefender GravityZone + API key, access URL, and SSL verification settings from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `Endpoint IDs` (a comma-separated + list of target endpoints) and the `File Path` (the absolute path of the file to + be quarantined) from the action parameters. - | File Path | String | Yes | The absolute file path on the target disk (e.g., - 'C:\\Users\\Public\\malicious.exe'). Max 4096 characters. | + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - | Endpoint IDs | String | Yes | A comma-separated list of target endpoint IDs. - Supports up to 100 targets per request. | + 4. **API Execution**: The action calls the `quarantine_item_add` method, which + sends a POST request to the Bitdefender GravityZone API (`/v1.0/jsonrpc/quarantine`) + to create a task to add the specified file to quarantine on the target endpoints. + 5. **Result Reporting**: The action logs the outcome and returns a success or + failure status to the SOAR platform. - ### Additional Notes - - Only endpoints with an active EDR Sensor module are considered valid targets - for this action. + ### Parameters Description - - The file path format must be suitable for the target's operating system. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | File Path | string | Yes | The absolute file path on disk to be quarantined. + Max 4096 characters. | - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the configured API Key and Access URL. + | Endpoint IDs | string | Yes | A comma-separated list of the IDs of the target + endpoints. Max 100 targets at once. | - 2. **Parameter Extraction**: Retrieves the target endpoint IDs and the specific - file path from the action inputs. - 3. **Task Creation**: Sends a JSON-RPC request to the Bitdefender API using the - `createAddFileToQuarantineTask` method. + ### Additional Notes - 4. **Result Handling**: Evaluates the API response to determine if the task was - successfully created and updates the action status accordingly. + This action does not interact with SOAR entities directly; it relies on the user + providing specific Endpoint IDs as input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1129,12 +1827,21 @@ Quarantine - Add File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to move a file from its original location - to quarantine on the target endpoints. + Creates a task in Bitdefender GravityZone to quarantine a specific file on target + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a quarantine task for a specific file on specified endpoints. It does not fetch + data for enrichment, nor does it modify internal SOAR case data (entities, insights, + or comments). categories: enrichment: false + reasoning: >- + The action is a remediation/containment action that modifies external system + state (quarantining a file). It does not fetch data for enrichment, so it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1150,43 +1857,93 @@ Quarantine - Add File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Endpoint IDs' as a string parameter. It does not iterate over + or interact with 'siemplify.target_entities'. Quarantine - Get Items List: - ai_description: "### General Description\nRetrieves a list of quarantined items\ - \ from Bitdefender GravityZone. This action allows security analysts to search\ - \ for and list files or Microsoft Exchange objects that have been moved to quarantine\ - \ across the network or on specific endpoints. It supports various filtering options\ - \ to narrow down results based on threat names, timeframes, and specific endpoint\ - \ identifiers.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Service | DDL | Yes | Determines\ - \ the source of the quarantined items. Options are 'Computers' (for Computers\ - \ and Virtual Machines) or 'Exchange' (for Security for Exchange). |\n| Filter\ - \ - Threat Name | String | No | Filters the list by the name of the detected threat.\ - \ Supports partial matching. |\n| Filter - Start Date | String | No | Filters\ - \ for items quarantined after this specific date. Must be in ISO 8601 format.\ - \ |\n| Filter - End Date | String | No | Filters for items quarantined before\ - \ this specific date. Must be in ISO 8601 format. |\n| Filter - File Path | String\ - \ | No | Filters by the file path where the item originated. Supports partial\ - \ matching and wildcards (e.g., using '*' as a suffix). Only available for the\ - \ 'Computers' service. |\n| Filter - IP Address | String | No | Filters by the\ - \ IP address of the source endpoint. Only available for the 'Computers' service.\ - \ |\n| Filter - Action Status | DDL | No | Filters items by their current status\ - \ (None, Pending Save, Saved). Note: 'Pending Save' is only applicable to the\ - \ Exchange service. |\n| Endpoint ID | String | No | The unique identifier of\ - \ a specific computer. If provided, only items from that computer are returned;\ - \ otherwise, the search covers the entire network. |\n\n### Additional Notes\n\ - - The filter fields **Threat Name**, **File Path**, and **IP Address** support\ - \ partial matching. \n- For the **File Path** filter, you can use an asterisk\ - \ (*) to perform suffix matching (e.g., `*myfile.exe`).\n- The Exchange service\ - \ filters require a valid license for 'Security for Exchange'.\n\n### Flow Description\n\ - 1. **Parameter Extraction**: The action retrieves the integration configuration\ - \ (API Key, URL) and all user-defined filter parameters.\n2. **Manager Initialization**:\ - \ Initializes the Bitdefender GravityZone Manager to handle API communication.\n\ - 3. **API Request**: Sends a JSON-RPC request (`getQuarantineItemsList`) to the\ - \ Bitdefender Control Center, targeting the specified service (Computers or Exchange).\n\ - 4. **Pagination Handling**: The action automatically handles paginated responses\ - \ from the API to ensure all matching quarantined items are retrieved.\n5. **Result\ - \ Processing**: The collected list of quarantined items is formatted and returned\ - \ as a JSON result for use in subsequent playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of quarantined items from Bitdefender GravityZone. + It does not match the expected outcomes for enrichment, containment, ticket + management, or alert modification. It is a specific retrieval action that does + not fit the provided product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves a list of quarantined items from the Bitdefender GravityZone platform + based on specified filters. This action allows analysts to query quarantined files + or Exchange objects across the network or for a specific endpoint. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service | ddl | Yes | The service to query: 'computers' (for Computers and Virtual + Machines) or 'exchange' (for Security for Exchange). | + + | Filter - Threat Name | string | No | Filters the quarantined items by threat + name. | + + | Filter - Start Date | string | No | Filters items quarantined after this date + (ISO 8601 format). | + + | Filter - End Date | string | No | Filters items quarantined before this date + (ISO 8601 format). | + + | Filter - File Path | string | No | Filters quarantined items by file path. | + + | Filter - IP Address | string | No | Filters quarantined items by IP address. + | + + | Filter - Action Status | ddl | No | Filters by action status (e.g., None, Pending + Save, Saved). | + + | Endpoint ID | string | No | The ID of the specific computer to retrieve items + for. If omitted, retrieves items for the entire network. | + + + ### Flow Description + + 1. **Initialization**: The action extracts the integration configuration (API + Key, Access URL, SSL verification) and the action parameters (Service, filters, + Endpoint ID). + + 2. **Connection**: It initializes the `BitdefenderGravityZoneManager` to establish + a connection with the Bitdefender GravityZone Control Center. + + 3. **Data Retrieval**: It calls the `quarantine_item_list` method, passing the + provided filters to the Bitdefender API. + + 4. **Output**: The retrieved list of quarantined items is added to the action + result as a JSON object, and the action completes with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1197,8 +1954,19 @@ Quarantine - Get Items List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bitdefender GravityZone API to retrieve + a list of quarantined items. It does not modify any external system state (no + POST/PUT/DELETE for state changes) and does not modify any internal SOAR data + (no entity updates, insights, or case comments). It simply returns the retrieved + data to the action result. categories: enrichment: false + reasoning: >- + The action retrieves data from an external system, but it does not operate on + entities to enrich them, nor does it meet the criteria for an enrichment action + (which typically involves updating entity profiles or adding insights). It is + a retrieval/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1214,52 +1982,90 @@ Quarantine - Get Items List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses input + parameters provided in the action configuration to filter the request, meaning + it does not run on specific entities. Quarantine - Remove Items: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes items from quarantine in Bitdefender GravityZone. This is + a remediation/containment-related action. It does not match any of the specific + categories provided (e.g., it is not blocking an IOC, updating an alert, or + managing identity/host containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a new task in Bitdefender GravityZone to remove specific items - from quarantine. It allows security analysts to permanently delete quarantined - files or emails that have been identified as malicious or are no longer needed - for investigation. + This action removes specified items from the quarantine in the Bitdefender GravityZone + platform. It allows security analysts to clear quarantined files or objects across + managed services (Computers or Exchange) by providing their unique identifiers. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, + and SSL verification settings from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the target `Service` (e.g., Computers, + Exchange) and the comma-separated list of `Quarantine Item IDs` from the action + parameters. - | Service | DDL | Yes | Specifies the target service for the removal task. Options - are 'Computers' (for Computers and Virtual Machines) or 'Exchange' (for Security - for Exchange). | + 3. **Connection**: It initializes the `BitdefenderGravityZoneManager` using the + provided credentials. - | Quarantine Item IDs | String | Yes | A comma-separated list of unique identifiers - for the items to be removed from quarantine. A maximum of 100 items can be processed - in a single request. | + 4. **Execution**: The action calls the `quarantine_item_remove` method, which + sends a POST request to the Bitdefender GravityZone API to create a removal task + for the specified items. + 5. **Result**: The action returns a success or failure status based on the API + response. - ### Additional Notes - - The action interacts with the Bitdefender GravityZone Control Center via JSON-RPC. + ### Parameters Description - - The 'Service' parameter determines the specific API endpoint used for the removal - request. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Service | ddl | Yes | The service type to target. Allowed values are 'Computers' + or 'Exchange'. | - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the configured API Key and Access URL. + | Quarantine Item IDs | string | Yes | A comma-separated list of quarantine item + IDs to be removed. Maximum of 100 items per request. | - 2. **Parameter Extraction**: It retrieves the target service type and the list - of quarantine item IDs from the action parameters. - 3. **Task Creation**: The action sends a `createRemoveQuarantineItemTask` request - to the Bitdefender API, targeting the specified service (Computers or Exchange). + ### Additional Notes - 4. **Execution Status**: It evaluates the API response to determine if the task - was successfully created and reports the final status back to Google SecOps. + This action performs a direct mutation on the external Bitdefender GravityZone + system. Ensure that the provided API credentials have the necessary permissions + to manage quarantine items. capabilities: can_create_case_comments: false can_create_insight: false @@ -1268,12 +2074,19 @@ Quarantine - Remove Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to permanently remove specified items - from the quarantine, effectively deleting them from the external system. + Removes items from quarantine in the Bitdefender GravityZone platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to remove + items from quarantine. This is a state-changing operation on an external system. + It does not fetch data for enrichment, nor does it modify internal SOAR case + data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (removing items from quarantine) and does not + fetch data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1289,64 +2102,93 @@ Quarantine - Remove Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on parameters + provided directly in the action configuration (Service and Quarantine Item IDs). Quarantine - Restore Exchange Items: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action restores quarantined items in Bitdefender GravityZone. This does + not align with the provided categories such as IOC enrichment, identity management, + host containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a new task in Bitdefender GravityZone to restore specific - items from the quarantine for Exchange Servers. It is designed to move items previously - identified as threats or suspicious back to their original location within the - Exchange environment. - + This action restores quarantined items from the Bitdefender GravityZone Exchange + environment. It allows analysts to recover items that were previously quarantined + by the security solution, facilitating the restoration of legitimate files or + messages that may have been incorrectly flagged. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Quarantine Item IDs** | String | Yes | A comma-separated list of unique identifiers - for the items to be restored. Note: The maximum number of items that can be processed - in a single request is 100. | + 1. **Initialization**: The action connects to the Bitdefender GravityZone Control + Center using the provided API key and SSL verification settings. - | **Username** | String | Yes | The username of a Microsoft Exchange user, which - must include the domain name (e.g., domain\user). | + 2. **Parameter Extraction**: It retrieves the required parameters, including the + list of `Quarantine Item IDs`, `Username`, `Password`, and optional parameters + like `Email` and `EWS URL`. - | **Password** | Password | Yes | The password associated with the provided Exchange - username. | + 3. **Execution**: It invokes the `createRestoreQuarantineExchangeItemTask` method + via the Bitdefender GravityZone API to initiate the restoration process. - | **Email** | String | No | The email address of the Exchange user. This is required - if the email address differs from the username. | + 4. **Completion**: The action logs the status of the operation and returns a success + or failure message to the SOAR platform. - | **EWS URL** | String | No | The Exchange Web Services (EWS) URL. This should - be provided if Exchange Autodiscovery is not functioning in the environment. | + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - This action does not automatically process entities from the Google SecOps case; - it relies entirely on the provided action parameters. + | :--- | :--- | :--- | :--- | - - The action interacts with the Bitdefender GravityZone API via a POST request - to initiate a restoration task. + | EWS URL | string | No | The Exchange Web Services URL. Required if Exchange + Autodiscovery is not functional. | + | Email | string | No | The email address of the Exchange user. Required if the + email address differs from the username. | - ### Flow Description + | Password | password | Yes | The password of the Exchange user. | - 1. **Configuration Extraction:** The action retrieves the API Key, Access URL, - and SSL verification settings from the integration configuration. + | Username | string | Yes | The username of the Microsoft Exchange user (must + include the domain name). | - 2. **Parameter Extraction:** It extracts the specific item IDs and Exchange credentials - provided by the user. + | Quarantine Item IDs | string | Yes | A comma-separated list of quarantine item + IDs to be restored (maximum 100 items). | - 3. **Manager Initialization:** It initializes the Bitdefender GravityZone Manager - to establish a connection to the Control Center. - 4. **Task Creation:** It calls the `createRestoreQuarantineExchangeItemTask` method, - sending the item IDs and credentials to the Bitdefender API. + ### Additional Notes - 5. **Result Reporting:** The action checks the API response and reports whether - the restoration task was successfully created or if the operation failed. + This action performs a direct mutation on the external Bitdefender GravityZone + system. Ensure that the provided credentials have the necessary permissions to + perform restoration tasks within the Exchange environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -1355,13 +2197,18 @@ Quarantine - Restore Exchange Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a task in Bitdefender GravityZone to restore items from - the Exchange quarantine, which changes the state of the quarantined items in - the external Exchange environment. + Restores quarantined items in the Bitdefender GravityZone Exchange environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to restore + quarantined items. It does not fetch data, update entities, or create insights. + It is a pure mutation action on an external system. categories: enrichment: false + reasoning: >- + The action is a mutation action (restoring items) and does not fetch data for + enrichment. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1377,57 +2224,88 @@ Quarantine - Restore Exchange Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It relies entirely on action + parameters provided by the user to identify the items to restore. Quarantine - Restore Items: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action restores items from quarantine in Bitdefender GravityZone. This is + a remediation action. It does not match any of the provided categories (Enrichment, + Ticket, Blocklist, Identity, Host Containment, Email, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Restores quarantined items in Bitdefender GravityZone. This action interacts with + the Bitdefender API to move files from quarantine back to their original or specified + location on the target endpoint. - The **Quarantine - Restore Items** action allows users to restore files or items - previously quarantined by Bitdefender GravityZone. It creates a restoration task - in the GravityZone Control Center for specific items identified by their IDs. - This action is useful for recovering false positives or restoring files for forensic - analysis. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. Connects to the Bitdefender GravityZone Control Center using the provided API + key and URL. - | :--- | :--- | :--- | :--- | + 2. Extracts the action parameters: `Quarantine Item IDs`, `Service`, `Add Exclusion + in Policy`, and `Location to Restore`. - | **Quarantine Item IDs** | String | Yes | A comma-separated list of unique identifiers - for the items to be restored from quarantine. Maximum of 100 items per request. - | + 3. Invokes the `quarantine_item_restore` method, which sends a `POST` request + to the Bitdefender API to initiate the restoration task for the specified items. - | **Service** | DDL | Yes | Specifies the service context: 'Computers' for endpoint - files or 'Exchange' for email-related items. | + 4. Returns the operation status (success or failure) to the SOAR platform. - | **Location to Restore** | String | No | The absolute file path where items should - be restored. If left empty, the original location is used. | - | **Add Exclusion in Policy** | Boolean | No | If set to true, the restored items - will be added as exclusions in the current policy to prevent them from being quarantined - again in future scans. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: Connects to the Bitdefender GravityZone API using the provided - API Key and Access URL. + | Quarantine Item IDs | string | Yes | Comma-separated list of quarantine item + IDs. The maximum number of items that can be removed once is 100. | - 2. **Parameter Extraction**: Retrieves the list of item IDs, the target service, - and optional restoration settings (location and exclusions) from the action parameters. + | Service | ddl | Yes | The service type. Allowed values are: "Computers" (for + Computers and Virtual Machines) or "Exchange" (for Security for Exchange). | - 3. **Task Creation**: Sends a POST request to the Bitdefender API to initiate - a `createRestoreQuarantineItemTask` for the specified service. + | Add Exclusion in Policy | boolean | No | If set to true, excludes the files + to be restored from future scans. Exclusions do not apply to items with the Default + Policy assigned. | - 4. **Completion**: Returns a success status if the task was successfully created - in the external system, or a failure status if the API request failed. + | Location to Restore | string | No | The absolute path to the folder where the + items will be restored. If not set, the original location will be used. | ### Additional Notes - This action does not process Google SecOps entities; it relies entirely on the - provided Quarantine Item IDs. + - This action performs a mutation on the external Bitdefender GravityZone system. + + - The `Service` parameter is mandatory and must be one of the allowed values ("Computers" + or "Exchange"). capabilities: can_create_case_comments: false can_create_insight: false @@ -1436,13 +2314,19 @@ Quarantine - Restore Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore specific items from quarantine - to their original or a specified location and optionally adds scan exclusions - to the security policy. + Restores quarantined items in Bitdefender GravityZone, changing their status + from quarantined to restored on the target endpoint. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `POST` request to the Bitdefender API to restore quarantined + items. This is a state-changing operation on an external system. It does not + fetch data for enrichment or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a remediation/mutation action, not an enrichment action. It does + not fetch data for the purpose of enriching entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1458,52 +2342,73 @@ Quarantine - Restore Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It relies on parameters provided in the action configuration to + perform its task. Reports - Get Download Links: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves report download links from Bitdefender GravityZone. It + does not match any of the defined categories such as Enrich IOC, Enrich Asset, + or Ticket management, as it is a specific utility for report retrieval. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves download links for a specific report from Bitdefender GravityZone. This - action is used to obtain the necessary URLs to download generated reports, whether - they are instant (available for less than 24 hours) or scheduled (stored in the - GravityZone database). + This action retrieves download links for a specific report from the Bitdefender + GravityZone platform. It allows users to fetch the availability status and download + URLs for reports generated within the GravityZone environment. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Report ID | The unique identifier of the report for which you want to retrieve - download links. | String | Yes | - - - ### Additional Notes - - - Instant reports are temporary and typically expire within 24 hours of creation. - - - Scheduled reports are persistent and saved within the Bitdefender database. - - - This action requires a valid API Key and Access URL configured in the integration - settings. + | Report ID | string | Yes | The unique identifier of the report to fetch. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, - and SSL verification settings from the integration configuration. + 1. The action initializes the Bitdefender GravityZone Manager using the provided + API Key and Access URL. - 2. **Parameter Extraction**: The action extracts the mandatory `Report ID` provided - by the user. + 2. It extracts the `Report ID` from the action parameters. - 3. **Manager Initialization**: It initializes the `BitdefenderGravityZoneManager` - to handle communication with the Control Center. + 3. The action calls the `getDownloadLinks` method via the Bitdefender API to retrieve + the report's download information. - 4. **API Request**: The action calls the `getDownloadLinks` method via the Bitdefender - JSON-RPC API using the provided Report ID. + 4. The retrieved report data is added to the action result as a JSON object. - 5. **Result Processing**: The retrieved download link information is added to - the action's JSON results, and the execution is marked as completed. + 5. The action completes and returns the status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1514,8 +2419,17 @@ Reports - Get Download Links: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a retrieval operation (GET/POST to fetch data) from the + Bitdefender GravityZone API. It does not modify any external system state, nor + does it modify internal SOAR case data, entities, or insights. It simply returns + the requested report information as a result. categories: - enrichment: true + enrichment: false + reasoning: >- + The action is a utility task for retrieving report information. It does not + run on entities, nor does it gather supplemental context about alerts or entities + as defined by the Enrichment Action criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1531,14 +2445,49 @@ Reports - Get Download Links: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It operates + solely based on the provided 'Report ID' parameter. Reports - List All: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of reports from the Bitdefender GravityZone platform. + It does not match any of the specific operational categories such as IOC enrichment, + asset enrichment, containment, or ticket management. It is a general data retrieval + action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves a list of scheduled reports from the Bitdefender GravityZone Control - Center. This action allows users to query and filter reports based on their name - or specific type, providing visibility into the reporting configuration and history - within the Bitdefender environment. + This action retrieves a list of scheduled reports from the Bitdefender GravityZone + Control Center. It allows users to filter the retrieved reports by name or type, + providing visibility into the reporting configuration within the Bitdefender environment. ### Parameters Description @@ -1547,38 +2496,25 @@ Reports - List All: | :--- | :--- | :--- | :--- | - | Report Name | String | No | Filters the list to only include reports with a - specific name. | - - | Report Type | DDL | No | Filters the list by a specific report category, such - as 'Malware Status', 'Firewall Activity', or 'Network Incidents'. | + | Report Name | string | No | The specific name of the report to filter the results + by. | - - ### Additional Notes - - - This action does not require any entities to run; it performs a global query - against the Bitdefender API. - - - If no parameters are provided, the action will attempt to retrieve all available - scheduled reports. + | Report Type | ddl | No | The category of the report to filter by (e.g., 'Antiphishing + Activity', 'Malware Status', 'Network Incidents'). | ### Flow Description - 1. **Authentication**: The action establishes a connection to the Bitdefender - GravityZone API using the configured API Key and Access URL. - - 2. **Parameter Extraction**: It retrieves the optional 'Report Name' and 'Report - Type' filters from the action configuration. + 1. **Authentication**: The action connects to the Bitdefender GravityZone API + using the provided API Key and Access URL. - 3. **Type Mapping**: If a 'Report Type' is specified, the action maps the human-readable - string to the internal integer ID required by the Bitdefender API. + 2. **Request**: It sends a request to the API to fetch the list of reports, applying + optional filters for `Report Name` and `Report Type` if provided. - 4. **Data Retrieval**: The action executes a paginated request to the Bitdefender - `getReportsList` endpoint. + 3. **Data Retrieval**: The API returns the list of reports, which is then processed + and added to the action's result JSON. - 5. **Output**: The collected list of reports is returned as a JSON result, making - the data available for downstream playbook logic. + 4. **Completion**: The action concludes by outputting the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -1589,8 +2525,17 @@ Reports - List All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like request (via RPC POST) to retrieve a list of + reports from the Bitdefender GravityZone API. It does not modify any external + systems, nor does it modify internal SOAR case data, entities, or insights. + It simply fetches and returns data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (list of reports) from an external source without mutating + any external or internal state. It does not perform any prohibited actions (like + Ping or file downloads). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1606,48 +2551,77 @@ Reports - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates globally on the + Bitdefender GravityZone configuration to list reports. Restore Isolated Endpoint: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action restores an endpoint from isolation in Bitdefender GravityZone. This + directly matches the 'Uncontain Host' category, which involves removing network + isolation and restoring full communication capabilities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: true + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Restores a specified endpoint from network isolation within the Bitdefender GravityZone - environment. This action is used to reverse a previous isolation command, allowing - the endpoint to resume normal network communications. + This action restores a previously isolated endpoint in the Bitdefender GravityZone + environment. By triggering a restoration task, it removes the network isolation + applied to the specified endpoint, allowing it to resume normal network communication. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Endpoint ID | The unique identifier of the endpoint to be restored from isolation. - | String | True | - - - ### Additional Notes - - This action does not process entities from the Google SecOps scope; it relies - solely on the provided 'Endpoint ID' parameter to identify the target system in - Bitdefender GravityZone. + | Endpoint ID | string | Yes | The unique identifier of the endpoint to be restored + from isolation. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, Access URL, and SSL verification settings) from the integration configuration. - 2. **Parameter Extraction**: Retrieves the mandatory 'Endpoint ID' from the action - parameters. + 2. **Parameter Extraction**: The action extracts the `Endpoint ID` provided by + the user. - 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided credentials. + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - 4. **Task Creation**: Executes the `createRestoreEndpointFromIsolationTask` API - method to trigger the restoration process for the specified endpoint. + 4. **Execution**: The action calls the `isolate_endpoint_restore` method, which + sends a request to the Bitdefender GravityZone API to create a task for restoring + the specified endpoint. - 5. **Result Reporting**: Evaluates the API response and returns a success or failure - status to the Google SecOps workbench. + 5. **Result Handling**: The action logs the outcome of the API request and terminates + with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1656,12 +2630,18 @@ Restore Isolated Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore an endpoint from isolation, - which changes the network connectivity state of the target machine. + Restores an endpoint from network isolation in Bitdefender GravityZone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to trigger + an endpoint restoration task. It does not fetch data for enrichment, nor does + it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a remediation/containment action (un-isolating a host), not an + enrichment action. It does not fetch data to enrich entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1677,46 +2657,55 @@ Restore Isolated Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses an 'Endpoint ID' provided as a parameter, not an entity from + the SOAR case. Therefore, it does not run on entities. Set Endpoint Label: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the label of an endpoint in Bitdefender GravityZone. This + is an administrative update to an asset's metadata. It does not match any of + the predefined categories (e.g., it is not an enrichment, containment, or alert/ticket + update action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Sets or resets a label for a specific endpoint in Bitdefender GravityZone. This - action allows administrators to organize or tag endpoints within the Bitdefender - Control Center by applying a string label (up to 64 characters) to a target endpoint - identified by its ID. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Label | string | Yes | A string representing the label to be applied. The maximum - allowed length is 64 characters. To reset/remove a previously set label, provide - an empty string. | - - | Endpoint ID | string | Yes | The unique identifier of the endpoint for which - the label will be set. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the target `Endpoint ID` and the desired - `Label` from the action parameters. - - 3. **Manager Initialization**: Connects to the Bitdefender GravityZone Control - Center using the provided credentials. - - 4. **API Execution**: Calls the `setEndpointLabel` method via the Bitdefender - API, passing the endpoint ID and the label string. - - 5. **Result Handling**: Evaluates the API response and terminates the action with - a success or failure status based on whether the label was successfully applied. + This action updates the label of a specific endpoint within the Bitdefender GravityZone + platform. The action flow is as follows: 1. It extracts the necessary configuration + parameters (API Key, Access URL, and SSL verification) from the integration settings. + 2. It extracts the action-specific parameters: Endpoint ID and Label. 3. It initializes + the BitdefenderGravityZoneManager to communicate with the Bitdefender API. 4. + It executes the label_endpoint_set method, which sends a POST request to the Bitdefender + API to update the endpoint's label. 5. It logs the success or failure of the operation + and terminates the action. Parameters: Label (string, mandatory): The new label + to assign to the endpoint. The maximum allowed length is 64 characters. Enter + an empty string to reset a previously set label. Endpoint ID (string, mandatory): + The ID of the endpoint for which the details will be returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -1725,12 +2714,18 @@ Set Endpoint Label: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the label attribute of a specific endpoint in the Bitdefender GravityZone - Control Center. + Updates the label of an endpoint in the Bitdefender GravityZone system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to set + a label on an endpoint. This is an external mutation. It does not fetch data, + nor does it modify internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (setting a label), not an enrichment action + (fetching data). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1746,3 +2741,7 @@ Set Endpoint Label: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses Endpoint ID as a direct input parameter provided by the user, + not by iterating over siemplify.target_entities. Therefore, it does not use + entities. diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5250f9acf --- /dev/null +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: true + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The bitdefender_gravity_zone integration provides comprehensive endpoint management + capabilities, including host isolation ('Isolate Endpoint'), restoration ('Restore + Isolated Endpoint'), and remote scanning ('Create Scan Task'), which directly + align with the EDR category. Additionally, the integration offers robust asset + visibility through actions like 'Get Endpoints List' and 'Get Network Inventory + Items', which fulfill the requirements for the Asset Inventory category. The integration + does not provide SIEM log analysis, network gateway security, threat intelligence + enrichment (reputation scoring), email security (phishing management), IAM, ITSM, + Vulnerability Management, or Collaboration features. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml index eb999a1a9..7624b2c21 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml @@ -1,26 +1,82 @@ Gather Remote Agent Datapoints: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a diagnostic tool that collects local logs and system information. + It does not perform any of the defined product category operations (e.g., enrichment, + containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\n\nGathers comprehensive diagnostic data and logs from - a Remote Agent to assist in troubleshooting integration and connector issues. - It retrieves system performance metrics, agent status, and parses log files for - error patterns.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| IntegrationName | String | Yes - | The name of the integration for which logs and data should be collected. |\n| - ConnectorName | String | No | The specific connector name to target for log collection. - If provided, the action will attempt to locate and parse the specific connector - runner logs. |\n\n### Flow Description\n\n1. **Configuration Extraction**: Retrieves - the target Integration and Connector names from the action parameters.\n2. **Agent - Status Collection**: Reads and parses `agent_status.json` to identify installed - integration versions and general agent health, while masking sensitive information - like IP and MAC addresses.\n3. **System Load Analysis**: Executes system commands - (`lscpu`, `uptime`, `free`) to capture CPU, memory, and uptime statistics.\n4. - **Environment & File Audit**: Captures environment variables (excluding secrets) - and performs a directory listing of the agent's working directory.\n5. **Log Parsing**: - Scans the main agent log (`agent.log`) and specific connector logs (`connectors_runner.log`) - for error-level entries, capturing the most recent occurrences for analysis.\n\n### - Additional Notes\n\nThis action is a diagnostic tool. All collected information - is written to the action's execution logs (LOGGER) rather than being returned - as structured case data or insights. + ### General Description + + The 'Gather Remote Agent Datapoints' action is a diagnostic tool designed to collect + comprehensive system and log information from a remote agent machine. It executes + a series of local shell commands to gather data such as system load, environment + variables, file information, and agent logs. This information is then logged to + the SOAR logger for troubleshooting and support purposes. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | IntegrationName | string | Yes | The name of the integration for which to analyze + logs. | + + | ConnectorName | string | No | The name of the connector to filter logs. | + + + ### Additional Notes + + This action does not interact with external APIs or modify any internal SOAR data. + It is strictly a diagnostic tool that reads local system information and logs + it to the SOAR logger. + + + ### Flow Description + + 1. **Extract Parameters**: The action extracts the `IntegrationName` and `ConnectorName` + parameters from the configuration. + + 2. **Initialize Collectors**: It initializes several collector classes (`RALogsCollector`, + `AgentLoadInfoCollector`, `CollectFileInformation`, `CollectAgentLogs`) to prepare + for data gathering. + + 3. **Execute Commands**: The action runs local shell commands (e.g., `cat`, `lscpu`, + `uptime`, `free`, `env`, `ls`, `date`) on the agent machine to collect diagnostic + data. + + 4. **Log Information**: The collected data is logged to the `siemplify.LOGGER` + for analyst review. + + 5. **Complete**: The action returns a completed status. capabilities: can_create_case_comments: false can_create_insight: false @@ -29,10 +85,21 @@ Gather Remote Agent Datapoints: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action executes local shell commands (e.g., `cat`, `lscpu`, `uptime`, `free`, + `env`, `ls`, `date`) on the agent machine to collect diagnostic logs and system + information. It does not interact with external APIs, nor does it modify any + internal SOAR data (entities, insights, comments). It is a diagnostic tool for + support purposes. categories: enrichment: false + reasoning: >- + The action is a diagnostic tool that collects local logs and system information. + It does not fetch data from external sources to enrich alerts or entities, nor + does it modify any internal or external data. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -48,3 +115,6 @@ Gather Remote Agent Datapoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates based on configuration + parameters provided to the action. diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d683c5b0f --- /dev/null +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'chronicle_support_tools' integration is a diagnostic utility designed solely + for troubleshooting and maintaining the integration's own operations. It collects + local system logs and performance metrics from the host machine. It does not perform + any security-related functions such as threat intelligence enrichment, incident + response, asset management, or identity management. It does not interact with + external security APIs or modify SOAR case data. Consequently, it does not align + with any of the provided product categories, which are centered on security operations + and incident response workflows. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml index f9a853e74..684133cb8 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml @@ -1,26 +1,88 @@ Get Country Flag: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (a country flag) for entities or a + provided code. This aligns with the 'Enrich Asset' category as it provides contextual + metadata for a resource. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Country Flag** action retrieves a base64-encoded image of a country's - flag from the `countryflags.io` service. This utility is used to provide visual - context for countries associated with entities or provided as direct input. The - action maintains a local cache to optimize performance and reduce API calls.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Country Code Two Digit | string | No | A 2-letter ISO - country code (e.g., 'us', 'fr') to fetch the flag for. |\n| Country Code From - Entity Field | string | No | A comma-separated list of field names to look for - in an entity's `additional_properties` (e.g., 'country', 'location'). |\n\n### - Additional Notes\n- The action uses a local `flags.json` file in the run folder - for caching.\n- If no country code is found and no parameter is provided, the - action completes without fetching data.\n\n### Flow Description\n1. **Load Cache**: - Attempts to read existing flag data from a local JSON file.\n2. **Identify Country - Codes**: Checks the `Country Code Two Digit` parameter and iterates through entities - to find codes in specified `additional_properties` fields.\n3. **Fetch Missing - Flags**: For any code not in the cache, it performs a GET request to the external - flag service.\n4. **Process and Encode**: Converts the image content to a base64 - string.\n5. **Update and Output**: Updates the local cache file and adds the base64 - strings to the action's JSON result. + This action retrieves a country flag image from `countryflags.io` based on a provided + country code or an entity's property. It supports caching the retrieved flags + in a local file to optimize performance and reduce external API calls. The action + returns the base64-encoded flag data in the result JSON. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Country Code Two Digit | string | No | The 2-digit country code (e.g., "us") + to fetch the flag for. | + + | Country Code From Entity Field | string | No | The name of the field in the + entity's additional properties that contains the country code. If provided, the + action will extract the code from the entity and fetch the corresponding flag. + | + + + ### Additional Notes + + Either the `Country Code Two Digit` parameter or the `Country Code From Entity + Field` parameter should be configured for the action to perform its task. If both + are provided, the action will process both. + + + ### Flow Description + + 1. **Initialization**: The action initializes by attempting to load a local cache + file (`flags.json`) containing previously fetched flags. + + 2. **Entity Processing**: If `Country Code From Entity Field` is provided, the + action iterates through all target entities. For each entity, it checks the specified + field in `additional_properties` to extract the country code. + + 3. **Flag Retrieval**: For each identified country code (either from the parameter + or the entity), the action checks the local cache. If the flag is not in the cache, + it performs an HTTP GET request to `countryflags.io` to download the flag image. + + 4. **Caching**: The downloaded flag is base64-encoded and stored in the local + cache. + + 5. **Result Generation**: The action adds the base64-encoded flag data to the + result JSON. + + 6. **Cache Update**: If any new flags were fetched, the action updates the local + cache file. capabilities: can_create_case_comments: false can_create_insight: false @@ -31,8 +93,18 @@ Get Country Flag: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to an external service (`countryflags.io`) + to fetch data (flag images). It does not modify any external system state (no + POST/PUT/DELETE). It does not modify internal SOAR data (entities, insights, + or case comments). While it writes to a local cache file, this is not considered + a mutation of internal SOAR data. categories: enrichment: true + reasoning: >- + The action fetches data (country flags) to provide context for entities or specific + codes. It does not mutate external systems or internal SOAR data. It fits the + definition of an enrichment action as it gathers supplemental context. entity_usage: entity_types: - ADDRESS @@ -70,7 +142,7 @@ Get Country Flag: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: true + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -83,46 +155,66 @@ Get Country Flag: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` to extract country codes + from `additional_properties`. It does not filter by entity type, meaning it + processes all entity types provided in the target list. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enriching IOCs/assets, updating tickets, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + General description: This action tests connectivity to the Country Flags service + by attempting to retrieve a flag image for a hardcoded country code ('us'). It + serves as a diagnostic tool to verify network reachability and service availability. - The **Ping** action is designed to verify connectivity between Google SecOps and - the Country Flags service. It performs a test request to ensure that the integration - can successfully reach the external API and retrieve data. + Flow description: - ### Parameters Description + 1. Initialize the SiemplifyAction. - There are no parameters for this action. + 2. Attempt to read a local cache file ('flags.json') from the run folder. + 3. If the country flag is not found in the cache, perform an HTTP GET request + to 'https://www.countryflags.io/'. - ### Additional Notes - - This action uses a hardcoded country code ("us") to perform the connectivity test. - It also utilizes a local cache file (`flags.json`) within the execution environment - to store previously retrieved flag data. Note that while the action fetches data, - it is named 'Ping' and therefore is not categorized as an enrichment action per - standard guidelines. + 4. Encode the retrieved image content to base64 and update the local cache dictionary. + 5. Return success or failure based on the retrieval outcome. - ### Flow Description - - 1. **Initialize**: The script initializes the Siemplify action and attempts to - load existing flag data from a local cache file named `flags.json` in the run - folder. - 2. **Cache Check**: It checks if the flag for the hardcoded country code "us" - is already present in the loaded cache. + Parameters description: - 3. **API Request**: If the flag is not found in the cache, it sends a GET request - to the Country Flags API (`https://www.countryflags.io/us/flat/64.png`). - - 4. **Data Processing**: The retrieved image content is encoded into a base64 string - and added to the local cache object. - - 5. **Completion**: The action concludes with a success status if the flag data - is successfully obtained (either from the cache or the external API). + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -133,8 +225,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to an external service to fetch an image. + It does not modify external systems, nor does it modify internal SecOps data + (entities, insights, etc.). It uses a local file for caching, which is not considered + internal data mutation in the context of SecOps case data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is explicitly excluded from being an enrichment + action per the instructions. It does not perform any enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -150,3 +250,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses a hardcoded country + code 'us' and does not perform any operations on entities. diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..c717cb966 --- /dev/null +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The country_flags integration is a utility tool designed to provide visual context + (country flags) for entities. It does not perform any of the security-specific + functions defined in the product categories. It does not analyze logs (SIEM), + investigate hosts (EDR), manage network traffic (Network Security), provide threat + intelligence (Threat Intelligence), manage emails (Email Security), manage identities + (IAM), manage cloud resources (Cloud Security), handle ticketing (ITSM), assess + vulnerabilities (Vulnerability Management), provide asset inventory details (Asset + Inventory), or facilitate collaboration (Collaboration). While it performs enrichment, + it is purely cosmetic and does not meet the specific 'Expected Outcome' criteria + for any of the listed categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml index 2912cfc33..e5e8e2bd0 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml @@ -1,12 +1,41 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks like enriching IOCs, blocking, or creating tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a connectivity test designed to verify the communication - between Google SecOps and the Cybersixgill API. Its primary purpose is to ensure - that the provided credentials (Client ID and Client Secret) are valid and that - the network configuration allows for a successful connection to the Cybersixgill - service. + Tests connectivity to the Cybersixgill API by validating the provided credentials. + This action ensures that the integration is correctly configured and can communicate + with the external service. ### Parameters Description @@ -15,35 +44,25 @@ Ping: | :--- | :--- | :--- | :--- | - | Client Id | password | Yes | The unique identifier for the Cybersixgill API - client. | + | Client Id | password | Yes | The client ID used for authentication with the + Cybersixgill service. | - | Client Secret | password | Yes | The secret key associated with the Client ID - used for authentication. | + | Client Secret | password | Yes | The client secret used for authentication with + the Cybersixgill service. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration configuration. + 1. The action retrieves the `Client Id` and `Client Secret` from the integration + configuration. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using - the provided credentials. + 2. It initializes the `SixgillEnrichManager` using these credentials. - 3. **Authentication Test**: The manager attempts to create a `SixgillBaseClient` - and calls the `get_access_token` method to verify connectivity. + 3. It attempts to authenticate with the Cybersixgill API by requesting an access + token. - 4. **Result Reporting**: If an access token is successfully retrieved, the action - returns a success message. If an exception occurs or the token cannot be retrieved, - it returns a failure message with the error details. - - - ### Additional Notes - - - This action does not interact with any entities or modify any data within Google - SecOps or Cybersixgill. - - - It is strictly used for configuration validation. + 4. The action returns a success or failure status based on the authentication + attempt. capabilities: can_create_case_comments: false can_create_insight: false @@ -54,8 +73,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the Cybersixgill API. It does + not fetch contextual data, mutate external systems, or modify internal SOAR + data. It is strictly a validation step. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. Per the instructions, + 'Ping' actions are explicitly excluded from being enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -71,3 +97,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + test using configuration parameters. diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..d1a8d0de8 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,63 @@ +Cybersixgill Actionable Alerts: + ai_description: >- + ### General Description + + This connector integrates with Cybersixgill to fetch actionable threat intelligence + alerts. It retrieves alerts based on configured filters (threat level, threat + type) and ingests them into Google SecOps as cases, providing detailed context + including CVE information, threat assessments, and associated assets. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alerts Limit | Integer | Yes | The maximum number of alerts to fetch in a single + execution. | + + | Client Id | Password | Yes | The Client ID for Cybersixgill API authentication. + | + + | Client Secret | Password | Yes | The Client Secret for Cybersixgill API authentication. + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Organization id | String | No | The specific Organization ID to filter alerts. + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | Threat Level | String | No | Filter alerts by threat level (e.g., imminent). + | + + | Threat Type | String | No | Filter alerts by threat type (comma-separated). + | + + + ### Flow Description + + 1. Authenticates with the Cybersixgill API using the provided Client ID and Client + Secret. + + 2. Calculates the time range for fetching alerts based on the last run timestamp + or a default lookback period. + + 3. Queries the Cybersixgill API for actionable alerts, applying filters for threat + level, threat type, and organization ID if provided. + + 4. For each retrieved alert, fetches detailed information, including threat assessments, + recommendations, and associated CVE data. + + 5. Maps the alert data into the Google SecOps AlertInfo format, including raw + JSON, portal URLs, and sub-alert details. + + 6. Updates the connector timestamp to the latest alert creation time and returns + the processed alerts to the SOAR platform. diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..27fadb659 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration is primarily a Threat Intelligence solution, as it provides actionable + intelligence from deep, dark, and surface web sources, including risk assessments + and threat data for IPs, domains, and vulnerabilities. It qualifies for the Threat + Intelligence category because it enriches alerts with external threat data. It + also qualifies for the Vulnerability Management category because it specifically + monitors for vulnerabilities and provides CVE information, which helps in assessing + the susceptibility of assets to known exploits. It does not qualify as a SIEM, + EDR, Network Security, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, + or Collaboration tool based on the provided descriptions. + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml index e25b1bf71..bf97c0225 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml @@ -1,38 +1,45 @@ Ping: - ai_description: >- - ### General Description - - Verifies connectivity to the Cybersixgill Darkfeed API. This action is used to - validate that the provided credentials (Client ID and Client Secret) are correct - and that the Google SecOps environment can successfully communicate with the Cybersixgill - service. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action is a standard connectivity test and does not process any entities - or modify any data. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration's configuration settings. - - 2. **Client Initialization**: It initializes the `SixgillEnrichManager` with the - retrieved credentials. - - 3. **Authentication Check**: The manager attempts to create a Sixgill client and - requests an access token via the `get_access_token` method. - - 4. **Result Reporting**: If the token is successfully retrieved, the action completes - with a success message. If an error occurs during the process, an exception is - raised, indicating a connection failure. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') to verify credentials against the + Cybersixgill API. It does not perform any of the listed functional operations + (enrichment, containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Tests connectivity to the Cybersixgill service by validating the\ + \ provided API credentials. \n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| --- | --- | --- | --- |\n| Client Id | String | Yes | The\ + \ Client ID for Cybersixgill authentication. |\n| Client Secret | String | Yes\ + \ | The Client Secret for Cybersixgill authentication. |\n\n### Flow Description\n\ + 1. Extract the `Client Id` and `Client Secret` from the integration configuration.\n\ + 2. Initialize the `SixgillEnrichManager` with the provided credentials.\n3. Attempt\ + \ to authenticate with the Cybersixgill API to retrieve an access token.\n4. Return\ + \ the connection status and a success/failure message." capabilities: can_create_case_comments: false can_create_insight: false @@ -43,8 +50,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to verify API credentials. It + does not fetch data for entities, mutate external systems, or modify internal + SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -60,3 +74,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..64afb9c62 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,55 @@ +Cybersixgill - Darkfeed Connector: + ai_description: >- + ### General Description + + The Cybersixgill Darkfeed Connector integrates Google SecOps SOAR with the Cybersixgill + Darkfeed service. It automatically ingests real-time threat intelligence, specifically + malicious indicators of compromise (IOCs) such as domains, URLs, file hashes, + and IP addresses. By fetching these indicators, the connector enables organizations + to preemptively identify and block threats identified on the deep and dark web. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the script. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Client Secret | Password | Yes | The secret key for Cybersixgill API authentication. + | + + | Client Id | String | Yes | The Client ID for Cybersixgill API authentication. + | + + | Alerts Limit | Integer | Yes | The maximum number of alerts to be ingested into + the platform per run. | + + + ### Flow Description + + 1. The connector initializes the connection to the Cybersixgill Darkfeed API using + the provided Client ID and Client Secret. + + 2. It queries the Darkfeed stream to retrieve a bundle of threat intelligence + records. + + 3. The retrieved records are filtered to ensure only valid indicators are processed + and that revoked items are ignored. + + 4. For each valid indicator, the connector parses the pattern data using regex + to extract specific IOC types (File Hashes, URLs, Domains, IP addresses). + + 5. It maps the indicator data into a standardized SOAR Alert format, including + metadata such as threat actor, confidence score, severity, and MITRE ATT&CK mapping. + + 6. The processed alerts are ingested into the SOAR platform, and the connector + commits the indicators to the Cybersixgill client. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f3e045257 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Cybersixgill Darkfeed integration is a dedicated threat intelligence feed. + Its primary function, as described in the connector metadata, is to ingest real-time + malicious indicators of compromise (IOCs) such as domains, URLs, file hashes, + and IP addresses from the deep and dark web into the SOAR platform. This directly + aligns with the Threat Intelligence category, which focuses on providing reputation + data and IOCs to confirm alerts. It does not perform SIEM log analysis, EDR host-level + containment, network gateway blocking, or identity management, and therefore does + not qualify for those categories. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml index 3da7a9b58..e5dcf961c 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml @@ -1,56 +1,55 @@ Enrich Actor: - ai_description: >- - ### General Description - - Enriches **Threat Actor** entities using Cybersixgill Darkfeed intelligence. This - action retrieves comprehensive data regarding a threat actor's activities in the - underground, including IOCs shared within the last 90 days, their primary areas - of activity, preferred targets, and utilized techniques. The retrieved data is - used to update entity attributes, provide detailed insights, and populate data - tables within the case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The API Client ID used to authenticate with the Cybersixgill - service. | - - | Client Secret | String | Yes | The API Client Secret used to authenticate with - the Cybersixgill service. | - - - ### Flow Description - - 1. **Authentication**: Extracts the Client ID and Client Secret from the integration - configuration to initialize the Cybersixgill manager. - - 2. **Entity Filtering**: Identifies all entities of type `THREATACTOR` within - the current alert context. - - 3. **Data Retrieval**: Queries the Cybersixgill API for each identified threat - actor to fetch enrichment data and associated indicators. - - 4. **Entity Enrichment**: Updates the entity's status to `is_enriched` and `is_suspicious`. - It also populates the entity's `additional_properties` with metadata such as description, - feed name, source, actor details, confidence, and severity. - - 5. **Insight Generation**: Creates a detailed case insight for each actor, summarizing - the intelligence found. - - 6. **Data Visualization**: Adds a data table to the entity containing structured - records of the actor's activity and provides external links to the Cybersixgill - portal and other sources like VirusTotal or MITRE ATT&CK. - - - ### Additional Notes - - This action specifically targets the `THREATACTOR` entity type. While the underlying - processor supports other types, this specific action script restricts processing - to threat actors only. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (attribution, techniques, activity) + for a Threat Actor. This aligns with the 'Enrich IOC' category, which covers + returning threat intelligence for indicators. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches Threat Actor entities using the Cybersixgill Darkfeed\ + \ Enrichment integration. This action retrieves detailed threat intelligence,\ + \ including associated IOCs, areas of activity, target preferences, and techniques\ + \ used by the actor over the last 90 days. \n\n### Flow Description\n1. The action\ + \ initializes the Sixgill client using the provided credentials.\n2. It iterates\ + \ through the target entities, specifically filtering for `THREATACTOR` types.\n\ + 3. For each entity, it queries the Sixgill API to retrieve actor-specific intelligence.\n\ + 4. If data is found, it updates the entity's properties (e.g., `is_enriched`,\ + \ `is_suspicious`, and `additional_properties`) within the SOAR platform.\n5.\ + \ It generates a detailed entity table and a case insight containing the retrieved\ + \ intelligence, including VirusTotal and MITRE ATT&CK references.\n6. Finally,\ + \ it updates the entities and adds the results to the case.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Client Id | String | Yes | The Client ID for authenticating with the Sixgill\ + \ API. |\n| Client Secret | String | Yes | The Client Secret for authenticating\ + \ with the Sixgill API. |\n\n### Additional Notes\nThis action is specifically\ + \ designed to process `THREATACTOR` entities. While the underlying processor supports\ + \ other entity types, this specific action implementation restricts processing\ + \ to `THREATACTOR` only." capabilities: can_create_case_comments: false can_create_insight: true @@ -61,11 +60,19 @@ Enrich Actor: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_enriched, is_suspicious), populates - additional properties with threat intelligence, creates case insights, and adds - data tables and external links to the entities. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and entity tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the Sixgill API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + performs internal mutations by updating entity properties, creating case insights, + and adding entity tables (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Sixgill) and performs allowed + internal mutations (updating entities, creating insights). It does not mutate + external systems, making it a valid enrichment action. entity_usage: entity_types: - THREATACTOR @@ -82,58 +89,67 @@ Enrich Actor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `THREATACTOR` entities as defined in the `main` function of the script. Enrich Domain: - ai_description: >- - ### General Description - - Enriches Hostname (Domain) entities using Cybersixgill Darkfeed threat intelligence. - This action identifies if a domain is associated with compromised sites or is - for sale on the dark web, providing critical context for security investigations. - It retrieves detailed threat indicators, including feed names, actors, severity, - and confidence scores, and maps them to the entity's profile in Google SecOps. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The Client ID for the Cybersixgill API, configured - at the integration level. | - - | Client Secret | String | Yes | The Client Secret for the Cybersixgill API, configured - at the integration level. | - - - ### Additional Notes - - There are no action-specific parameters; the action relies on integration-level - configuration. It automatically marks entities as suspicious and enriched if threat - data is found. It also parses STIX patterns to identify related file hashes (MD5, - SHA-1, SHA-256) and integrates external references from VirusTotal and MITRE ATT&CK - where available. - - - ### Flow Description - - 1. **Credential Retrieval**: Extracts the Client ID and Client Secret from the - integration configuration. - - 2. **Entity Filtering**: Identifies Hostname entities from the target entities - list. - - 3. **API Query**: Queries the Cybersixgill Darkfeed API for each identified Hostname - to retrieve enrichment indicators. - - 4. **Data Processing**: If enrichment data is found, the action: - * Marks the entity as 'Enriched' and 'Suspicious'. - * Updates the entity's additional properties with threat details such as Feed - Name, Source, Actor, Severity, and Confidence. - * Parses STIX patterns within the results to find and map related file hashes. - 5. **Output Generation**: Creates a detailed case insight and an entity table - containing the full threat context. It also adds external links to the Cybersixgill - portal and relevant third-party sources like VirusTotal or MITRE ATT&CK. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, feed data, actor info) + for a domain (IOC). This aligns with the 'Enrich IOC' category. It does not + perform asset-specific metadata retrieval (Enrich Asset), nor does it perform + any containment or ticketing actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Enrich Domain** action leverages\ + \ the Cybersixgill Darkfeed Enrichment integration to gather threat intelligence\ + \ regarding domain entities. It queries the Sixgill API to identify if a domain\ + \ is associated with compromised sites, dark web activity, or other malicious\ + \ indicators. The action retrieves detailed threat data, including feed names,\ + \ actor information, confidence scores, severity levels, and associated MITRE\ + \ ATT&CK techniques.\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the `SixgillEnrichManager` using the provided client credentials.\n\ + 2. **Entity Processing**: It iterates through the target entities, specifically\ + \ filtering for `HOSTNAME` types.\n3. **Data Retrieval**: For each valid domain,\ + \ it queries the Sixgill API to fetch relevant threat intelligence.\n4. **Enrichment**:\ + \ \n - Updates the entity's `is_enriched` and `is_suspicious` status.\n -\ + \ Populates the entity's `additional_properties` with retrieved threat data (e.g.,\ + \ feed source, confidence, severity).\n - Updates the entity within the SOAR\ + \ platform.\n5. **Reporting**: \n - Generates a case insight containing the\ + \ detailed threat report.\n - Adds a data table to the entity's result view.\n\ + \ - Attaches the raw JSON response to the action results.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Client Id | String | Yes | The Client ID used to authenticate\ + \ with the Cybersixgill API. |\n| Client Secret | String | Yes | The Client Secret\ + \ used to authenticate with the Cybersixgill API. |\n\n### Additional Notes\n\ + This action is specifically configured to process `HOSTNAME` entities. While the\ + \ underlying processor supports other types (IP, Hash, URL, Actor), this specific\ + \ action implementation restricts execution to domains." capabilities: can_create_case_comments: false can_create_insight: true @@ -145,9 +161,21 @@ Enrich Domain: fetches_data: true internal_data_mutation_explanation: >- Updates entity attributes (is_enriched, is_suspicious, additional_properties) - and creates case insights, entity tables, and entity links within Google SecOps. + and creates case insights and data tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the external Sixgill API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties), creating case insights, and adding data tables to the + SOAR case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to retrieve threat intelligence for domain entities and + update the SOAR platform with this context. It does not modify external systems + or perform containment. It meets the criteria for an enrichment action as it + fetches data and only performs allowed internal mutations (updating entities + and creating insights). entity_usage: entity_types: - HOSTNAME @@ -164,57 +192,62 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `HOSTNAME` entities via the `sixgill_process.entity_data([EntityTypes.HOSTNAME])` + and `sixgill_process.enrich([EntityTypes.HOSTNAME])` calls in the main script. Enrich Hash: - ai_description: >- - ### General Description - - Enriches File Hash entities using Cybersixgill Darkfeed threat intelligence. This - action proactively analyzes and investigates malware hashes as they emerge on - the dark web, providing context even for malware undetected by traditional antivirus - vendors. It retrieves comprehensive metadata, including actor information, severity, - confidence scores, and cross-references with VirusTotal and MITRE ATT&CK. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The API Client ID for Cybersixgill authentication. - | - - | Client Secret | String | Yes | The API Client Secret for Cybersixgill authentication. - | - - - ### Additional Notes - - This action specifically targets `FILEHASH` entities. It automatically marks enriched - entities as suspicious if threat data is found in the Cybersixgill database. - - - ### Flow Description - - 1. **Authentication**: Initializes the Cybersixgill manager using the provided - Client ID and Secret. - - 2. **Entity Identification**: Filters the target entities to identify all `FILEHASH` - objects. - - 3. **Threat Intelligence Query**: For each hash, it queries the Cybersixgill Darkfeed - API for matching indicators. - - 4. **Internal Data Mutation**: If a match is found, the action updates the entity's - `is_enriched` and `is_suspicious` flags and populates its `additional_properties` - with detailed threat metadata. - - 5. **Insight Generation**: Creates a detailed Case Insight summarizing the findings, - including feed names, actor details, and severity. - - 6. **Contextual Enrichment**: Adds a data table to the entity, attaches raw JSON - results, and provides external links to the Cybersixgill Portal, VirusTotal, and - MITRE ATT&CK documentation. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, actor, MITRE mappings) + for file hashes, which directly matches the 'Enrich IOC' category. It does not + perform asset enrichment, ticket management, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches File Hash entities using Cybersixgill Darkfeed intelligence.\ + \ This action proactively investigates malware hashes by querying the Sixgill\ + \ platform for associated threat intelligence, including actor information, feed\ + \ sources, and MITRE ATT&CK mappings. \n\n### Flow Description\n1. **Authentication**:\ + \ Extracts the Client ID and Client Secret from the integration configuration.\n\ + 2. **Entity Processing**: Iterates through the target entities, specifically filtering\ + \ for `FILEHASH` types.\n3. **Data Retrieval**: Queries the Sixgill API for threat\ + \ intelligence related to the hash.\n4. **Internal Update**: Updates the entity's\ + \ profile in Google SecOps by setting `is_enriched` and `is_suspicious` flags\ + \ to true, and populating `additional_properties` with retrieved metadata.\n5.\ + \ **Insight Generation**: Creates a case insight containing the detailed threat\ + \ report, including VirusTotal reputation data and MITRE ATT&CK tactics/techniques,\ + \ and adds a data table to the action results.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client\ + \ Id | String | Yes | The Client ID for authenticating with the Cybersixgill API.\ + \ |\n| Client Secret | String | Yes | The Client Secret for authenticating with\ + \ the Cybersixgill API. |\n\n### Additional Notes\nThis action is strictly for\ + \ enrichment and does not perform any external mutations (e.g., blocking or containment).\ + \ It specifically targets `FILEHASH` entities." capabilities: can_create_case_comments: false can_create_insight: true @@ -225,10 +258,19 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_enriched, is_suspicious, additional_properties) - and creates case insights based on the retrieved threat intelligence from Cybersixgill. + Updates entity attributes (is_enriched, is_suspicious, additional_properties) + and creates case insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from the Sixgill API (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action retrieves threat intelligence data from an external source (Sixgill) + and updates internal SOAR entities and insights without modifying external systems. + This aligns with the definition of an enrichment action. entity_usage: entity_types: - FILEHASH @@ -245,31 +287,62 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and is explicitly configured + in the main script (`EnrichHash.py`) to process only `FILEHASH` entities. Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using Cybersixgill\ - \ Darkfeed threat intelligence. This action identifies malicious IP addresses\ - \ associated with Command and Control (C&C) servers, botnets, DDoS attacks, proxy\ - \ anonymization, and compromised RDP addresses. It provides deep context by retrieving\ - \ feed names, actor information, confidence scores, and severity levels, while\ - \ also integrating external references from VirusTotal and MITRE ATT&CK.\n\n###\ - \ Parameters Description\n| Parameter Name | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Client Id | String | Yes | The Client ID for\ - \ authenticating with the Cybersixgill API. |\n| Client Secret | String | Yes\ - \ | The Client Secret for authenticating with the Cybersixgill API. |\n\n### Flow\ - \ Description\n1. **Authentication**: Initializes the Cybersixgill manager using\ - \ the provided Client ID and Client Secret.\n2. **Entity Filtering**: Identifies\ - \ all IP Address entities within the current context.\n3. **Data Retrieval**:\ - \ Queries the Cybersixgill Darkfeed API for each IP address to retrieve threat\ - \ indicators and metadata.\n4. **Internal Enrichment**: \n * Marks the entity\ - \ as 'Enriched' and 'Suspicious'.\n * Populates entity attributes with detailed\ - \ metadata (e.g., Feed Name, Actor, Confidence, Severity).\n * Parses STIX\ - \ patterns to identify related file hashes (MD5, SHA-1, SHA-256).\n5. **Reporting**:\ - \ \n * Creates a detailed Case Insight for each entity containing the threat\ - \ analysis.\n * Adds a data table to the entity with structured enrichment\ - \ results.\n * Attaches external links to the entity for the Cybersixgill Portal,\ - \ VirusTotal, and MITRE ATT&CK documentation.\n6. **Finalization**: Updates the\ - \ entities in the Google SecOps platform and returns a summary of processed, missing,\ - \ or failed entities." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for IOCs (IPs, Hashes, URLs) and assets + (Hostnames), which aligns with both 'Enrich IOC' and 'Enrich Asset' categories. + It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches various entity types\ + \ (IP Address, Hostname, FileHash, URL, and ThreatActor) using the Cybersixgill\ + \ Darkfeed intelligence platform. It retrieves threat intelligence, including\ + \ malware associations, actor information, and MITRE ATT&CK mappings, to provide\ + \ context for security investigations.\n\n### Parameters\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client Id | String\ + \ | Yes | The Client ID used to authenticate with the Cybersixgill API. |\n| Client\ + \ Secret | String | Yes | The Client Secret used to authenticate with the Cybersixgill\ + \ API. |\n\n### Flow Description\n1. **Authentication**: The action extracts the\ + \ `Client Id` and `Client Secret` from the integration configuration to initialize\ + \ the `SixgillEnrichManager`.\n2. **Entity Iteration**: The action iterates through\ + \ all `target_entities` provided in the case.\n3. **Filtering**: It filters entities\ + \ based on supported types: `ADDRESS`, `HOSTNAME`, `FILEHASH`, `URL`, and `THREATACTOR`.\n\ + 4. **Data Retrieval**: For each valid entity, it queries the Cybersixgill API\ + \ to fetch relevant threat intelligence.\n5. **Internal Update**: \n - Updates\ + \ the entity's `is_enriched` and `is_suspicious` flags.\n - Populates the entity's\ + \ `additional_properties` with detailed Sixgill data.\n - Creates a case insight\ + \ containing the enriched data.\n - Adds an entity table to the SOAR platform\ + \ for quick reference.\n6. **Finalization**: Updates the entities in the SOAR\ + \ platform and returns the execution status." capabilities: can_create_case_comments: false can_create_insight: true @@ -281,13 +354,27 @@ Enrich IP: fetches_data: true internal_data_mutation_explanation: >- Updates entity attributes (is_enriched, is_suspicious, additional_properties), - creates case insights, adds entity tables, and adds entity links within Google - SecOps. + creates case insights, and adds entity tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the external Cybersixgill API + (fetches_data=true). It does not perform any actions that change the state of + external systems (can_mutate_external_data=false). It performs internal mutations + by updating entity attributes, creating case insights, and adding entity tables + (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to retrieve supplemental context (threat intelligence) + for entities. It does not mutate external systems and only performs allowed + internal mutations (updating entities and creating insights). Therefore, it + qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS + - FILEHASH + - HOSTNAME + - THREATACTOR + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -301,60 +388,83 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + them by type (`HOSTNAME`, `FILEHASH`, `ADDRESS`, `URL`, `THREATACTOR`) before + performing enrichment queries. Enrich URL: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for URLs, which aligns with the 'Enrich + IOC' category. It does not perform any containment, ticketing, or alert modification + actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches URL entities using Cybersixgill Darkfeed threat intelligence. This action - identifies, investigates, and retrieves context for URLs that have been shared - or hosted on underground file-sharing and paste sites. It provides deep visibility - into the dark web context of a URL, including associated actors, feed sources, - and severity levels. + This action enriches URL entities using the Cybersixgill Darkfeed platform. It + retrieves threat intelligence, including feed information, actor details, and + associated MITRE ATT&CK tactics, to provide context for URLs identified in alerts. + The action updates the entity's profile with enriched data and suspicious status, + and generates case insights for analysts. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill + | Client Id | String | Yes | The Client ID used to authenticate with the Cybersixgill API. | - | Client Secret | String | Yes | The Client Secret for authenticating with the + | Client Secret | String | Yes | The Client Secret used to authenticate with the Cybersixgill API. | - ### Additional Notes - - * This action automatically marks enriched entities as **suspicious** and **enriched** - within the Google SecOps environment if data is found. - - * It integrates external references from VirusTotal and MITRE ATT&CK when available - in the Cybersixgill data. - - ### Flow Description - 1. **Configuration Extraction:** Retrieves the Cybersixgill API credentials from - the integration settings. + 1. **Authentication**: The action extracts the `Client Id` and `Client Secret` + from the integration configuration to authenticate with the Sixgill API. - 2. **Entity Filtering:** Identifies all URL entities within the current alert - context. + 2. **Data Retrieval**: It queries the Sixgill Darkfeed service for intelligence + related to the provided URL entities. - 3. **Threat Intelligence Retrieval:** For each URL, it queries the Cybersixgill - Darkfeed API to find matches in underground sources. + 3. **Processing**: The action parses the returned data, extracting relevant fields + such as feed name, source, actor, confidence, severity, and external references + (VirusTotal, MITRE ATT&CK). - 4. **Entity Enrichment:** If data is found, it updates the entity's additional - properties with metadata such as the Sixgill Feed Name, Source, Actor, Confidence, - and Severity. + 4. **Entity Update**: It updates the entity's `is_enriched` and `is_suspicious` + flags and populates `additional_properties` with the retrieved intelligence. - 5. **Insight Generation:** Creates a detailed Case Insight containing a summary - of the threat intelligence and external references. - - 6. **Data Visualization:** Adds a data table to the entity and attaches external - links (e.g., to the Cybersixgill Portal, VirusTotal, or MITRE ATT&CK) for further - investigation. + 5. **Reporting**: It creates a case insight containing the detailed intelligence + and adds a data table to the action results for the analyst to review. capabilities: can_create_case_comments: false can_create_insight: true @@ -365,13 +475,24 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with Cybersixgill threat intelligence, marks entities - as suspicious and enriched, adds data tables, creates case insights, and attaches - external links for further investigation. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights within the SOAR platform. + reasoning: >- + The action fetches threat intelligence from the Sixgill API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence and enrich entities without + modifying external systems. It updates internal entity data and creates insights, + which is permitted under the enrichment criteria. entity_usage: entity_types: + - DESTINATIONDOMAIN + - DOMAIN + - SOURCEDOMAIN - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false @@ -386,53 +507,68 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action explicitly filters and processes only URL entities as defined in + the EnrichUrl.py script, which passes [EntityTypes.URL] to the processing methods. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + operations such as enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Cybersixgill Darkfeed Enrichment service. - Its primary purpose is to ensure that the provided API credentials (Client ID - and Client Secret) are valid and that the network path to the Cybersixgill API - is open. - - - ### Parameters Description - - This action does not require any user-provided input parameters at runtime. It - relies entirely on the integration's global configuration settings. - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action uses no runtime parameters. | - + Tests connectivity to the Cybersixgill Darkfeed Enrichment service. This action + verifies that the provided API credentials are valid by performing a test query + against the Sixgill API. It does not process any entities or modify system state. - ### Additional Notes - - This action uses a hardcoded IP address (8.8.8.8) to perform a test enrichment - query to validate the API connection. + ### Parameters - - It is typically used during the initial setup of the integration or for troubleshooting - communication issues. + There are no parameters for this action. ### Flow Description - 1. **Credential Retrieval**: The action extracts the `Client Id` and `Client Secret` - from the integration's configuration parameters. + 1. **Configuration Extraction**: The action extracts the `Client Id` and `Client + Secret` from the integration configuration. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` and the - `SixgillActionResultProcessor` using the retrieved credentials. + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using + the extracted credentials. - 3. **Connectivity Test**: The processor attempts to create a Cybersixgill client - and executes a test enrichment call for the IP `8.8.8.8`. + 3. **Connectivity Test**: The action invokes the `test_connectivity` method, which + performs a sample enrichment query (`enrich_ioc`) against the Sixgill API using + a dummy IP address (`8.8.8.8`). - 4. **Status Reporting**: If the API call is successful, the action returns a success - message. If an exception occurs (e.g., authentication failure or network timeout), - it logs the error and returns a failure status. + 4. **Result Reporting**: The action returns the connectivity status (success or + failure) and a corresponding message to the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -443,8 +579,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by calling the external API. It does + not modify external systems, update entities, or create insights. It fetches + data only for the purpose of verifying credentials. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the instructions, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -460,3 +603,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test + that does not iterate over the `target_entities` list. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..38cb308cb --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The cybersixgill_darkfeed_enrichment integration is designed to provide threat + intelligence context for various indicators of compromise (IOCs). Its primary + actions (Enrich Actor, Enrich Domain, Enrich Hash, Enrich IP, Enrich URL) all + focus on fetching external threat data (reputation, actor details, MITRE mappings) + and updating internal SOAR entities with this information. It does not perform + SIEM log analysis, EDR host containment, network security blocking, email management, + IAM operations, cloud resource management, ITSM ticketing, vulnerability scanning, + asset inventory lookups, or collaboration/notification tasks. Therefore, it is + exclusively classified under the Threat Intelligence category. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml index b1721c2ad..51c3bb490 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml @@ -1,46 +1,69 @@ Enrich CVE: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (DVE scores, exploitability) for CVE + entities, which aligns with the 'Enrich IOC' category as it provides context + for a vulnerability indicator. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Enriches CVE entities using the Cybersixgill Dynamic Vulnerability Exploit (DVE) + intelligence service. This action retrieves comprehensive vulnerability data, + including DVE scores, exploitability probabilities, and NVD details, to help analysts + prioritize remediation efforts. - Enriches CVE entities using Cybersixgill's Dynamic Vulnerability Exploit (DVE) - Score. This action provides deep visibility into vulnerabilities by retrieving - real-time threat intelligence from the deep and dark web, including DVE scores, - trending status, and proof-of-concept (POC) details. It helps security teams prioritize - critical vulnerabilities based on actual exploitation risk rather than static - scores alone. + ### Flow - ### Parameters - - | Parameter | Type | Mandatory | Description | + 1. The action retrieves the configured Cybersixgill `Client Id` and `Client Secret`. - | :--- | :--- | :--- | :--- | + 2. It iterates through the provided `CVE` entities. - | Client Id | String | Yes | The Client ID for Cybersixgill API authentication. - | + 3. For each entity, it queries the Cybersixgill API to fetch the latest DVE intelligence. - | Client Secret | String | Yes | The Client Secret for Cybersixgill API authentication. - | + 4. It updates the entity's `additional_properties` with the retrieved data and + marks the entity as enriched. + 5. It generates a case insight and an entity table containing the vulnerability + details and adds them to the SOAR case. - ### Flow Description - 1. **Authentication:** Retrieves API credentials (Client ID and Secret) from the - integration configuration. - - 2. **Entity Filtering:** Identifies CVE entities within the current context. + ### Parameters - 3. **Data Retrieval:** Queries the Cybersixgill API for each CVE to fetch DVE - scores and associated metadata (NVD links, CVSS scores, exploitability probability). + | Parameter | Type | Mandatory | Description | - 4. **Internal Enrichment:** Updates the entity's additional properties with the - retrieved data and marks the entity as enriched. + | :--- | :--- | :--- | :--- | - 5. **Insight Generation:** Creates a detailed case insight for each CVE containing - a summary of the threat intelligence. + | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill + API. | - 6. **Data Visualization:** Adds a structured data table to the entity results - for easy review of vulnerability details. + | Client Secret | String | Yes | The Client Secret for authenticating with the + Cybersixgill API. | capabilities: can_create_case_comments: false can_create_insight: true @@ -51,10 +74,17 @@ Enrich CVE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity properties with Cybersixgill DVE scores and metadata, and creates - case insights for the enriched CVEs. + Updates entity properties and adds insights/tables to the case. + reasoning: >- + The action fetches external threat intelligence (DVE scores) for CVE entities. + It updates the entity's internal properties and creates case insights and tables. + It does not perform any external mutations. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Cybersixgill) and performs + allowed internal mutations (updating entities, creating insights). It does not + mutate external systems. Therefore, it is classified as an enrichment action. entity_usage: entity_types: - CVE @@ -71,43 +101,80 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == EntityTypes.CVE`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') used to verify authentication credentials + with the Cybersixgill API. It does not perform any enrichment, containment, + or other operational tasks defined in the product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + ### General description + + Tests connectivity to the Cybersixgill API. This action validates the provided + Client ID and Client Secret by attempting to retrieve an access token from the + Cybersixgill service. It returns a success or failure status based on the ability + to authenticate. + + + ### Parameters description + + | Parameter | Type | Mandatory | Description | - The Ping action is a diagnostic utility designed to verify the connectivity between - Google SecOps and the Cybersixgill DVE Enrichment service. Its primary purpose - is to ensure that the provided API credentials (Client ID and Client Secret) are - valid and that the network path to the Cybersixgill API is open. + | --- | --- | --- | --- | + | Client Id | String | Yes | The Client ID for authentication with the Cybersixgill + API. | - ### Parameters Description + | Client Secret | String | Yes | The Client Secret for authentication with the + Cybersixgill API. | - There are no input parameters for this action. It relies entirely on the global - integration configuration for authentication. + ### Additional notes - ### Additional Notes + None. - This action is typically used during the initial setup of the integration or for - troubleshooting authentication issues. It does not process entities or modify - any data within the SOAR or the external system. + ### Flow description - ### Flow Description + 1. Extract Client ID and Client Secret from configuration. - 1. **Configuration Extraction**: The action retrieves the 'Client Id' and 'Client - Secret' from the integration's global settings. + 2. Initialize the SixgillEnrichManager. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` with - the extracted credentials. + 3. Call test_connectivity(). - 3. **Connectivity Test**: The manager attempts to obtain an access token from - the Cybersixgill API using the `SixgillBaseClient`. + 4. Attempt to retrieve an access token using the provided credentials. - 4. **Result Reporting**: If the token is successfully retrieved, the action returns - a success status. If an exception occurs (e.g., invalid credentials or network - timeout), it returns a failure status with the error details. + 5. Return success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -118,8 +185,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + Cybersixgill API. It does not fetch contextual data, mutate external or internal + data, or interact with entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. It does not fetch contextual data about entities or alerts, nor does + it mutate any systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -135,3 +210,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..1dc1a76a1 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration is designed to enrich CVE entities with threat intelligence data, + specifically DVE scores and exploitability metrics from Cybersixgill. This functionality + directly aligns with the Threat Intelligence category, as it provides risk context + for vulnerability indicators. Additionally, the integration is explicitly focused + on helping analysts prioritize CVEs based on real-world exploitability, which + fits the Vulnerability Management category's goal of assessing the impact and + risk of vulnerabilities. It does not perform functions related to SIEM, EDR, Network + Security, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration. + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml index 9c4d9a81c..1b3e66ca6 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml @@ -1,54 +1,65 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any functional + operations like enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity and - authentication configuration between Google SecOps and the Cybersixgill platform. - Its primary purpose is to ensure that the provided API credentials (Client ID - and Client Secret) are valid and that the SecOps environment can successfully - communicate with the Cybersixgill API. + Verifies connectivity to the Cybersixgill service by authenticating with the provided + credentials. This action ensures that the integration is correctly configured + and can communicate with the Cybersixgill API. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Client Id** | String | Yes | The unique identifier for the Cybersixgill API - account, configured at the integration level. | + | Client Id | String | Yes | The client ID for Cybersixgill authentication. | - | **Client Secret** | String | Yes | The secret key associated with the Cybersixgill - API account, configured at the integration level. | - - - *Note: This action does not have specific runtime parameters; it relies entirely - on the integration's global configuration.* - - - ### Additional Notes - - - This action is typically used during the initial setup of the Cybersixgill integration - or for troubleshooting connection issues. - - - It does not process any entities or modify any data within Google SecOps or - Cybersixgill. + | Client Secret | String | Yes | The client secret for Cybersixgill authentication. + | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the `Client Id` and `Client - Secret` from the integration's configuration settings. + 1. Extract `Client Id` and `Client Secret` from the integration configuration. - 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` using - the extracted credentials. + 2. Initialize the `SixgillEnrichManager` with these credentials. - 3. **Connectivity Test:** The manager attempts to create a `SixgillBaseClient` - and requests an access token from the Cybersixgill authentication endpoint. + 3. Attempt to create a `SixgillBaseClient` and retrieve an access token to validate + the connection. - 4. **Result Reporting:** If an access token is successfully retrieved, the action - returns a success status and message. If the authentication fails or a network - error occurs, an exception is raised, and the action reports a failure. + 4. Return the connection status to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +70,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to the Cybersixgill API. It + does not fetch contextual data for entities, nor does it mutate any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the guidelines, Ping actions are + explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,3 +94,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..53ebd07bf --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,53 @@ +Cybersixgill - DVE Connector: + ai_description: >- + ### General Description + + The Cybersixgill DVE Connector integrates with the Cybersixgill Dynamic Vulnerability + Exploit (DVE) feed to ingest vulnerability intelligence into Google SecOps. It + retrieves real-time data regarding CVEs, including DVE scores, exploitability + status, and NVD details, allowing security teams to track and prioritize vulnerabilities + based on actual threat actor intent and exploit probability. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the script. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Client Secret | Password | Yes | The secret key for Cybersixgill API authentication. + | + + | Client Id | String | Yes | The client ID for Cybersixgill API authentication. + | + + | Alerts Limit | Integer | Yes | The maximum number of alerts to be ingested into + the platform per run. | + + + ### Flow Description + + 1. The connector initializes the connection to the Cybersixgill API using the + provided Client ID and Client Secret. + + 2. It queries the DVE feed stream to retrieve a bundle of vulnerability records. + + 3. The retrieved records are filtered to identify valid indicators. + + 4. For each indicator, the connector maps the data into a structured alert format, + including critical fields like DVE scores, CVSS metrics, and NVD publication details. + + 5. The connector commits the processed indicators to the Cybersixgill feed to + acknowledge receipt. + + 6. Finally, the aggregated alerts are ingested into Google SecOps for further + analysis and response. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..136e05a45 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The cybersixgill_dve_feed integration is primarily designed to ingest vulnerability + intelligence, specifically Dynamic Vulnerability Exploit (DVE) scores, CVE data, + and exploitability status. This aligns directly with the 'Threat Intelligence' + category, as it provides risk scores and context for vulnerabilities, and the + 'Vulnerability Management' category, as it enables security teams to track and + prioritize vulnerabilities based on threat actor intent and exploit probability. + It does not perform EDR, Network Security, Email Security, IAM, Cloud Security, + ITSM, Asset Inventory, or Collaboration functions. While it ingests data into + Google SecOps, it is not a SIEM integration in the context of log analysis or + IOC searching, but rather a specialized intelligence feed. + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml index 956084b4c..599f54fe1 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml @@ -1,50 +1,68 @@ Get Beautiful Metric: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs statistical calculations on a provided dataset. It does + not match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.) as it is a pure data processing utility. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Beautiful Metric** action is a data processing utility designed to analyze - and summarize DataDog metric timeseries data. Instead of fetching data directly - from the DataDog API, this action takes a JSON-formatted series of data points - as input and performs statistical calculations to provide a clear overview of - the metric's behavior over a specific time range. + Processes a provided timeseries metric dataset to calculate statistical summaries. + This action takes a JSON-formatted series object as input, extracts the raw metric + values, and computes the sum, average, minimum, and maximum values. The resulting + statistical analysis is returned as a JSON object for further use in the playbook. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Series** | Code (JSON) | Yes | A JSON string containing the DataDog timeseries - data. It must include a `pointlist` (list of [timestamp, value] pairs), `start` - and `end` timestamps, and metadata like `unit` and `aggr`. | + | Series | code | Yes | The timeseries points you want to analyze, provided as + a JSON object. | ### Flow Description - 1. **Input Parsing**: The action extracts the `Series` parameter and parses it - from a JSON string into a Python dictionary. + 1. The action extracts the 'Series' parameter, which is expected to be a JSON + string containing a 'pointlist' of metric values. - 2. **Validation**: It verifies the presence of the `pointlist` key to ensure the - input is valid for analysis. + 2. It parses the JSON input and validates the presence of the 'pointlist'. - 3. **Statistical Analysis**: The script iterates through the `pointlist`, extracting - the raw metric values. It then calculates the **Sum**, **Average**, **Minimum**, - and **Maximum** values for the dataset. + 3. It iterates through the 'pointlist' to extract raw metric values. - 4. **Result Construction**: It compiles these statistics along with the original - metadata (unit, aggregation type, time range, and expression) into a structured - JSON object. - - 5. **Output**: The final analysis is attached to the action's JSON results for - use in subsequent playbook steps. + 4. It calculates the sum, average, minimum, and maximum of these values. + 5. It constructs a result JSON containing the calculated statistics, the unit, + aggregation type, and the original timeseries data. - ### Additional Notes - - * This action does not make external API calls. It processes data provided in - the `Series` parameter, which is typically output by a preceding DataDog "Get - Metrics" or "Query Metrics" action. + 6. The final result is added to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,8 +73,18 @@ Get Beautiful Metric: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local statistical calculations (sum, average, min, max) + on a provided JSON input parameter ('Series'). It does not perform any external + API calls, nor does it modify any internal SOAR data or entities. Although a + DataDogManager is instantiated, it is not utilized in the script logic. categories: enrichment: false + reasoning: >- + The action is a data processing utility that calculates statistics on provided + input. It does not fetch data from external sources, nor does it modify any + internal or external systems. Therefore, it does not meet the criteria for an + Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -72,22 +100,76 @@ Get Beautiful Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any entity-specific + logic. It operates solely on the provided 'Series' input parameter. Get Event Details: - ai_description: "### General Description\nRetrieves detailed information about a\ - \ specific event from DataDog using its unique Event ID. This action allows users\ - \ to fetch the full context of a DataDog event, including its message, tags, priority,\ - \ and metadata, by querying the DataDog API directly.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Event ID | string | Yes | The unique identifier of the DataDog event you want\ - \ to retrieve. |\n\n### Flow Description\n1. **Authentication**: The action extracts\ - \ the API Key and APP Key from the integration configuration to authenticate with\ - \ DataDog.\n2. **Input Retrieval**: The action retrieves the `Event ID` provided\ - \ as an input parameter.\n3. **Data Retrieval**: It calls the DataDog API's GET\ - \ events endpoint (`/api/v1/events/{event_id}`) via the `DataDogManager`.\n4.\ - \ **Result Handling**: \n * If the event details are successfully retrieved,\ - \ the data is added to the action's JSON result, and the action completes with\ - \ a success status.\n * If the event cannot be found or the API call fails,\ - \ the action completes with a failure status and an appropriate log message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches specific event details from DataDog. This aligns with the + 'Get Alert Information' category, as it retrieves contextual data about an event/alert + from the third-party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves detailed information for a specific event from DataDog using + the provided Event ID. It is designed to fetch raw event data from the DataDog + platform to assist analysts in investigating specific occurrences. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Event ID | string | Yes | The unique identifier of the event in DataDog to be + retrieved. | + + + ### Flow Description + + 1. The action extracts the required `API Key` and `APP Key` from the integration + configuration. + + 2. It retrieves the `Event ID` from the action parameters. + + 3. The `DataDogManager` is initialized with the provided credentials. + + 4. The action calls the `get_event_details` method to fetch the event data from + DataDog. + + 5. If the event is found, the action logs a success message and attaches the event + details as a JSON result to the action output. + + 6. If the event is not found, the action logs the failure and completes. capabilities: can_create_case_comments: false can_create_insight: false @@ -98,8 +180,17 @@ Get Event Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DataDog API to retrieve event details. + It does not modify any external systems, nor does it update internal SOAR entities, + insights, or case data. It simply returns the fetched data as a JSON result. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform any of the allowed internal + mutations (updating entities, creating insights, or adding comments) required + to be classified as an Enrichment action in the SOAR context. It is a data retrieval + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,15 +206,49 @@ Get Event Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any SOAR entities. It operates + solely based on the provided Event ID parameter. Get Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a collection of historical events from Datadog based on + time and source parameters. This directly aligns with the 'Search Events' category. + It does not perform any other actions like ticketing, blocking, or identity + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves event logs from DataDog based on a specified time range - and filtering criteria. It is designed to fetch historical or real-time event - data from various sources within the DataDog environment, allowing analysts to - review triggered monitors, alerts, or other system events directly within Google - SecOps. + This action retrieves events from Datadog within a specified time range and filter + criteria. It allows users to query Datadog for events based on sources, priority, + and tags, providing visibility into system or monitor activity. ### Parameters Description @@ -132,46 +257,38 @@ Get Events: | :--- | :--- | :--- | :--- | - | Sources | String | Yes | Specifies the sources to retrieve events from (e.g., - 'alert' to see events from triggered monitors). | - - | Start Time | String | Yes | The start time for the event search in Unix timestamp - format. | - - | End Time | String | Yes | The end time for the event search in Unix timestamp - format. | - - | Priority | DDL | No | Filters events by priority level. Options include 'all', - 'normal', or 'low'. Default is 'all'. | + | Sources | string | Yes | The sources to retrieve the events from (e.g., 'alert'). + | - | Tags | String | No | A comma-separated list of tags to filter the events by - scope (e.g., 'monitor'). | + | Start Time | string | Yes | The start time of the events in Unixtime. | - | Unaggregated | Boolean | No | If set to 'true', retrieves the full list of events. - If 'false', retrieves an aggregated list. | + | End Time | string | Yes | The end time of the events in Unixtime. | + | Priority | ddl | No | The priority of the events to retrieve (all, normal, low). + Default is 'all'. | - ### Additional Notes + | Tags | string | No | A comma-separated list of tags that will filter the list + of monitors by scope. Default is 'monitor'. | - This action does not operate on specific entities within the case; instead, it - performs a global search based on the provided time and filter parameters. The - results are returned as a JSON array. + | Unaggregated | boolean | No | True to retrieve the full list of events; False + to retrieve an aggregated list. Default is 'true'. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the API Key and APP Key - from the DataDog integration settings. + 1. **Initialization**: The action extracts the necessary configuration (API Key, + APP Key) and action parameters (Sources, Start Time, End Time, etc.) from the + SecOps environment. - 2. **Parameter Processing:** It extracts the search filters including time range - (Start/End), sources, priority, tags, and aggregation preference. + 2. **Data Retrieval**: It initializes the `DataDogManager` and calls the `get_datadog_events` + method, which performs a GET request to the Datadog API (`/api/v1/events`) with + the provided filters. - 3. **API Interaction:** The action uses the `DataDogManager` to perform a GET - request to the DataDog `/api/v1/events` endpoint with the specified query parameters. + 3. **Result Processing**: The retrieved events are printed to the logs and added + to the action's result JSON. - 4. **Result Handling:** If events are successfully retrieved, they are attached - to the action's JSON results. The action then concludes with a status message - indicating whether data was found. + 4. **Completion**: The action concludes by logging the success or failure of the + retrieval and setting the final output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +299,16 @@ Get Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Datadog API to retrieve event data. + It does not perform any POST/PUT/DELETE operations on external systems, nor + does it modify any internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action retrieves data (events) from an external system. While it fetches + data, it is a general search/retrieval action rather than an enrichment action + specifically designed to augment entity or alert context within the SOAR platform. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,60 +324,83 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any entities. It operates based + on time-based and source-based parameters provided by the user. Get Logs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical logs from Datadog based on search parameters + (namespace and time range). This directly aligns with the 'Search Events' category. + It does not perform any other actions like ticketing, blocking, or identity + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves Kubernetes logs from DataDog for specific namespaces within a defined - time range. This action allows security analysts to gather log data for troubleshooting - or investigation purposes directly from DataDog's log management system. The results - are returned as a JSON object containing the log entries for each requested namespace. + This action retrieves logs from Datadog for specified Kubernetes namespaces within + a defined time range. It allows analysts to query historical log data directly + from Datadog to support investigation and troubleshooting workflows. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Namespace | String | Yes | A comma-separated list of Kubernetes namespaces to - retrieve logs for (e.g., 'name_space1, name_space2'). | - - | Start Time | String | Yes | The start time for the log retrieval in ISO 8601 - format (e.g., '2020-02-02T02:02:02Z'). | - - | End Time | String | Yes | The end time for the log retrieval in ISO 8601 format - (e.g., '2020-02-02T02:02:02Z'). | + | Namespace | string | Yes | The Kubernetes namespace(s) to retrieve logs for. + Multiple namespaces can be provided as a comma-separated list. | + | Start Time | string | Yes | The start time for the log retrieval (e.g., 2020-02-02T02:02:02Z). + | - ### Additional Notes - - - The action uses the DataDog Logs API (`/api/v1/logs-queries/list`) via a POST - request to perform the query. - - - Multiple namespaces can be queried in a single execution by providing them as - a comma-separated string. + | End Time | string | Yes | The end time for the log retrieval (e.g., 2020-02-02T02:02:02Z). + | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the DataDog API Key and - APP Key from the integration's global configuration. + 1. **Initialization**: The action extracts the Datadog API and APP keys from the + integration configuration and retrieves the action parameters (Namespace, Start + Time, End Time). - 2. **Parameter Parsing**: It extracts the target namespaces, start time, and end - time from the action parameters. The namespace string is split into a list for - processing. + 2. **Processing**: The action iterates through the provided list of namespaces. - 3. **Data Retrieval**: For each namespace provided, the action calls the DataDog - manager to fetch logs filtered by the `kube_namespace` tag and the specified time - range. + 3. **Data Retrieval**: For each namespace, it calls the Datadog API (`/api/v1/logs-queries/list`) + to fetch the relevant logs. - 4. **Result Aggregation**: The action checks if logs were returned for each namespace. - If logs exist, they are added to a cumulative JSON result object. + 4. **Result Aggregation**: If logs are found, they are added to a JSON result + object. If no logs are found for a namespace, an error is logged. - 5. **Completion**: The action concludes by providing a summary message of which - namespaces were successfully queried and attaches the aggregated log data to the - action's JSON result. + 5. **Completion**: The action concludes by attaching the aggregated JSON results + to the action output and providing a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -263,8 +411,18 @@ Get Logs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Datadog API to search and retrieve + logs. This is a read-only operation (fetching data). It does not modify any + external systems, nor does it update internal SOAR entities, insights, or case + data. categories: enrichment: false + reasoning: >- + The action is a search/retrieval utility. While it fetches data, it does not + enrich specific entities or alerts within the SOAR platform. It does not meet + the criteria for an Enrichment Action as it is not designed to gather supplemental + context about specific entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -280,55 +438,62 @@ Get Logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It relies entirely + on user-provided parameters (Namespace, Start Time, End Time) to perform its + query. Get Metric Snapshot Graph: - ai_description: >- - ### General Description - - This action retrieves a metric snapshot graph from DataDog based on a specific - metric query and a defined time range. It is primarily used for visual investigation - and monitoring, allowing analysts to see historical metric data directly within - the Google SecOps platform. The action generates a snapshot URL which is then - provided as a clickable link in the case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | String | Yes | The DataDog metric query to visualize. For example: `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`. - | - - | Start Time | String | Yes | The start time for the snapshot graph in Unix timestamp - format (e.g., `1400000470`). | - - | End Time | String | Yes | The end time for the snapshot graph in Unix timestamp - format (e.g., `1610557457`). | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the DataDog API Key and - APP Key from the integration configuration. - - 2. **Parameter Retrieval**: It extracts the user-provided metric query, start - time, and end time. - - 3. **API Interaction**: The action uses the `DataDogManager` to send a GET request - to the DataDog API's `/api/v1/graph/snapshot` endpoint. - - 4. **Result Processing**: If a snapshot is successfully generated, the action - extracts the `snapshot_url` from the response. - - 5. **Output Generation**: The snapshot URL is added as a link to the SOAR case, - and the full JSON response is attached as a result for further use in playbooks. - - - ### Additional Notes - - This action does not process entities; it operates solely on the provided query - string and time parameters. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a metric snapshot graph, which is a form of telemetry data. + This aligns with the 'Search Events' category, which covers retrieving historical + logs or telemetry data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves a metric snapshot\ + \ graph from DataDog for a specified query and time range. It allows analysts\ + \ to visualize metric data directly within the SOAR platform by fetching a snapshot\ + \ URL and the associated JSON data from the DataDog API.\n\n### Parameters\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Query | string | Yes | The metric query to generate the snapshot graph for (e.g.,\ + \ 'avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}').\ + \ |\n| Start Time | string | Yes | The start time of the metric snapshot graph\ + \ in Unixtime. |\n| End Time | string | Yes | The end time of the metric snapshot\ + \ graph in Unixtime. |\n\n### Flow Description\n1. **Extraction**: The action\ + \ extracts the `Query`, `Start Time`, and `End Time` parameters from the action\ + \ configuration.\n2. **Initialization**: It initializes the `DataDogManager` using\ + \ the API and Application keys configured in the integration settings.\n3. **Data\ + \ Retrieval**: It calls the `get_graph_snapshot` method of the `DataDogManager`,\ + \ which performs a GET request to the DataDog API to retrieve the snapshot graph.\n\ + 4. **Result Reporting**: \n - If the snapshot is successfully retrieved, it\ + \ adds the snapshot URL as a link to the action result.\n - It adds the raw\ + \ snapshot JSON data to the action result.\n - It ends the action with a success\ + \ message and status." capabilities: can_create_case_comments: false can_create_insight: false @@ -339,8 +504,17 @@ Get Metric Snapshot Graph: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DataDog API to retrieve a metric snapshot + graph. It does not modify any external systems (read-only). It does not modify + internal SOAR data (entities, case wall, or alert fields); it only reports results + using standard result methods (add_link, add_result_json). categories: enrichment: false + reasoning: >- + The action does not operate on entities (it is a standalone utility action), + therefore it does not meet the criteria for an Enrichment Action, which requires + gathering context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -356,54 +530,53 @@ Get Metric Snapshot Graph: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` or any entity-specific + logic. It operates independently of entities. Get Metric Timeseries Points: - ai_description: >- - ### General Description - - Retrieves timeseries data points for a specific metric query from Datadog within - a defined time range. This action allows analysts to fetch granular monitoring - data directly into a case for investigation, performance analysis, or anomaly - detection. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | string | Yes | The Datadog metric query to execute. Example: `avg:aws.rds.dbload{dbinstanceidentifier:db}by{dbinstanceidentifier}`. - | - - | Start Time | string | Yes | The start time of the timeseries points in Unix - timestamp format (e.g., 1400000470). | - - | End Time | string | Yes | The end time of the timeseries points in Unix timestamp - format (e.g., 1610557457). | - - - ### Flow Description - - 1. **Initialization**: The action extracts the Datadog API Key and APP Key from - the integration configuration. - - 2. **Input Retrieval**: It captures the user-provided metric query and the start/end - Unix timestamps. - - 3. **API Execution**: The action calls the Datadog `v1/query` endpoint via the - `DataDogManager` to fetch the requested timeseries data. - - 4. **Validation**: It verifies if the API response status is "ok" and checks if - any data series were returned. - - 5. **Output**: The raw JSON response from Datadog is attached to the action results, - and a success message is generated if data points were found. - - - ### Additional Notes - - This action is a utility query tool and does not automatically map data to specific - entities in the Google SecOps environment. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical telemetry data (timeseries points) from Datadog + based on a query, which aligns with the 'Search Events' category. It does not + perform any other actions like ticketing, blocking, or identity management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "This action retrieves timeseries metric points from Datadog for\ + \ a specified query and time range. \n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| End Time | string | Yes |\ + \ The end time of the timeseries points in Unixtime. |\n| Start Time | string\ + \ | Yes | The start time of the timeseries points in Unixtime. |\n| Query | string\ + \ | Yes | The metric query to retrieve timeseries points for. |\n\n### Flow\n\ + 1. Extract configuration parameters (API Key, APP Key).\n2. Extract action parameters\ + \ (Query, Start Time, End Time).\n3. Initialize the DataDogManager.\n4. Call the\ + \ `get_timeseries_point_metrics` method via the Datadog API.\n5. Add the retrieved\ + \ JSON result to the action output.\n6. End the action with a success or failure\ + \ message." capabilities: can_create_case_comments: false can_create_insight: false @@ -414,8 +587,17 @@ Get Metric Timeseries Points: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Datadog API to retrieve timeseries + metric data based on a provided query and time range. It does not modify any + external systems or internal SOAR data. It only adds the retrieved data to the + action result. categories: enrichment: false + reasoning: >- + The action fetches metric data from Datadog. While it retrieves data, it does + not operate on entities or alerts to provide context, so it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -431,63 +613,92 @@ Get Metric Timeseries Points: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on the provided input parameters. Get Pod Metric: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves performance metrics (CPU, Memory) and process lists for + a specific resource (Pod). This aligns with the 'Enrich Asset' category, as + it provides contextual metadata for a resource. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Pod Metric** action retrieves performance data and process information - for one or more Kubernetes Pods from DataDog. It specifically fetches CPU utilization, - memory usage percentages, and a list of active processes associated with the specified - pods within a defined time range. This action is useful for troubleshooting performance - issues or investigating suspicious activity within a Kubernetes environment. + This action retrieves performance metrics and process information for specified + Kubernetes pods from Datadog. It allows analysts to gather contextual data regarding + CPU usage, memory consumption, and active processes for a given pod within a specified + time range, aiding in troubleshooting and performance analysis. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action extracts the Datadog API and App keys from the + integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the `Pod Name` (a comma-separated list + of pods), `Start Time`, and `End Time` from the action parameters. + + 3. **Data Retrieval**: The action iterates through the provided list of pods. + For each pod, it performs the following operations via the Datadog API: + * Fetches CPU metrics. + * Fetches memory usage metrics. + * Retrieves a list of running processes associated with the pod. + 4. **Aggregation**: The retrieved metrics and process data are aggregated into + a structured JSON object. - | Pod Name | String | Yes | A comma-separated list of Kubernetes Pod names to - retrieve metrics for. | + 5. **Output**: The final JSON result is added to the action execution summary, + and the action concludes with a status message indicating success or failure for + each pod. - | Start Time | String | Yes | The start time for the metric query in Unix timestamp - format (e.g., 1507040000). | - | End Time | String | Yes | The end time for the metric query in Unix timestamp - format (e.g., 1610557457). | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action does not automatically iterate over Google SecOps entities. It relies - entirely on the pod names provided in the `Pod Name` parameter. If multiple pod - names are provided, the action will iterate through each and aggregate the results - into a single JSON output. + | Pod Name | string | Yes | A comma-separated list of pod names or namespaces + to query. | + | Start Time | string | Yes | The start time for the metric query in Unixtime + format. | + + | End Time | string | Yes | The end time for the metric query in Unixtime format. + | - ### Flow Description - 1. **Initialization**: The action extracts the DataDog API Key and APP Key from - the integration configuration. - - 2. **Parameter Parsing**: It retrieves the `Pod Name`, `Start Time`, and `End - Time` from the action parameters. The `Pod Name` string is split by commas into - a list of individual pod identifiers. - - 3. **Data Retrieval**: For each pod in the list, the action performs three distinct - queries to DataDog: - * **CPU Metrics**: Fetches the average CPU system total for the pod. - * **Memory Metrics**: Fetches the average memory usage percentage for the - pod. - * **Process Information**: Retrieves a list of active processes tagged with - the specific `pod_name`. - 4. **Result Aggregation**: The retrieved metrics and process data for each pod - are stored in a structured dictionary. - - 5. **Final Output**: The action adds the aggregated data as a JSON result to the - action execution and provides a summary message indicating which metrics were - successfully retrieved. + ### Additional Notes + + This action does not interact with SOAR entities directly; it relies entirely + on the input parameters provided by the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -498,8 +709,15 @@ Get Pod Metric: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Datadog API to retrieve performance + metrics and process lists for specific pods. It does not modify any external + systems or internal SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (Datadog) without mutating any + external or internal state. This qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -515,15 +733,50 @@ Get Pod Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses a user-provided + parameter for the pod name, so no entity types are processed. Get RDS Metric: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves performance metrics (CPU, memory, storage) for a database + instance. This provides contextual metadata about a resource, aligning with + the 'Enrich Asset' category. It does not perform IOC enrichment, alert updates, + or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves AWS RDS performance metrics from DataDog for specific database instances. - This action fetches time-series data for CPU utilization, freeable memory, and - free storage space within a user-defined time range. It is designed to provide - visibility into the health and resource consumption of RDS databases directly - within the SOAR platform. + This action retrieves AWS RDS performance metrics (CPU, memory, and storage) for + specified database instances from Datadog. It allows analysts to query historical + performance data within a defined time range to assist in troubleshooting or monitoring + database health. ### Parameters Description @@ -532,38 +785,35 @@ Get RDS Metric: | :--- | :--- | :--- | :--- | - | Database Instance Identifier | String | Yes | A comma-separated list of AWS - RDS database instance identifiers (e.g., 'db-1, db-2') to query metrics for. | + | Database Instance Identifier | string | Yes | The identifier(s) of the database + instance(s) to retrieve metrics for. Multiple identifiers can be provided as a + comma-separated string. | - | Start Time | String | Yes | The start of the metric query period in Unix timestamp - format (e.g., '1507040000'). | + | Start Time | string | Yes | The start time for the metric query in Unixtime + format. | - | End Time | String | Yes | The end of the metric query period in Unix timestamp - format (e.g., '1610557457'). | + | End Time | string | Yes | The end time for the metric query in Unixtime format. + | ### Flow Description - 1. **Parameter Extraction**: The action extracts the DataDog API and APP keys - from the integration configuration and the database identifiers and time range - from the action parameters. + 1. **Initialization**: The action extracts the Datadog API and Application keys + from the integration configuration and retrieves the action parameters (Database + identifiers, Start Time, End Time). - 2. **Identifier Parsing**: The provided string of database identifiers is split - into a list for individual processing. + 2. **Data Retrieval**: The action iterates through the provided list of database + instance identifiers. - 3. **Metric Retrieval**: For each database identifier, the action performs three - distinct API calls to DataDog: - * Fetches CPU utilization metrics (`aws.rds.cpuutilization`). - * Fetches freeable memory metrics (`aws.rds.freeable_memory`). - * Fetches free storage space metrics (`aws.rds.free_storage_space`). - 4. **Data Validation**: The action verifies that the API responses have a status - of 'ok' and contain actual time-series data points. + 3. **Metric Fetching**: For each identifier, it calls the `DataDogManager` to + fetch CPU utilization, memory usage, and free storage space metrics from Datadog + using the specified time range. - 5. **Result Aggregation**: Successful metrics are aggregated into a JSON result - object, while identifiers that returned no data are tracked separately. + 4. **Result Aggregation**: Successfully fetched metrics are aggregated into a + JSON object. - 6. **Final Output**: The action returns the aggregated JSON data and a summary - message indicating success or failure for the requested identifiers. + 5. **Output**: The action adds the aggregated JSON result to the SOAR action results + and terminates with a success status and a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -574,8 +824,16 @@ Get RDS Metric: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Datadog API to retrieve RDS metrics. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Datadog) without mutating external + or internal systems. It qualifies as an enrichment action because it retrieves + contextual information about a resource. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -591,41 +849,73 @@ Get RDS Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It accepts a string parameter + for the database identifier, meaning it does not operate on SOAR entities. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, ticketing, or alert + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the DataDog platform. It ensures that the provided API Key and - Application Key are valid and that the network path to the DataDog API is open. + Tests the connectivity between the SOAR platform and the DataDog service. This + action validates the provided API and Application keys by making a request to + the DataDog validation endpoint. It returns a success or failure status based + on the response. ### Parameters - There are no action-specific parameters for this task. It relies entirely on the - integration's global configuration parameters: + | Parameter | Type | Mandatory | Description | - * **API Key**: The secret key used to authenticate requests to DataDog. + | --- | --- | --- | --- | - * **APP Key**: The application key used to identify the specific application making - the request. + | API Key | String | Yes | The API key used to authenticate with the DataDog API. + | + | APP Key | String | Yes | The Application key used to authenticate with the DataDog + API. | - ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `API Key` and `APP Key` - from the DataDog integration settings. + ### Flow Description - 2. **Manager Initialization**: It initializes the `DataDogManager` with the retrieved - credentials. + 1. The action extracts the API Key and APP Key from the integration configuration. - 3. **Connectivity Test**: The action calls the DataDog `/api/v1/validate` endpoint - via a GET request. + 2. It initializes the DataDogManager with the provided credentials. - 4. **Validation**: It checks the response for a `valid: True` status. + 3. It calls the `test_connectivity` method, which sends a GET request to the DataDog + validation endpoint (`/api/v1/validate`). - 5. **Result Reporting**: If valid, it returns a success message; otherwise, it - reports a connection failure. + 4. If the response indicates a valid connection, the action returns a success + message. Otherwise, it returns a failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,10 +924,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (Ping) by sending a GET request + to the DataDog API validation endpoint. It does not fetch contextual data for + entities, nor does it mutate any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided instructions. It does not perform any data retrieval + or modification tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -653,3 +951,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..9c608995d --- /dev/null +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,73 @@ +DataDog Connector: + ai_description: >- + ### General Description + + The DataDog Connector is designed to ingest events from DataDog into Google SecOps. + It allows security teams to monitor DataDog-generated incidents, such as monitor + triggers, by fetching event data based on configurable filters like tags, priority, + and source types. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API Key used to authenticate with the DataDog + API. | + + | APP Key | Password | Yes | The Application Key used to authenticate with the + DataDog API. | + + | Base URL | String | Yes | The base URL for the DataDog API (default: https://api.datadoghq.com). + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Max Days Back | Integer | Yes | The maximum number of days to look back when + fetching events. | + + | Priority | String | No | The priority of events to retrieve (e.g., 'low', 'normal', + 'all'). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | Sources | String | Yes | The sources to retrieve events from (e.g., 'alert'). + | + + | Tags | String | No | A comma-separated list of tags to filter the list of monitors. + | + + | Unaggregated | Boolean | No | If true, retrieves the full list of events; if + false, retrieves an aggregated list. | + + + ### Flow Description + + 1. **Initialization**: Connects to the DataDog API using the provided API and + Application keys. + + 2. **Time Range Calculation**: Determines the time range for fetching events based + on the last successful run's timestamp or the configured `Max Days Back`. + + 3. **Event Retrieval**: Queries the DataDog API (`/api/v1/events`) for events + matching the specified sources, tags, priority, and aggregation settings. + + 4. **Filtering**: Iterates through the retrieved events, filtering for those with + "error" or "warning" alert types. + + 5. **Data Processing**: For each relevant event, fetches full details, maps the + data (including tags, metrics, and URLs) into a standardized `AlertInfo` format, + and identifies child events if present. + + 6. **Ingestion**: Creates and ingests the processed alerts into the Google SecOps + platform. + + 7. **State Management**: Updates the last saved timestamp to ensure subsequent + runs only fetch new events. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..707e5ec4c --- /dev/null +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Datadog integration is primarily a monitoring and observability platform that + provides Cloud SIEM capabilities. The connector ingests alerts and events into + the SOAR platform, which is a core SIEM function. Several actions (Get Events, + Get Logs, Get Event Details) allow for searching and investigating historical + activity, further supporting the SIEM classification. Additionally, the integration + provides visibility into cloud-native resources (Kubernetes pods, AWS RDS) through + actions like 'Get Pod Metric' and 'Get RDS Metric', which aligns with Cloud Security + and Asset Inventory categories by providing performance and health context for + these assets. It does not perform EDR, Network Security, Threat Intelligence, + Email Security, IAM, ITSM, or Collaboration functions. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml index 203b61c45..4f9d7f727 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml @@ -1,19 +1,64 @@ Invite User: - ai_description: "Invites a user to a specific team within a Docker Hub organization\ - \ using their email address. This action facilitates user management by automating\ - \ the invitation process to organizational groups.\n\n### Parameters\n| Parameter\ - \ | Description | Type | Mandatory | \n| --- | --- | --- | --- |\n| Organization\ - \ | The name of the Docker Hub organization where the team resides. | string |\ - \ Yes |\n| Team | The specific team name within the organization to which the\ - \ user will be invited. | string | Yes |\n| Email | The email address of the user\ - \ to receive the invitation. | string | Yes |\n\n### Flow Description\n1. **Authentication**:\ - \ The action authenticates with the Docker Hub API using the credentials (Username\ - \ and Password) provided in the integration configuration.\n2. **Parameter Retrieval**:\ - \ It extracts the Organization, Team, and Email values from the action parameters.\n\ - 3. **API Request**: It executes a POST request to the Docker Hub endpoint `orgs/{org}/groups/{team}/members`\ - \ with the user's email.\n4. **Outcome Reporting**: The action returns a success\ - \ status if the invitation is sent successfully or logs the error if the request\ - \ fails." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action invites a user to a team in Docker Hub. This does not match any of + the provided categories (Enrichment, Containment, Ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Invites a user to a specific team in a given organization in Docker Hub. This + action automates the process of adding a user to a team by sending an invitation + request to the Docker Hub API. + + + ### Flow + + 1. Retrieves configuration (credentials) and parameters (Organization, Team, Email). + + 2. Initializes the Docker Hub client with the provided credentials. + + 3. Sends an invitation request to the specified organization and team using the + provided email address. + + 4. Logs the outcome and ends the action. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Team | string | Yes | The name of the team within the organization. | + + | Organization | string | Yes | The name of the organization. | + + | Email | string | Yes | The email address of the user to invite. | capabilities: can_create_case_comments: false can_create_insight: false @@ -22,12 +67,19 @@ Invite User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user invitation record within the specified Docker Hub organization - and team. + Invites a user to a Docker Hub team by sending a POST request to the Docker + Hub API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Docker Hub API to invite a user to + a team. This is an external mutation. It does not fetch data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action performs an external mutation (inviting a user) and does not fetch + data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -43,47 +95,75 @@ Invite User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It uses parameters provided + in the action settings. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, blocking, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The Ping action is designed to verify the connectivity between Google SecOps and - the Docker Hub instance. It ensures that the provided credentials (Username and - Password) are valid and that the environment can successfully communicate with - the Docker Hub API. + Verifies connectivity to the Docker Hub API by authenticating with the provided + credentials and performing a catalog request. This action is used to ensure that + the integration is correctly configured and that the service is reachable from + the SOAR platform. ### Parameters Description - There are no parameters for this action. It relies entirely on the integration's - global configuration for authentication. + There are no input parameters for this action. The action utilizes the integration-level + configuration (Username and Password) to authenticate and test the connection. ### Additional Notes - - This action is a standard connectivity test and does not process any entities - or modify any data. - - - Although the metadata description mentions inviting users, the actual implementation - code performs a connectivity check via the `test_connectivity` method. + This action is a connectivity test (Ping) and does not perform any data enrichment + or state changes. It is intended for diagnostic purposes to validate the integration + setup. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK and sets the script - name. + 1. Initialize the `SiemplifyAction` and retrieve the integration configuration + (Username and Password). - 2. **Configuration Retrieval**: It fetches the Username and Password from the - Docker Hub integration configuration. + 2. Instantiate the `DockerHub` client with the provided credentials. - 3. **Authentication**: It instantiates the Docker Hub manager, which triggers - a login process (POST request) to obtain a JWT authentication token. + 3. Execute the `test_connectivity` method, which performs a GET request to the + Docker Hub `_catalog` endpoint. - 4. **Connectivity Test**: It calls the `test_connectivity` method, which performs - a GET request to the `_catalog` endpoint of the Docker Hub API. - - 5. **Completion**: If the request is successful, the action terminates with a - success status. + 4. If the request is successful, the action completes successfully. If an authentication + or connection error occurs, the action fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,10 +172,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Docker Hub API to verify connectivity. + It does not modify external systems, update internal entities, or create insights. + It is a standard connectivity test. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. Per the instructions, + 'Ping' actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -111,3 +198,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + check. diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ebc015a5a --- /dev/null +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Docker Hub integration provides administrative capabilities, specifically + the ability to invite users to teams and perform connectivity tests. It does not + perform security-focused operations such as log analysis (SIEM), host investigation + (EDR), network traffic blocking (Network Security), threat intelligence enrichment, + email security management, security-focused identity remediation (e.g., suspending + accounts or resetting passwords), cloud infrastructure security monitoring, ticketing + (ITSM), vulnerability management, asset inventory tracking, or collaboration/notification. + As the actions are purely administrative and do not address the security-specific + outcomes defined for these categories, none of the categories are applicable. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml index 8370e257a..72d13c93c 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml @@ -1,52 +1,92 @@ Get Authentication Logs for User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves authentication logs and user metadata, which provides context + for a user (Enrich Asset). It also retrieves historical logs matching specific + criteria (Search Events). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves user profile information and authentication logs from DUO - MFA for a specific username. It is designed to provide visibility into a user's - authentication patterns over a specified period (defaulting to 1 day). The action - also performs a frequency analysis on successful authentication sources (IP addresses, - states, operating systems, applications, devices, and factors) and filters them - based on a user-defined threshold to identify 'known' or 'safe' sources. + This action retrieves authentication logs and user data from DUO MFA for a specified + user. It aggregates authentication sources (such as IP addresses, operating systems, + and applications) and filters them based on a provided success threshold to help + identify known-good authentication patterns. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the DUO API hostname, Admin + Secret Key, and Admin Integration Key from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Username`, `Number Days Back`, and + `Authentication Threshold` from the action parameters. - | Authentication Threshold | string | Yes | The minimum number of successful authentications - required for an authentication source (e.g., an IP or device) to be included in - the summary lists. Default is 2. | + 3. **Authentication**: It initializes the DUO Admin API client using the extracted + credentials. - | Number Days Back | string | Yes | The number of days prior to the current time - to retrieve logs for. Default is 1. | + 4. **User Retrieval**: It queries the DUO API to find the `user_id` associated + with the provided `Username`. - | Username | string | No | The DUO username for which to retrieve data. | + 5. **Log Retrieval**: It fetches authentication logs for the identified user within + the specified timeframe (calculated from `Number Days Back`). + 6. **Data Aggregation**: It iterates through the logs, counting occurrences of + various authentication attributes (IP, state, OS, application, device, factor). - ### Flow Description + 7. **Filtering**: It filters the aggregated counts, removing any sources that + do not meet the `Authentication Threshold`. - 1. **Authentication**: Connects to the DUO Admin API using the configured Hostname, - Integration Key, and Secret Key. + 8. **Result Output**: It compiles the user data, raw logs, and aggregated statistics + into a JSON object and adds it to the action results. - 2. **User Identification**: Queries DUO to find the `user_id` associated with - the provided `Username` parameter. - 3. **Log Retrieval**: Fetches all authentication logs for that user within the - time window defined by `Number Days Back`. + ### Parameters Description - 4. **Data Processing**: Iterates through the logs to identify successful authentications. + | Parameter | Type | Mandatory | Description | - 5. **Frequency Analysis**: Counts occurrences of specific metadata fields (IP, - OS, Location, Device, etc.) for successful logins. + | :--- | :--- | :--- | :--- | - 6. **Filtering**: Removes entries from the frequency counts that do not meet the - `Authentication Threshold`. + | Authentication Threshold | string | Yes | Number of successful authentications + required to consider an authentication source as a known safe entity. | - 7. **Output**: Returns a comprehensive JSON object containing the user's profile, - raw logs, and the filtered frequency analysis. + | Number Days Back | string | Yes | Number of days back to obtain authentication + logs from. | + + | Username | string | No | The username to retrieve logs for. | + + + ### Additional Notes + + If the `Username` is not provided, the action will fail to retrieve user-specific + logs. The action relies on the DUO Admin API and may implement a retry mechanism + (sleep) if rate limiting is encountered. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,8 +97,17 @@ Get Authentication Logs for User: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DUO Admin API to fetch authentication + logs and user data. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR data (entities, insights, or case comments), + it only returns a result JSON. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (logs) from an external source (DUO) and does not mutate + any external or internal systems. It qualifies as an enrichment action as it + provides context about a user's authentication history. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -74,53 +123,49 @@ Get Authentication Logs for User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a 'Username' parameter provided by the user to query the DUO + API. It does not iterate over or process 'siemplify.target_entities'. Get Trust Monitor Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical logs (Trust Monitor events) from an external + service. This aligns with the 'Search Events' category. It does not perform + enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves Trust Monitor events from DUO Security for a specified lookback period. - This action interacts with the DUO Admin API to fetch security events that help - monitor trust assessments and potential security anomalies within the DUO environment. - It is primarily used for data gathering and auditing purposes. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Number Days Back | String | Yes | The number of days prior to the current time - to retrieve events from. The value is converted to an integer and used to calculate - the start timestamp for the API request. Default is '1'. | - - - ### Additional Notes - - - This action requires valid DUO Admin API credentials (API Hostname, Admin Secret - Key, and Admin Integration Key) to be configured in the integration settings. - - - The action does not process specific entities; it performs a global fetch of - events based on the time range provided. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the DUO API Hostname, Admin - Secret Key, and Admin Integration Key from the integration's provider configuration. - - 2. **Time Calculation**: It calculates the start and end timestamps in milliseconds. - The start timestamp is determined by subtracting the specified number of days - (converted from the `Number Days Back` parameter) from the current time. - - 3. **API Initialization**: Initializes the DUO Admin API client using the provided - credentials. - - 4. **Data Retrieval**: Calls the DUO SDK method `get_trust_monitor_events_by_offset` - using the calculated time range to fetch Trust Monitor events. - - 5. **Result Processing**: Formats the retrieved events into a JSON structure and - attaches them to the action's result object for use in subsequent playbook steps. + Retrieves DUO Trust Monitor events from the DUO Admin API for a specified lookback + period. The action extracts configuration parameters (API Hostname, Admin Secret + Key, Admin Integration Key) and the 'Number Days Back' parameter to calculate + the time range. It then queries the DUO Admin API using the 'get_trust_monitor_events_by_offset' + method and returns the events as a JSON result. Parameters: 'Number Days Back' + (String, Mandatory) - The number of days to look back for events. capabilities: can_create_case_comments: false can_create_insight: false @@ -131,8 +176,15 @@ Get Trust Monitor Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DUO Admin API to retrieve logs/events. + It does not modify any external or internal systems. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not enrich specific entities or alerts. + It retrieves a list of events, which classifies it as a search/retrieval action + rather than an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -148,43 +200,77 @@ Get Trust Monitor Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It operates independently + of any specific entity. Get Users by Name: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches contextual metadata (user information) from the DUO platform, + which aligns with the 'Enrich Asset' category. It does not perform any other + actions like blocking, ticketing, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Queries the DUO Admin API to retrieve user information for a specified username. + This action fetches authentication and device data associated with the user from + the DUO platform and returns it as a JSON result. - Retrieves detailed user information from DUO MFA using the Admin API based on - a specific username. This action is designed to fetch user-specific metadata, - including user IDs, authentication details, and device data, providing visibility - into a user's status within the DUO ecosystem. + ### Flow Description - ### Parameters Description + 1. Extract configuration parameters (API Hostname, Admin Secret Key, Admin Integration + Key) from the integration settings. - | Parameter | Type | Mandatory | Description | + 2. Extract the `Username` parameter provided by the user. - | :--- | :--- | :--- | :--- | + 3. Initialize the DUO Admin API client using the extracted credentials. - | Username | String | Yes | The specific username to query in the DUO Admin API - to retrieve associated data. | + 4. Call the `get_users_by_name` method to fetch user data from the DUO platform. + 5. Format the retrieved user data into a JSON structure and add it to the action + result using `add_result_json`. - ### Flow Description - 1. **Configuration Extraction**: Retrieves the DUO API Hostname, Admin Secret - Key, and Admin Integration Key from the integration's configuration settings. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: Retrieves the target `Username` provided as an action - input. + | :--- | :--- | :--- | :--- | - 3. **API Initialization**: Initializes the DUO Admin API client using the extracted - credentials. + | Username | string | Yes | The username to query in the DUO platform. | - 4. **Data Retrieval**: Calls the `get_users_by_name` endpoint to fetch all records - associated with the provided username. - 5. **Result Processing**: Iterates through the returned data to identify the `user_id` - and aggregates the full response into a structured JSON result for use in subsequent - playbook steps. + ### Additional Notes + + This action requires valid DUO Admin API credentials (API Hostname, Admin Secret + Key, and Admin Integration Key) to be configured in the integration settings for + successful execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -195,8 +281,16 @@ Get Users by Name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user data from the DUO API (fetches_data=true). It does not + mutate external data, update entities, create insights, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (DUO) but does not update any + entities or create insights within the SOAR platform. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,36 +306,52 @@ Get Users by Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It takes a `Username` parameter directly. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks such as enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Verifies the connectivity and credentials for the DUO Auth API. This action uses - the DUO Python SDK to call the `/check` endpoint, ensuring that the provided API - Hostname, Secret Key, and Integration Key are valid and that the request signature - is generated correctly. - - - ### Parameters - - There are no input parameters for this action. It relies entirely on the integration's - configuration settings (API Hostname, Auth Secret Key, and Auth Integration Key). - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the `API Hostname`, `Auth Secret Key`, - and `Auth Integration Key` from the DUO integration settings. - - 2. **Client Initialization**: Initializes the DUO Auth API client using the retrieved - credentials. - - 3. **Connectivity Check**: Executes the `check()` method against the DUO API to - verify the integration setup. - - 4. **Result Handling**: If the check is successful, it returns a confirmation - message. If an exception occurs, it reports a failure with the specific error - details. + This action verifies the connectivity and validity of the DUO Auth API credentials + by performing a connectivity check against the DUO service. Parameters: API Hostname + (String, Mandatory) - The hostname for the DUO API. Auth Secret Key (String, Mandatory) + - The secret key for the DUO Auth API. Auth Integration Key (String, Mandatory) + - The integration key for the DUO Auth API. Flow: 1. Extract the required configuration + parameters (API Hostname, Auth Secret Key, Auth Integration Key) from the integration + settings. 2. Initialize the DUO Auth client using the provided credentials. 3. + Execute the check() method to validate the connection to the DUO API. 4. Return + a success message if the connection is verified, or a failure message if an exception + occurs during the process. capabilities: can_create_case_comments: false can_create_insight: false @@ -250,10 +360,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify API credentials. It + does not fetch contextual data for entities or alerts, nor does it mutate any + external or internal data. categories: enrichment: false + reasoning: >- + The action is a Ping action designed to verify connectivity. According to the + guidelines, Ping actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -269,3 +386,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..e64505864 --- /dev/null +++ b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,54 @@ +DUO - Trust Monitor Connector: + ai_description: >- + ### General Description + + The DUO - Trust Monitor Connector integrates with the Duo Security Admin API to + monitor and ingest Trust Monitor events. It retrieves security events from the + specified timeframe, maps them into structured cases, and ingests them into Google + SecOps for further investigation and response. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the script. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Days Back | Integer | Yes | The maximum number of days back to retrieve data + from. | + + | API Hostname | String | Yes | API hostname for your tenant (e.g., api-XXXXXXXX.duosecurity.com). + | + + | Admin Secret Key | Password | Yes | DUO Admin API Secret Key. | + + | Admin Integration Key | Password | Yes | DUO Admin API Integration Key. | + + + ### Flow Description + + 1. The connector initializes the connection to the Duo Security Admin API using + the provided API Hostname, Integration Key, and Secret Key. + + 2. It calculates the time range based on the configured 'Days Back' parameter. + + 3. It queries the Duo Trust Monitor API to fetch events that occurred within the + specified timeframe. + + 4. For each retrieved event, the connector flattens the nested event data into + a structured format. + + 5. It maps the event details (such as user, timestamp, and event type) into a + Google SecOps CaseInfo object. + + 6. Finally, it packages the created alerts and returns them to the SOAR platform + for ingestion. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0d07406e5 --- /dev/null +++ b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The Duo integration is primarily an Identity and Access Management (IAM) solution, + as it provides visibility into user authentication logs, user metadata, and MFA + events, which are essential for investigating suspicious user behavior. Additionally, + it qualifies as a SIEM integration because the 'DUO - Trust Monitor Connector' + ingests security events into Google SecOps, and the available actions allow analysts + to search for and retrieve authentication activity related to users, aligning + with the SIEM capability of finding activity related to users across logs. It + does not meet the criteria for EDR, Network Security, Cloud Security, or other + categories as it does not manage endpoints, network traffic, or cloud infrastructure + resources. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml index df7c29bf1..09fb3e228 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml @@ -1,43 +1,78 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches reputation and threat intelligence for indicators (Enrich + IOC) and contextual metadata for assets (Enrich Asset). It does not perform + containment or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Enriches entities using the EclecticIQ platform. This action retrieves threat + intelligence, entity details, and platform links for the provided entities, updates + the entities with this information, and adds entity links and tables to the SOAR + case. - Enriches entities by querying the EclecticIQ Threat Intelligence Platform. This - action retrieves comprehensive context for entities, including observable details, - associated threat entities, confidence levels (maliciousness), and source information. - It enhances the visibility of potential threats within the Google SecOps environment - by attaching external intelligence directly to the entities. + ### Flow Description - ### Parameters + 1. Initialize `EclecticIQManager` with configuration. - There are no parameters for this action. + 2. Fetch observables and entity information from EclecticIQ for the provided target + entities. + 3. Parse the retrieved data into enrichment details, links, and tables. - ### Flow Description + 4. Update the entities in the SOAR platform with the enriched data. + + 5. Add entity links and tables to the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 1. **Initialization**: The action initializes the EclecticIQ manager using the - URL and API token retrieved from the integration configuration. + | --- | --- | --- | --- | - 2. **Data Retrieval**: It performs a bulk lookup for all target entities to find - matching observables in the EclecticIQ database. + | EclecticIQ URL | String | Yes | The base URL for the EclecticIQ instance. | - 3. **Context Enrichment**: For identified observables, it fetches related entity - data and resolves source identifiers to human-readable names. + | API Token | String | Yes | The authentication token for the EclecticIQ API. + | - 4. **Entity Update**: It flattens the retrieved intelligence data, applies an - 'EIQ' prefix, and updates the `additional_properties` of the SecOps entities. - It also marks the entities as enriched (`is_enriched = True`). + | Verify SSL | Boolean | Yes | Boolean flag to enable/disable SSL verification. + | - 5. **UI Enhancement**: It adds direct links to the EclecticIQ platform and populates - data tables for each entity to provide a detailed view of the findings within - the case wall. - 6. **Completion**: The action returns the count of enriched entities and lists - any entities that were not found in EclecticIQ in the output message. + ### Additional Notes + + None. capabilities: can_create_case_comments: false - can_create_insight: false + can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true @@ -45,47 +80,40 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with threat intelligence data from EclecticIQ - and sets the 'is_enriched' flag to true. + Updates entity additional properties and adds entity links/tables to the SOAR + case. + reasoning: >- + The action fetches threat intelligence data from EclecticIQ (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with the retrieved data (can_mutate_internal_data=true, + can_update_entities=true). It adds entity links and tables, which are forms + of insights (can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (EclecticIQ) and updates internal + entities without modifying external systems. This fits the definition of an + Enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - CHILDHASH - CHILDPROCESS - - CLUSTER - - CONTAINER - CREDITCARD - CVE - CVEID - - DATABASE - - DEPLOYMENT - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - FILEHASH - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - PARENTHASH - PARENTPROCESS - PHONENUMBER - - POD - PROCESS - - SERVICE - SOURCEDOMAIN - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -99,24 +127,52 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` without explicit type filtering + in the main loop, meaning it attempts to enrich all provided entities. The `EclecticIQManager` + uses an `ENTITY_MAP` to handle various types. Ping: - ai_description: "### General Description\nThe Ping action is a utility designed\ - \ to verify the connectivity between Google SecOps and the EclecticIQ platform.\ - \ It ensures that the provided configuration parameters, such as the URL and API\ - \ Token, are correct and that the network path is open.\n\n### Parameters\nThis\ - \ action does not require any input parameters.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action starts by fetching the integration's global configuration,\ - \ including the EclecticIQ URL, API Token, and SSL verification settings.\n2.\ - \ **Manager Initialization**: It initializes the `EclecticIQManager` with the\ - \ retrieved credentials.\n3. **Connectivity Test**: The manager executes the `test_connectivity`\ - \ method, which performs a GET request to the `/api/v2/sources` endpoint of the\ - \ EclecticIQ API.\n4. **Result Handling**: \n * If the API call is successful\ - \ (returns a 200 OK status), the action completes with a success message.\n \ - \ * If an exception occurs (e.g., authentication failure, timeout, or invalid\ - \ URL), the action catches the error, logs the details, and returns a failure\ - \ status.\n\n### Additional Notes\nThis action is primarily used during the initial\ - \ setup of the integration or for troubleshooting communication issues. It does\ - \ not process any entities or modify any data." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the functional + categories like Enrich IOC, Create Ticket, etc. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + This action facilitates testing connectivity with EclecticIQ. It verifies that + the SOAR platform can successfully communicate with the EclecticIQ instance using + the provided credentials. The action flow is as follows: 1. Retrieve configuration + parameters (EclecticIQ URL, API Token, Verify SSL). 2. Initialize the EclecticIQ + Manager. 3. Perform a test GET request to the EclecticIQ API. 4. Return a success + or failure status based on the response. Parameters: EclecticIQ URL (String, Mandatory): + The base URL of the EclecticIQ instance. API Token (String, Mandatory): The authentication + token for the EclecticIQ API. Verify SSL (Boolean, Mandatory): Whether to verify + SSL certificates. capabilities: can_create_case_comments: false can_create_insight: false @@ -127,8 +183,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity. It does not modify external + or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is used for connectivity testing, not for enriching + data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -144,65 +206,77 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Send Entities to EclecticIQ: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action exports case entities to an external threat intelligence platform + (EclecticIQ) to create sightings or indicators. It does not match any of the + provided categories (e.g., it is not an enrichment, ticket, or containment action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action sends entities from a Google SecOps case to the EclecticIQ Intelligence - Center. Its primary purpose is to record sightings of specific entities within - the threat intelligence platform. By default, the action creates 'sighting' objects - in EclecticIQ, but it can be configured to also create 'indicator' objects. This - integration helps in synchronizing local security findings with a centralized - threat intelligence management system. + Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center + as sightings or indicators. The action retrieves the source ID for the specified + group, constructs a sighting object (and optionally an indicator object) using + case and entity data, and sends the data to EclecticIQ via a PUT request. Finally, + it adds a comment to the case and links the EclecticIQ entity in the results. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Group Name** | string | Yes | The name of the EclecticIQ Intelligence Center - Group (e.g., 'Testing Group') where the entities will be created. | + | Group Name | string | Yes | The EclecticIQ Intelligence Center Group Name. | - | **Create Indicator** | boolean | No | If set to `true`, the action creates both - a sighting and an indicator in EclecticIQ. If `false` (default), only a sighting - is created. | + | Create Indicator | boolean | No | If true, creates both a sighting and an indicator; + otherwise, only a sighting. | ### Flow Description - 1. **Initialization**: The action retrieves the EclecticIQ URL, API Token, and - SSL verification settings from the integration configuration, along with the user-provided - 'Group Name' and 'Create Indicator' flag. - - 2. **Group Identification**: It queries the EclecticIQ API to find the internal - source ID associated with the provided 'Group Name'. + 1. Extracts configuration (URL, API Token, SSL verification) and action parameters + (Group Name, Create Indicator). - 3. **Data Preparation**: The action constructs a detailed description for the - EclecticIQ objects using metadata from the current SecOps case (e.g., Title, Priority, - Status, Sla Expiration). + 2. Initializes the EclecticIQManager. - 4. **Entity Mapping**: It iterates through the target entities in the case, filtering - for supported types (IPs, Hostnames, Hashes, URLs, etc.) and mapping them to EclecticIQ - observable types. + 3. Retrieves the source ID for the specified group from EclecticIQ. - 5. **External Creation**: A PUT request is sent to the EclecticIQ `/api/v2/entities` - endpoint to create the sighting (and optionally the indicator) containing the - mapped entities. + 4. Constructs a sighting object containing case details and entity information. - 6. **Internal Updates**: Upon success, the action adds a comment to the SecOps - case wall and attaches a direct platform link to the newly created EclecticIQ - entity. + 5. Optionally constructs an indicator object if 'Create Indicator' is true. + 6. Sends the data to EclecticIQ via a PUT request. - ### Additional Notes - - - The action only processes entities that match the internal `ENTITY_MAP` (e.g., - ADDRESS, HOSTNAME, FILEHASH, etc.). Entities not in this map are ignored. - - - The action uses UUID v5 (namespace X500) based on the case identifier to generate - consistent IDs for the created EclecticIQ objects. + 7. Adds a comment to the case and links the EclecticIQ entity in the results. capabilities: can_create_case_comments: true can_create_insight: false @@ -211,39 +285,45 @@ Send Entities to EclecticIQ: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates new sighting and/or indicator entities in the EclecticIQ Intelligence - Center platform via a PUT request. - fetches_data: false + Creates sightings and optionally indicators in the EclecticIQ Intelligence Center. + fetches_data: true internal_data_mutation_explanation: >- - Adds a case comment to the case wall and creates an entity link pointing to - the EclecticIQ platform. + Adds a case comment and an entity link to the Google SecOps case. + reasoning: >- + The action fetches the group source ID (fetches_data=true), creates entities + in EclecticIQ (can_mutate_external_data=true), and adds a case comment and entity + link (can_mutate_internal_data=true, can_create_case_comments=true). categories: enrichment: false + reasoning: >- + The action mutates external data (creates entities in EclecticIQ), so it is + not an enrichment action. entity_usage: entity_types: + - HOSTNAME - ADDRESS - - CHILDHASH + - PROCESS + - PARENTPROCESS - CHILDPROCESS - - CREDITCARD - - CVE - - CVEID - - DESTINATIONDOMAIN - - DOMAIN - - FILEHASH - FILENAME - - HOSTNAME + - FILEHASH - PARENTHASH - - PARENTPROCESS + - CHILDHASH + - DestinationURL + - EMAILSUBJECT + - CVEID + - CREDITCARD - PHONENUMBER - - PROCESS - - SOURCEDOMAIN + - CVE - THREATACTOR - - DestinationURL + - SOURCEDOMAIN + - DESTINATIONDOMAIN + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -252,3 +332,7 @@ Send Entities to EclecticIQ: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and checks if they are in + `ENTITY_MAP`. It does not filter by specific entity types in the code, but it + only processes entities present in `ENTITY_MAP`. diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..ce3e96ced --- /dev/null +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,61 @@ +EclecticIQ - Feed Connector: + ai_description: >- + ### General Description + + This connector facilitates the ingestion of threat intelligence data from an EclecticIQ + Intelligence Center instance into Google SecOps SOAR. By polling a configured + outgoing feed, it retrieves new content blocks and transforms them into actionable + alerts, enabling security teams to integrate EclecticIQ's threat intelligence + directly into their incident response workflows. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Token | Password | Yes | The API token used for authentication with the + EclecticIQ instance. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EclecticIQ URL | String | Yes | The base URL of the EclecticIQ Intelligence + Center instance. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Outgoing Feed ID | String | Yes | The ID of the outgoing feed from which to + fetch entities. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the EclecticIQ API. | + + + ### Flow Description + + 1. The connector initializes a connection to the EclecticIQ Intelligence Center + using the provided URL and API token. + + 2. It validates the existence of the specified `Outgoing Feed ID`. + + 3. It retrieves a list of available content blocks from the feed. + + 4. The connector checks the local state to identify and skip previously processed + content blocks. + + 5. For each new content block, it fetches the raw data from the EclecticIQ API. + + 6. The retrieved data is parsed and mapped into `AlertInfo` objects, including + relevant metadata like entity titles, descriptions, and source information. + + 7. The generated alerts are returned to the SOAR platform for case creation and + further investigation. + + 8. The connector updates the local state with the latest processed block ID to + ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..53935cb02 --- /dev/null +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The EclecticIQ integration is primarily designed for Threat Intelligence. The + 'Enrich Entities' action retrieves threat intelligence data (reputation, metadata) + for indicators, which directly aligns with the Threat Intelligence category's + goal of determining reputation and confirming alerts. Additionally, the 'EclecticIQ + - Feed Connector' ingests threat intelligence feeds into the SOAR platform to + create alerts, further solidifying its role in threat intelligence. The integration + does not perform SIEM log analysis, EDR host containment, network security blocking, + email security, IAM management, cloud security, ITSM ticketing, vulnerability + management, asset inventory, or collaboration/approval workflows as defined in + the provided categories. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml index fb9e68e68..721dc3b1e 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml @@ -1,53 +1,70 @@ Custom Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action executes a custom query against the Flashpoint API and returns the + results. This aligns with the 'Search Events' category, which involves returning + a collection of historical logs or telemetry data matching specific search parameters. + It does not perform enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action executes a custom search query against the Flashpoint API. It allows - users to define complex search criteria in JSON format and specify the target - API endpoint, providing flexibility to interact with various Flashpoint search - capabilities beyond standard enrichment actions. + Executes a custom query against the Flashpoint API. This action allows users to + send a JSON-formatted query body to a specified API endpoint to retrieve threat + intelligence or search results. The results are returned as a JSON object and + added to the action's output. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Query Content | Code (JSON) | Yes | A JSON-formatted string containing the search - parameters. This typically includes keys like `query`, `limit`, `start_date`, - `end_date`, and `search_tags`. | + | Query Content | code | Yes | The JSON-formatted content of the query to search. + | - | New Query URL | String | Yes | The API endpoint path to append to the Flashpoint - base URL (e.g., `/all/search` or `/indicators/attribute`). | + | New Query URL | string | Yes | The API endpoint path to which the query will + be sent (e.g., /all/search). | ### Flow Description - 1. **Initialization**: The action retrieves the Flashpoint API Key from the integration - configuration and the `Query Content` and `New Query URL` from the action parameters. + 1. The action extracts the API Key from the integration configuration. - 2. **Manager Setup**: An instance of the `FlashpointManager` is created to handle - the HTTP session and authentication. + 2. It extracts the 'Query Content' and 'New Query URL' parameters provided by + the user. - 3. **Request Execution**: The action parses the `Query Content` JSON string into - a Python dictionary and sends a POST request to the constructed URL (Base API - + New Query URL). + 3. It initializes the FlashpointManager with the API Key. - 4. **Result Processing**: The JSON response from Flashpoint is retrieved and added - to the action's result JSON. - - 5. **Completion**: The action concludes by reporting whether the query was successful - or if an error occurred during the API interaction. - - - ### Additional Notes + 4. It executes a POST request to the specified API endpoint using the provided + query content. - - This action does not automatically iterate over entities in the Google SecOps - case; it is a standalone query tool. - - - The `Query Content` must be a valid JSON string, otherwise the action will fail - during the parsing stage. + 5. The retrieved results are added to the action's output as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,8 +75,17 @@ Custom Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Flashpoint API to execute a custom + query. It retrieves data (search results) but does not modify the state of the + external system (no blocking, deleting, or updating). It does not interact with + internal SOAR entities, insights, or case comments. categories: enrichment: false + reasoning: >- + The action is a generic search tool that does not operate on specific entities + or alerts. It does not meet the criteria for an Enrichment Action, which requires + gathering supplemental context about specific alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,54 +101,83 @@ Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` and performs a generic + search operation. Therefore, it does not use any entity types. IOC_Enrichment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, etc.) for indicators from + Flashpoint. This aligns with the 'Enrich IOC' category. It does not perform + containment, ticket management, or other mutation operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **IOC Enrichment** action retrieves threat intelligence for entities from - the Flashpoint platform. It queries the Flashpoint Indicator Attribute API to - find matches for entity identifiers (such as IPs, Domains, or Hashes) and enriches - the Google SecOps entities with the retrieved metadata. This action helps analysts - quickly identify known malicious indicators by pulling context directly into the - case. + Enriches indicator entities using the Flashpoint threat intelligence platform. + This action retrieves threat intelligence data for provided entities, updates + their properties with enriched information, and flags them as suspicious if applicable. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Iterate through the `target_entities` provided to the action. - | :--- | :--- | :--- | :--- | + 2. For each entity, query the Flashpoint API (`/indicators/attribute`) using the + entity's identifier. - | Limit | String | No | The maximum number of result objects to return from Flashpoint - for each entity. Default is "100". | + 3. If a report is returned: + - Flatten the report data and prefix keys with "FlashPoint". + - Update the entity's `additional_properties` with the enriched data. + - Set the entity's `is_enriched` flag to true. + - Mark the entity as `is_suspicious`. + - Add an entity insight to the SOAR case summarizing the enrichment. + - Store the report in the action results. + 4. If no report is found, track the entity as not found. + 5. Return the final results and output message. - ### Flow Description - 1. **Initialization**: Retrieves the Flashpoint API key from the integration configuration - and the result limit from the action parameters. + ### Parameters Description - 2. **API Query**: For each target entity in the case, the action sends a GET request - to the Flashpoint `/indicators/attribute` endpoint using the entity's identifier - as the query string. + | Parameter | Type | Mandatory | Description | - 3. **Data Processing**: If a report is found for an entity, the action: - * Flattens the nested JSON response from Flashpoint. - * Adds a `FlashPoint` prefix to the flattened keys to avoid attribute collisions. - * Updates the entity's `additional_properties` with the enriched data. - * Marks the entity as `enriched` and `suspicious` within the SOAR environment. - 4. **Insight Generation**: Creates a SOAR entity insight for each matched entity, - explicitly marking it as suspicious based on Flashpoint data. + | :--- | :--- | :--- | :--- | - 5. **Finalization**: Aggregates all retrieved reports into a single JSON result - and provides a summary message listing any entities that were not found in the - Flashpoint database. + | Limit | string | false | The maximum number of result objects to return. Defaults + to "100". | ### Additional Notes - * This action is strictly for enrichment; it does not perform any blocking or - state-changing operations in Flashpoint. + This action performs read-only operations on the Flashpoint API and updates internal + SOAR entity data. It does not perform any external mutations. capabilities: can_create_case_comments: false can_create_insight: true @@ -133,10 +188,19 @@ IOC_Enrichment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enriched data from Flashpoint, - marks entities as enriched and suspicious, and creates entity insights. + Updates entity properties (additional_properties, is_enriched, is_suspicious) + and adds entity insights. + reasoning: >- + The action fetches threat intelligence data from the Flashpoint API via a GET + request. It performs internal mutations by updating entity properties (additional_properties, + is_enriched, is_suspicious) and adding entity insights. It does not mutate external + systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Flashpoint) and performs allowed + internal mutations (updating entities, adding insights). It does not mutate + external data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -187,72 +251,94 @@ IOC_Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering, + meaning it attempts to enrich any entity provided to the action. Therefore, + it supports all entity types. Indicators Custom Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a search query against the Flashpoint API to retrieve indicators. + This matches the 'Search Events' category, which involves returning a collection + of historical logs or telemetry data matching specific search parameters. It + does not enrich specific IOCs or assets, nor does it perform any mutation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action executes a custom search query against the Flashpoint Indicators API - to retrieve specific threat intelligence data, such as events and attributes. - It allows users to perform granular searches using keywords, tags, and time-based - filters to gather indicators of compromise (IOCs) directly from Flashpoint's intelligence - database. + Executes a custom query against the Flashpoint API to retrieve indicators (events + or attributes) based on user-defined criteria. This action allows analysts to + search for specific threat intelligence data by applying filters such as date + ranges, search tags, and custom query strings. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts configuration parameters (API Key) and action-specific + parameters (Limit, Dates, Tags, Query, Sort, Entity Types, and Indicator Type). - | Sort By Time | ddl | No | Determines the chronological order of the results - (Ascending or Descending). | + 2. It initializes the FlashpointManager to establish a connection to the Flashpoint + API. - | Entity Types | string | No | A comma-separated list of MISP-style entity types - to retrieve (e.g., 'url,domain,ip-src'). | + 3. It executes the `indicators_custom_query` method, which performs a GET request + to the Flashpoint API endpoint based on the provided indicator type. - | Limit | string | No | The maximum number of result objects to return (default - is 10). | + 4. If the query is successful, the results are returned as a JSON object in the + action result. If no results are found or an error occurs, the action handles + the response accordingly. - | Start Date | string | No | Filters for indicators created after this specific - ISO 8601 date/time. | - | End Date | string | No | Filters for indicators created before this specific - ISO 8601 date/time. | + ### Parameters Description - | Search Tags | string | No | A comma-separated list of keywords or tags to filter - the search (e.g., 'malware,ransomware'). | + | Parameter | Type | Mandatory | Description | - | Query | string | No | The specific search query string to execute. | + | :--- | :--- | :--- | :--- | - | Indicator Type | ddl | Yes | Specifies the level of indicator data to retrieve: - 'simple' (simplified list), 'attribute' (specific IOCs), or 'event' (grouped IOCs). + | Sort By Time | ddl | No | Presents the data in a descending or ascending order. | + | Entity Types | string | No | Entity types to retrieve data for (comma separated). + | - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Flashpoint API Key from - the integration settings and all user-defined search parameters. - - 2. **Client Initialization:** An instance of the FlashpointManager is created - to handle API communication. - - 3. **API Request:** The action calls the `indicators_custom_query` method, which - constructs a GET request to the Flashpoint `/indicators/{type}` endpoint using - the provided filters (limit, dates, tags, query, and sorting). + | Limit | string | No | The maximum number of result objects to return. | - 4. **Result Processing:** If the query returns data, the raw JSON response is - attached to the action's results in Google SecOps. + | Start Date | string | No | Retrieves values created after the specified date + (e.g., 2020-02-26T14:49:07Z). | - 5. **Completion:** The action concludes with a success message if data is found, - or a notification if no matching indicators were identified. + | End Date | string | No | Retrieves values created before the specified date + (e.g., 2020-11-25T14:49:07Z). | + | Search Tags | string | No | Search for a specific keyword (comma separated). + | - ### Additional Notes + | Query | string | No | Custom query to retrieve data for. | - This action is a standalone search utility and does not automatically iterate - over or enrich entities currently present in a Google SecOps case. It is intended - for manual or automated threat hunting and intelligence gathering. + | Indicator Type | ddl | Yes | The type of indicator to query: simple, event, + or attribute. | capabilities: can_create_case_comments: false can_create_insight: false @@ -263,8 +349,18 @@ Indicators Custom Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Flashpoint API to retrieve indicator + data based on user-provided parameters. It does not modify any external systems, + nor does it update any internal SOAR data such as entities, insights, or case + comments. categories: enrichment: false + reasoning: >- + While the action fetches data, it is not classified as an enrichment action + because it does not operate on specific entities or alerts to provide context. + It is a general search/query tool that retrieves data based on global parameters + rather than enriching a specific entity profile. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -280,49 +376,64 @@ Indicators Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It performs a global search based on provided parameters. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + ### General description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Flashpoint platform. Its primary purpose is to ensure that - the integration's API credentials are valid and that the Flashpoint API is reachable - over the network. + This action tests the connectivity between the SOAR platform and the Flashpoint + API. It verifies that the provided API key is valid and that the integration can + successfully communicate with the Flashpoint service. - ### Parameters Description + ### Parameters description - | Parameter | Type | Mandatory | Description | + There are no parameters for this action. - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | + ### Flow description - ### Additional Notes - - This action is a standard connectivity check. It does not process any entities - or modify any data within Google SecOps or Flashpoint. It is typically executed - during the initial configuration of the integration or for troubleshooting purposes. - - - ### Flow Description + 1. The action initializes the `SiemplifyAction` and extracts the API Key. - 1. **Configuration Retrieval**: The action extracts the API Key from the integration's - global configuration. + 2. It instantiates the `FlashpointManager` with the API Key. - 2. **Manager Initialization**: It initializes the `FlashpointManager` with the - provided API Key. + 3. It calls the `test_connectivity` method, which performs a GET request to the + Flashpoint API. - 3. **Connectivity Test**: The action invokes the `test_connectivity` method, which - performs a sample GET request to the Flashpoint `/all/search` endpoint using a - hardcoded query. - - 4. **Validation**: The logic checks if the API returns a successful response and - valid JSON data. - - 5. **Final Status**: If the request succeeds, the action ends with a success message; - if the request fails or returns an error, it reports a connection failure. + 4. Based on the response, it returns a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -333,8 +444,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify API connectivity. It does not modify + external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. Per the instructions, 'Actions named Ping must not + be categorized as enrichment actions.' Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -350,58 +467,90 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test. Run Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action executes a search query against the Flashpoint platform and returns + the results. This aligns with the 'Search Events' category, which involves returning + collections of data matching specific search parameters. It does not perform + enrichment on specific IOCs or assets, nor does it perform any containment or + ticket management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Executes a custom search query against the Flashpoint platform to retrieve threat - intelligence data. This action allows users to perform complex searches using - Flashpoint's query syntax, filtering by tags, date ranges, and sorting preferences. - It is designed as a standalone search utility rather than an entity-specific enrichment - tool. + Executes a custom query against the Flashpoint platform to retrieve threat intelligence + or data based on user-defined parameters. This action allows analysts to perform + broad searches across Flashpoint's data sets, such as blog posts or indicators, + using specific query strings, date ranges, and filtering tags. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the `Query`, `Results count limit`, + `Date Range`, `Sort By`, and `Tags` parameters provided by the user. - | :--- | :--- | :--- | :--- | + 2. **Initialization**: It initializes the `FlashpointManager` using the API key + configured in the integration settings. - | Query | String | Yes | The search query content using Flashpoint syntax (e.g., - `+basetypes:+indicator`). | + 3. **Query Execution**: It calls the Flashpoint API to execute the custom query + with the provided filters and constraints. - | Results count limit | String | No | The maximum number of results to return - (default is 100). | + 4. **Result Handling**: The raw JSON response from the Flashpoint API is added + to the action results for the analyst to review. - | Sort By | String | No | Specifies the fields and order for sorting results (e.g., - `posted_at:desc,title:asc`). | - | Tags | String | No | A comma-separated list of tags to filter the search results. - | + ### Parameters - | Date Range | String | No | The time range for the search (e.g., `[now-1y TO - now]`). | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Query | string | Yes | The search query content (e.g., `+basetypes:+indicator`). + | - 1. **Parameter Extraction**: The action retrieves the query string, result limit, - date range, sorting criteria, and tags from the action parameters. + | Results count limit | string | No | The maximum number of results to return. + Defaults to 100 if not specified. | - 2. **Manager Initialization**: Initializes the `FlashpointManager` using the API - Key provided in the integration configuration. + | Sort By | string | No | The fields to sort by (e.g., `posted_at:desc,title:asc`). + | - 3. **Query Execution**: Executes the custom query against the Flashpoint API using - the provided parameters. + | Tags | string | No | A comma-separated list of tags for filtering results. | - 4. **Result Processing**: Receives the query response and attaches the raw JSON - data to the action's results in Google SecOps for use in downstream playbook steps. + | Date Range | string | No | The date range to filter the data (e.g., `[now-1y + TO now]`). | ### Additional Notes - This action does not iterate over or modify entities within a case. It returns - a broad set of data based on the query provided. + This action is a generic search tool and does not operate on specific entities. + It returns raw data from the Flashpoint platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -412,8 +561,18 @@ Run Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Flashpoint API to retrieve search results + based on user-provided query parameters. It does not modify any external systems + (no POST/PUT/DELETE for state changes) and does not modify internal SOAR data + (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + While the action fetches data, it is a generic search/query tool that does not + operate on specific entities (e.g., IP, Hash) to enrich them. It does not meet + the criteria for an Enrichment Action, which requires operating on entities + to provide supplemental context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -429,3 +588,7 @@ Run Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies entirely on user-provided input parameters to construct + the search query. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..867eac001 --- /dev/null +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,61 @@ +"Flashpoint - Compromised Credential Connector": + ai_description: >- + ### General Description + + The Flashpoint - Compromised Credential Connector integrates with the Flashpoint + intelligence platform to monitor and ingest compromised credential sightings. + It periodically queries the Flashpoint API for new credential-related alerts and + automatically creates cases within Google SecOps, enabling security teams to respond + to potential account takeovers or credential leaks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API Key used to authenticate with the Flashpoint + service. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the case. | + + | EventClassId | String | No | The field name used to determine the event name + (sub-type). | + + | Limit | Integer | Yes | The maximum number of events to retrieve per execution. + | + + | Max Days Back | Integer | No | The maximum number of days to look back when + fetching data. | + + | Proxy Password | Password | No | The proxy password to authenticate with. | + + | Proxy Server Address | String | No | The address of the proxy server to use. + | + + | Proxy Username | String | No | The proxy username to authenticate with. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script. | + + + ### Flow Description + + 1. The connector initializes a connection to the Flashpoint API using the provided + API Key and optional proxy settings. + + 2. It calculates the time range for data retrieval based on the last successful + fetch timestamp or the configured "Max Days Back" parameter. + + 3. It queries the Flashpoint API for "credential-sighting" events that occurred + within the calculated time window. + + 4. For each retrieved alert, the connector flattens the data structure and maps + it to a Google SecOps case format. + + 5. It checks for alert overflow to prevent duplicate case creation. + + 6. Valid cases are ingested into the SOAR platform, and the latest timestamp is + saved to ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..18b37219c --- /dev/null +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Flashpoint integration is primarily focused on providing risk intelligence + and threat data. The 'IOC_Enrichment' action allows users to enrich indicators + with threat intelligence, which is the core function of the Threat Intelligence + category. The connector ingests compromised credential sightings, which provides + alerts but does not perform log analysis or search internal logs, thus it does + not meet the criteria for SIEM. It does not perform host containment (EDR), network + blocking (Network Security), email management (Email Security), identity management + (IAM & Identity Management), cloud resource management (Cloud Security), ticket + creation (ITSM), vulnerability scanning (Vulnerability Management), or asset inventory + management (Asset Inventory). Therefore, it is classified solely under Threat + Intelligence. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml index 155cdd194..0ce30d04c 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml @@ -1,57 +1,78 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (e.g., company details, person details) + for user entities and updates their properties. This aligns with the 'Enrich + Asset' category. It does not perform IOC enrichment, ticket creation, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Enriches User entities using the Full Contact API. This action retrieves professional + and company-related metadata for a given user email and domain, then updates the + entity's profile within the SOAR platform. - Enriches **USER** entities (email addresses) using the Full Contact API. This - action retrieves comprehensive data about both the individual (e.g., job title, - gender, LinkedIn profile) and the organization associated with their email domain - (e.g., company name, industry, employee count, location). It enhances the context - of a case by populating entity properties with external identity and firmographic - intelligence. + ### Flow Description - ### Parameters Description - - There are no parameters for this action. - + 1. The action iterates through the provided target entities. - ### Additional Notes + 2. It filters for entities of type `USER`. - * The action requires a valid Full Contact API Key to be configured in the integration - settings. + 3. For each user, it extracts the email address and the associated domain. - * It specifically targets entities of type **USER** (interpreted as email addresses). + 4. It queries the Full Contact API (`/v3/person.enrich` and `/v3/company.enrich`) + to retrieve contextual data. - * It handles the asynchronous nature of the Full Contact API by polling when a - `202 Accepted` status is received during domain enrichment. + 5. It parses the API response to extract details such as company name, industry, + location, employee count, and person-specific details like title and LinkedIn + profile. + 6. It updates the entity's `additional_properties` with the retrieved information. - ### Flow Description + 7. Finally, it updates the entities in the SOAR platform and returns the enrichment + results. - 1. **Configuration Retrieval**: Fetches the API Key from the 'Full Contact' integration - configuration. - 2. **Entity Filtering**: Iterates through the target entities and selects those - identified as `USER` types. + ### Parameters - 3. **Domain Extraction**: Parses the email address of the user entity to extract - the domain name. + | Parameter | Type | Mandatory | Description | - 4. **Company Enrichment**: Queries the Full Contact `company.enrich` endpoint - using the extracted domain. It includes logic to retry if the API returns a 202 - status. + | :--- | :--- | :--- | :--- | - 5. **Person Enrichment**: Queries the Full Contact `person.enrich` endpoint using - the user's email address. + | API Key | String | Yes | The API key required to authenticate with the Full + Contact API. This is retrieved from the integration configuration. | - 6. **Data Mapping**: Maps the retrieved JSON data (Company Name, Industry, Founded - Year, Employees, Website, Location, Gender, Title, LinkedIn) to a local dictionary. - 7. **Internal Update**: Updates the `additional_properties` of the entity within - Google SecOps with the enriched data. + ### Additional Notes - 8. **Finalization**: Updates the entities in the case and returns a JSON result - containing the enrichment details for all processed entities. + This action only processes entities of type `USER`. If other entity types are + provided, they will be ignored. The action relies on the `Full Contact` integration + configuration to obtain the necessary API credentials. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,10 +83,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' field of USER entities with data retrieved - from Full Contact. + Updates the entity's `additional_properties` with retrieved enrichment data. + reasoning: >- + The action fetches data from an external API (Full Contact) to enrich user entities. + It updates the entity's `additional_properties` within the SOAR platform, which + is an allowed internal mutation for enrichment actions. It does not modify external + systems or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Full Contact) and updates internal + entity properties. It does not mutate external systems. This fits the definition + of an Enrichment Action. entity_usage: entity_types: - USERUNIQNAME @@ -82,42 +111,52 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `if + ent.entity_type == EntityTypes.USER`. Therefore, it only processes `USER` entities. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a connectivity test (Ping). It does not perform actual enrichment + of entities, update alerts, or modify external systems. It is strictly for verifying + API connectivity. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Full Contact service. Its primary purpose is to ensure that the integration's - API Key is correctly configured and that the environment can successfully communicate - with the Full Contact API endpoints. - - - ### Parameters Description - - There are no user-facing parameters for this action. It relies entirely on the - 'API Key' provided in the integration's configuration settings. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the 'API Key' from the Full - Contact integration configuration. - - 2. **API Connection Attempt**: It initializes a connection to the Full Contact - API and performs a test request to the company enrichment endpoint (`https://api.fullcontact.com/v3/company.enrich`) - using the hardcoded domain 'google.com'. - - 3. **Validation**: The action checks the response from the API. If a 401 Unauthorized - status is returned, it raises an exception to notify the user of invalid credentials. - - 4. **Result Reporting**: If the request is successful, the action returns a success - message and a boolean result of `True`. - - - ### Additional Notes - - This action does not interact with or process any entities within a case. It is - a diagnostic tool used for integration setup and troubleshooting. + General Description: This action verifies connectivity to the Full Contact API + by executing a sample domain enrichment request for the domain google.com. It + is designed to test the integration's authentication and network reachability. + Parameters: There are no parameters for this action. Flow Description: 1. Initialize + the SiemplifyAction object. 2. Retrieve the API Key from the Full Contact integration + configuration. 3. Instantiate the FullContactManager with the retrieved API Key. + 4. Execute the enrich_domain method using the hardcoded domain google.com. 5. + Validate the response status; if a 401 error occurs, raise an exception. 6. Terminate + the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -128,8 +167,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an API request to verify connectivity. It fetches data from + an external source but does not modify any external or internal systems. categories: enrichment: false + reasoning: >- + Although the action performs an API call that retrieves data, it is named Ping. + According to the guidelines, actions named Ping must not be categorized as enrichment + actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,3 +191,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses a hardcoded domain + string (google.com) for the connectivity test. diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6a1de684f --- /dev/null +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'full_contact' integration provides identity resolution and enrichment services + for User entities. It retrieves professional and company-related metadata (e.g., + industry, title, location) to enrich user profiles within the SOAR platform. It + does not perform threat intelligence (reputation, risk scores, malware analysis), + nor does it manage identity (suspension, password resets) or manage hardware assets. + While it provides context about users, it does not fit the specific 'Expected + Outcome' definitions for IAM (which requires management capabilities) or Asset + Inventory (which focuses on device management). Therefore, it does not align with + any of the provided product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml index 271666f70..f070246b2 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml @@ -1,56 +1,78 @@ Create Content: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a write operation on an external Google Document. It does + not match any of the provided security-focused categories (e.g., IOC enrichment, + ticketing, containment, identity management, or email/file operations). Therefore, + all categories are set to false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create Content** action allows users to programmatically insert text into - a specific Google Document. It is designed to automate document updates by taking - a structured JSON input that defines the text to be added and the specific character - offsets (indices) where the text should be placed. + This action updates a Google Document by inserting text at specified locations. + It leverages the Google Docs API to perform batch updates on a document identified + by its ID. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Document Id | The unique identifier of the Google Document. This can be extracted - from the document's URL (e.g., https://docs.google.com/document/d/**{DocumentId}**/). - | String | Yes | + | Document Id | string | Yes | The unique identifier of the Google Document to + be updated. This can be found in the document's URL. | - | Json | A JSON-formatted string containing an array of items to insert. Each - item must include an `index` (the character position) and `text` (the content - to insert). | Code/String | Yes | + | Json | code | Yes | A JSON-formatted string containing the items to insert. + Each item must specify the `index` (offset) and `text` to be inserted. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Google service account credentials - from the integration configuration and the `Document Id` and `Json` payload from - the action parameters. + 1. The action extracts the `Document Id` and the `Json` content payload from the + action parameters. - 2. **JSON Parsing:** The provided JSON string is parsed to extract the list of - insertion items. + 2. The `Json` parameter is parsed to extract the list of items, each containing + an `index` and `text`. - 3. **Request Construction:** For each item in the input, the action constructs - a Google Docs `insertText` request object, mapping the text to the specified location - index. + 3. A batch update request is constructed for each item. - 4. **API Execution:** The action initializes the `GoogleDocsManager` and sends - a `batchUpdate` request to the Google Docs API for the specified document. + 4. The `GoogleDocsManager` executes the batch update request against the specified + Google Document. - 5. **Result Handling:** The response from the Google Docs API is attached as a - JSON result, and the action completes with a success message. + 5. The result of the operation is added to the action results. ### Additional Notes - - The `index` values in the JSON input are zero-based character offsets. Providing - an index that exceeds the document's current length or falls within certain protected - structures may cause the API to return an error. - - - This action requires a service account with appropriate permissions (Drive/Docs - scopes) to modify the target document. + This action performs a direct mutation on an external Google Document. It does + not interact with any SOAR entities or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,12 +81,20 @@ Create Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the content of an existing Google Document by inserting - text at specified indices using the Google Docs API batchUpdate method. + Modifies the content of an external Google Document by inserting text at specified + indices. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on a Google Document via the Google Docs + API, which is an external system mutation. It does not fetch data, nor does + it modify internal SOAR data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies an external Google Document. It + does not fetch data for enrichment purposes, nor does it meet the criteria for + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -80,54 +110,88 @@ Create Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities` or any entity objects. + It relies solely on action parameters provided by the user. Therefore, it does + not process any entity types. Create Document: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a document in Google Drive. It does not match any of the + provided security-specific categories such as 'Create Ticket', 'Send Email', + or 'Enrich IOC'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Creates a new Google Document and configures sharing permissions for specified - users. This action automates the document creation process within Google Workspace, - allowing for immediate collaboration by assigning roles such as Owner, Writer, - or Reader to a list of email addresses. + ### General Description + This action creates a new Google Document and configures sharing permissions for + specified users. It leverages the Google Drive and Google Docs APIs to generate + a document with a custom title and assign specific access roles (Owner, Writer, + or Reader) to a list of email addresses. - ### Flow Description: - 1. **Authentication**: Initializes the Google Docs and Drive API clients using - the provided service account credentials. + ### Flow Description - 2. **Document Creation**: Sends a request to the Google Docs API to create a blank - document with the user-defined title. + 1. **Extraction**: The action extracts the `Title`, `Role`, and `Emails` parameters + from the action configuration. - 3. **Permission Assignment**: Parses the semicolon-separated list of email addresses - and, for each email, calls the Google Drive API to grant the specified access - role (Owner, Writer, or Reader). + 2. **Initialization**: It initializes the `GoogleDocsManager` using the provided + credentials to authenticate with Google Drive and Docs services. - 4. **Metadata Retrieval**: Fetches the full metadata of the created file from - Google Drive to confirm successful creation and configuration. + 3. **Creation**: It creates a new document via the Google Docs API. - 5. **Output**: Returns the document metadata as a JSON result and provides the - Document ID as the action's output value. + 4. **Permission Assignment**: It iterates through the provided email addresses + and applies the specified permission role to the newly created document using + the Google Drive API. + 5. **Result**: It retrieves the metadata of the created file and returns it as + the action result. - ### Parameters Description: + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Title | String | Yes | The title of the document to be created. Default is 'New - Document'. | - - | Role | DDL | Yes | The access level granted to the specified emails. Options: - 'owner' (full control), 'writer' (can edit/comment), 'reader' (view only). | + | Title | string | Yes | The title of the document to be created. | - | Emails | String | Yes | A semicolon-separated list of email addresses (e.g., - 'user1@example.com;user2@example.com') that will receive the specified permissions. + | Role | ddl | Yes | The permission level to assign: "owner", "writer", or "reader". | + | Emails | string | Yes | A semicolon-separated list of email addresses to share + the document with. | - ### Additional Notes: - * This action requires a service account with the 'https://www.googleapis.com/auth/drive.file' - scope enabled. + ### Additional Notes + + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -136,12 +200,20 @@ Create Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new document in Google Docs and modifies file permissions in Google - Drive to share the document with specified email addresses. - fetches_data: true + Creates a new document in Google Drive and assigns permissions to specified + users. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs an external mutation by creating a document in Google Drive + and setting permissions. It does not fetch contextual data for entities or alerts, + nor does it modify internal SOAR case data. categories: enrichment: false + reasoning: >- + The action is a creation/mutation task (creating a document) and does not meet + the criteria for an enrichment action, which requires fetching data without + mutating external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -157,50 +229,68 @@ Create Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates based + on input parameters provided by the user. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enriching IOCs, creating tickets, blocking hosts). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to Google Docs and Google Drive by performing a test API request. + This action verifies that the provided credentials are valid and that the integration + can successfully communicate with the Google services. - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Google Docs/Drive API. Its primary purpose is to validate - that the provided service account credentials are correct and that the integration - can successfully communicate with Google's services. + ### Parameters - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Credentials Json | String | Yes | This is an integration-level configuration - parameter. It requires the full JSON content of a Google Service Account key to - authenticate requests. | - - - ### Additional Notes - - - This action does not require or process any entities from the Google SecOps - environment. - - - It is a read-only operation used strictly for testing the API handshake. + | Credentials Json | String | Yes | The JSON content containing the service account + credentials required to authenticate with Google Docs and Drive. | ### Flow Description - 1. **Credential Retrieval**: The action extracts the `Credentials Json` from the - integration's global configuration. + 1. The action retrieves the `Credentials Json` parameter from the integration + configuration. - 2. **Service Initialization**: It initializes the `GoogleDocsManager`, which parses - the JSON credentials and builds the authorized Google Drive and Google Docs service - clients. + 2. It initializes the `GoogleDocsManager` using the provided credentials. - 3. **API Verification**: The action executes a `test_connectivity` call, which - performs a `list` operation on the Google Drive API to verify that the service - account has active access. + 3. It executes a `test_connectivity` method, which performs a `files().list` request + to the Google Drive API to verify access. - 4. **Status Reporting**: If the API call succeeds, the action returns a success - message indicating a functional connection. + 4. If the request succeeds, the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -209,10 +299,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only API call (`files().list`) to verify connectivity. + It does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. Per the instructions, + 'Actions named Ping must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -228,45 +324,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It is a global connectivity + test. Remove Content: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies a Google Doc by deleting content. It does not match any + of the predefined categories (Enrichment, Ticket management, Identity management, + Host containment, Email management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Removes specific content from a Google Document using its unique ID and a JSON-formatted - list of index ranges. This action is primarily used for automated document editing, - such as removing sensitive information or cleaning up generated reports. + This action removes specific content ranges from a Google Doc. It utilizes the + Google Docs API to perform a batch update, deleting text or elements defined by + start and end indices provided in the input configuration. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the `Document Id` and `Json` parameters from the configuration. - | :--- | :--- | :--- | :--- | + 2. It parses the `Json` parameter to retrieve a list of items, where each item + contains `start_index` and `end_index` values. - | **Document Id** | String | Yes | The unique identifier of the Google Document. - This can be found in the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). - | + 3. It constructs a list of `deleteContentRange` requests based on the parsed indices. - | **Json** | Code (JSON) | Yes | A JSON object containing an array of items. Each - item must include `start_index` and `end_index` to define the range of characters - to be deleted. | + 4. The action initializes the `GoogleDocsManager` and executes the batch update + request against the specified Google Doc. + 5. Finally, it returns the result of the operation. - ### Flow Description - 1. **Initialization**: Retrieves the Google Docs service credentials from the - integration configuration. + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 2. **Input Parsing**: Extracts the `Document Id` and the `Json` payload containing - the deletion ranges. + | Document Id | string | Yes | The unique identifier of the Google Doc, found + in the document URL. | - 3. **Request Construction**: Iterates through the provided JSON items to build - a list of `deleteContentRange` requests compatible with the Google Docs API. + | Json | code | Yes | A JSON object containing a list of items, where each item + specifies the `start_index` and `end_index` of the content to be removed. | - 4. **Execution**: Sends a `batchUpdate` request to the Google Docs API for the - specified document. - 5. **Completion**: Returns the API response and logs the success of the operation. + ### Additional Notes + + This action performs a destructive mutation on an external Google Doc. Ensure + the provided indices are correct to avoid unintended data loss. capabilities: can_create_case_comments: false can_create_insight: false @@ -275,12 +408,20 @@ Remove Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes content ranges within a Google Document via the Google Docs API batchUpdate - method. + Modifies a Google Doc by deleting specified content ranges via the Google Docs + API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on an external Google Doc to delete content. + It does not fetch data, nor does it interact with internal SOAR entities or + case data. It is a pure external mutation action. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Google Docs) and does + not retrieve information or perform any of the allowed internal mutations (comments, + insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -296,14 +437,49 @@ Remove Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It operates on a + specific `Document Id` provided as a parameter. Replace Content: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the content of a Google Doc. None of the provided product + categories (which are focused on security operations like IOCs, tickets, identities, + or alerts) cover document content modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Replaces specific text strings within a Google Document using the Google Docs - API. This action allows for bulk find-and-replace operations based on a provided - JSON configuration, making it ideal for automating document updates, template - filling, or report generation. + This action modifies the content of a Google Doc by replacing specific text strings + based on a provided JSON configuration. It leverages the Google Docs API to perform + batch updates on a target document, allowing for automated document editing within + a SOAR workflow. ### Parameters Description @@ -312,31 +488,30 @@ Replace Content: | :--- | :--- | :--- | :--- | - | Document Id | string | Yes | The unique identifier of the Google Document. This - can be found in the document's URL (e.g., https://docs.google.com/document/d/**{DocumentId}**/). - | + | Document Id | string | Yes | The unique identifier of the Google Doc to be modified. + This can be found in the document's URL. | - | Json | code | Yes | A JSON-formatted string containing the replacement rules. - It must include an `items` array where each object specifies `text_to_search`, - `text_to_replace`, and `match_case` (a string value of "true" or "false"). | + | Json | code | Yes | A JSON object containing a list of replacement items. Each + item must include `text_to_search` (the string to find), `text_to_replace` (the + new string), and `match_case` (a boolean string indicating if the search should + be case-sensitive). | ### Flow Description - 1. **Initialization**: The action retrieves the Google service account credentials - from the integration configuration and extracts the Document ID and replacement - JSON from the action parameters. + 1. **Parameter Extraction**: The action extracts the `Document Id` and the `Json` + configuration string from the action parameters. + + 2. **JSON Parsing**: The `Json` string is parsed into a list of replacement items. - 2. **Request Preparation**: It parses the input JSON string and iterates through - the items to construct a list of `replaceAllText` requests. Each request defines - the search string, the replacement string, and whether the search should be case-sensitive. + 3. **Request Construction**: For each item, a `replaceAllText` request is constructed, + incorporating the search text, replacement text, and case-sensitivity settings. - 3. **API Execution**: The action initializes the `GoogleDocsManager` and executes - a `batchUpdate` call to the Google Docs API with the constructed requests for - the specified Document ID. + 4. **Execution**: The action initializes the `GoogleDocsManager` and executes + a batch update request against the specified Google Doc. - 4. **Completion**: The API response is captured and added to the action's JSON - results, and the action concludes with a success message. + 5. **Result**: The result of the batch update is added to the action output, and + the action concludes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -345,12 +520,19 @@ Replace Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the content of a Google Document by performing a batch update to replace - specified text strings. + Modifies the content of a Google Doc by replacing specific text strings. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on an external Google Doc, which constitutes + an external system mutation. It does not fetch data from external sources, nor + does it modify internal SOAR entities, alerts, or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies external data (Google Docs). It + does not fetch data for enrichment purposes, nor does it meet the criteria for + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -366,3 +548,6 @@ Replace Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Google Doc ID provided as a parameter and + does not interact with or iterate over `target_entities`. diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6f3937dd9 --- /dev/null +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'google_docs' integration provides functionality to create, update, remove, + and replace content within Google Documents. These actions are general-purpose + document management tasks and do not align with any of the defined security-focused + product categories. The integration does not perform SIEM log analysis, EDR host + containment, threat intelligence enrichment, network security blocking, email + management, identity management, cloud resource monitoring, ITSM ticketing, vulnerability + assessment, asset inventory management, or collaboration/notification tasks. Therefore, + all product category flags are set to false. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml index 1d770e3b6..6a7a123f3 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml @@ -1,46 +1,82 @@ Add Permission: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies permissions on a file in Google Drive. It does not match + any of the predefined categories (e.g., IOC enrichment, ticket management, identity + management, or host containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Adds permissions for a specific file stored in Google Drive. This action allows + users to grant access to a file by specifying the file ID, the desired role (owner, + writer, or reader), and a list of email addresses. - Adds permissions for a specific file stored in Google Drive to one or more users. - This action allows administrators to programmatically manage access control by - assigning roles such as Owner, Writer, or Reader to specific email addresses. + ### Flow Description - ### Parameters Description + 1. The action extracts the required parameters: `File Id`, `Role`, `Emails`, and + `Should send notification`. - | Parameter | Type | Mandatory | Description | + 2. It initializes the `GoogleDriveManager` using the provided credentials. - | :--- | :--- | :--- | :--- | + 3. The `Emails` parameter is parsed into a list by splitting the semicolon-separated + string. - | **File Id** | String | Yes | The unique ID of the file in Google Drive. This - can be found in the file's URL. | + 4. The action iterates through each email address and calls the Google Drive API + to insert the specified permission for the given file. - | **Role** | DDL | Yes | The level of access to grant. Options include: `owner` - (full control), `writer` (can edit and comment), and `reader` (view only). | + 5. Upon completion, the action returns a success message indicating the permissions + were granted. - | **Emails** | String | Yes | Semicolon-separated list of email addresses to which - permissions will be granted (e.g., `user1@example.com;user2@example.com`). | - | **Should send notification** | Boolean | No | If set to true, Google Drive will - send an email notification to the users about the granted permission. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action extracts the Google Drive service account credentials - from the integration configuration and the specific file ID, role, and email list - from the action parameters. + | File Id | string | Yes | The unique identifier of the file in Google Drive. + | - 2. **Parsing**: The semicolon-separated string of email addresses is split into - a list of individual emails. + | Role | ddl | Yes | The permission level to grant: "owner", "writer", or "reader". + | - 3. **API Interaction**: For each email address in the list, the action calls the - Google Drive API's permissions endpoint to create a new permission entry with - the specified role and notification settings. + | Emails | string | Yes | Semicolon-separated list of email addresses to grant + access to. | - 4. **Completion**: The action returns a success message confirming that the permissions - were granted for the specified file. + | Should send notification | boolean | No | Whether to send an email notification + to the user. Defaults to "true". | + + + ### Additional Notes + + This action performs a mutation on the external Google Drive system by modifying + file permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,12 +85,18 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new permission entries to Google Drive files, which modifies the access - control list (ACL) of the resource in the external Google Drive system. + Modifies file permissions in Google Drive by adding users with specified roles. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Google Drive API to insert a permission + for a specific file. It does not fetch data for enrichment, nor does it modify + internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying external file permissions) and does + not fetch data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -70,14 +112,48 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates on a file ID provided + as a parameter. Delete File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a file from Google Drive. This does not match any of the + provided categories, which are focused on IOCs, assets, tickets, emails, or + host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Delete File** action permanently removes a specific file from Google Drive - using its unique File ID. This action is typically used in response to security - incidents where a malicious or sensitive file needs to be purged from the cloud - environment to prevent further access or distribution. + Deletes a specific file from Google Drive using the provided File ID. This action + interacts with the Google Drive API to permanently remove the file, skipping the + trash. ### Parameters Description @@ -86,34 +162,29 @@ Delete File: | :--- | :--- | :--- | :--- | - | **File Id** | String | Yes | The unique identifier of the file to be deleted. - This ID is found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). + | File Id | string | Yes | The unique identifier of the file to be deleted, which + can be found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). | - ### Additional Notes + ### Flow Description - * **Permanent Deletion**: This action performs a permanent deletion, meaning - the file skips the Google Drive trash/bin and cannot be easily recovered. + 1. Extract the `Credentials Json` from the integration configuration. - * **No Entity Context**: This action does not automatically process entities - from the alert; it requires the specific File ID to be provided manually or via - a previous playbook step. + 2. Extract the `File Id` from the action parameters. + 3. Initialize the `GoogleDriveManager` with the provided credentials. - ### Flow Description + 4. Call the `delete_file` method, which invokes the Google Drive API to permanently + delete the specified file. - 1. **Credential Setup**: The action extracts the service account credentials - from the integration configuration to authenticate with the Google Drive API. + 5. Return a success message indicating the file has been deleted. - 2. **Input Validation**: It retrieves the mandatory `File Id` parameter provided - in the action configuration. - 3. **API Execution**: The action utilizes the `GoogleDriveManager` to call the - Google Drive API's delete method for the specified file identifier. + ### Additional Notes - 4. **Finalization**: Upon successful execution, the action returns a confirmation - message stating that the file was successfully deleted. + This action performs a destructive operation on an external system. Ensure the + `File Id` is correct before executing, as the deletion is permanent. capabilities: can_create_case_comments: false can_create_insight: false @@ -122,12 +193,17 @@ Delete File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a file from the external Google Drive storage, bypassing - the trash folder. + Permanently deletes a file from Google Drive. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive API call to Google Drive to delete a file. + It does not fetch data, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a destructive operation (deletion) on an external system. It does + not fetch data or perform enrichment, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -143,28 +219,53 @@ Delete File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers + from the SOAR case. It accepts a `File Id` parameter directly from the user/configuration. Download File To Base64: - ai_description: "### General Description\nThe **Download File To Base64** action\ - \ retrieves a file from Google Drive using its unique File ID and converts the\ - \ file's content into a Base64-encoded string. This is particularly useful for\ - \ automated workflows that need to process file contents (e.g., for malware analysis,\ - \ attachment forwarding, or document parsing) without requiring local file system\ - \ storage. It supports both standard binary files and Google Workspace documents\ - \ (Docs, Sheets, Slides) by automatically converting them to standard formats\ - \ (DOCX, XLSX, PPTX) during the download process.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **File Id** | String | Yes | The unique identifier of the file in Google Drive.\ - \ This ID can be found in the file's sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`).\ - \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ - \ Google Drive manager using the provided service account credentials.\n2. **Metadata\ - \ Retrieval**: It fetches the metadata for the specified `File Id` to determine\ - \ the file name and MIME type.\n3. **Download Logic**: \n * If the file\ - \ is a Google Workspace document (Doc, Sheet, or Slide), the action uses the `export`\ - \ method to convert it into a Microsoft Office format (DOCX, XLSX, or PPTX).\n\ - \ * If the file is a standard binary file, it uses the direct `get_media`\ - \ download method.\n4. **Encoding**: The downloaded binary stream is converted\ - \ into a Base64 string.\n5. **Output**: The action returns a JSON object containing\ - \ the file name, MIME type, size (for binary files), and the Base64-encoded content." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action downloads a file from Google Drive and returns its content in Base64 + format. This matches the 'Download File' category. It does not perform any other + actions like enrichment, blocking, or ticket creation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Downloads a file from Google Drive and converts it to a Base64 string for further + analysis or processing within the SOAR platform. The action flow is as follows: + 1. Extract the Google Drive credentials from the integration configuration. 2. + Extract the File Id parameter provided by the user. 3. Initialize the GoogleDriveManager + using the provided credentials. 4. Fetch the file metadata and binary content + from Google Drive using the File Id. 5. Convert the binary file content into a + Base64 encoded string. 6. Return the file name, type, and Base64 content as a + JSON result to the SOAR platform. Parameters: | Parameter | Type | Mandatory | + Description | | :--- | :--- | :--- | :--- | | File Id | string | Yes | The unique + identifier of the file in Google Drive, typically found in the file URL. | capabilities: can_create_case_comments: false can_create_insight: false @@ -175,8 +276,15 @@ Download File To Base64: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves file content from Google Drive and returns it as a Base64 + string. It does not modify external data or internal SOAR data. It fetches data + (the file content) but does not perform any mutations. categories: enrichment: false + reasoning: >- + The action downloads a file. According to the provided instructions, actions + that download files must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -192,59 +300,88 @@ Download File To Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It relies on a user-provided File Id parameter. Download File To Path: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action's primary purpose is to retrieve a file from a remote source (Google + Drive) and save it locally. This directly matches the 'Download File' category. + It does not perform any other operations such as enrichment, containment, or + ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Downloads a file stored in Google Drive to a specific local path on the system - where the action is executed. This action is designed to retrieve files for local - processing, analysis, or storage within a workflow. It supports both standard - binary files and Google Workspace documents (Docs, Sheets, Slides) by automatically - converting them to standard formats (docx, xlsx, pptx) during the download process. - + This action downloads a specific file from Google Drive to a designated local + folder path. It utilizes the Google Drive API to retrieve file metadata and content, + handling various file types (including Google Docs, Sheets, and Slides by exporting + them to standard formats) and saving them to the local filesystem. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | File Id | String | Yes | The unique identifier of the file in Google Drive. - This can be extracted from the file's sharing URL. | + 1. **Initialization**: The action initializes the `GoogleDriveManager` using the + provided credentials. - | Folder Path | String | Yes | The local directory path on the runner where the - file should be saved. | + 2. **Parameter Extraction**: It extracts the `File Id` (the unique identifier + of the file in Google Drive) and the `Folder Path` (the local destination directory) + from the action parameters. + 3. **File Retrieval**: The action fetches the file metadata and binary content + from Google Drive. If the file is a Google Workspace document (Doc, Sheet, Presentation), + it exports it to a compatible format (docx, xlsx, pptx). - ### Additional Notes + 4. **File Saving**: The file is written to the specified local `Folder Path`. - - **Parameter Discrepancy**: While the configuration metadata indicates that 'Folder - Path' is optional with a default value of `/temp`, the Python implementation explicitly - marks it as mandatory during extraction. Users should ensure this value is provided. + 5. **Result**: The action returns a JSON result containing the file name, type, + and the full path where the file was saved. - - **File Conversion**: Google-native files are exported to OpenXML formats (e.g., - Google Docs to .docx) to ensure they can be opened locally. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Initialization**: Authenticates with the Google Drive API using the provided - service account credentials. + | :--- | :--- | :--- | :--- | - 2. **Metadata Fetching**: Retrieves the file's metadata from Google Drive to identify - its name and MIME type. + | File Id | string | Yes | The unique identifier of the file in Google Drive, + typically found in the file URL. | - 3. **Type Determination**: Checks if the file is a Google Workspace document. - If so, it selects the appropriate export format (docx, pptx, or xlsx). + | Folder Path | string | Yes | The local directory path where the file should + be saved. | - 4. **Data Retrieval**: Downloads the file content. It uses `export_media` for - Google Workspace files and `get_media` for standard binary files. - 5. **File Writing**: Saves the binary stream to the specified local `Folder Path` - using the original file name (and appropriate extension if converted). + ### Additional Notes - 6. **Result Reporting**: Returns a JSON object containing the file name, type, - and the final local path where the file was saved. + This action performs a read-only operation on the external Google Drive system + (downloading) and does not modify or delete files in the source system. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,8 +392,16 @@ Download File To Path: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves file content from an external system (Google Drive) and + saves it locally. It does not modify the external system state (no POST/PUT/DELETE + on Drive files), nor does it modify internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + While the action fetches data (the file content), the instructions explicitly + state that actions that download files must not be categorized as enrichment + actions. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -272,49 +417,81 @@ Download File To Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on the `File Id` provided as an input parameter to identify + the target file. Get File Metadata: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves file metadata from Google Drive. It does not perform enrichment + on entities, update alerts, or interact with tickets. It is a standalone utility + action for file information retrieval. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves comprehensive metadata for a specific file stored in Google Drive. This - action allows users to fetch detailed information about a file, including its - name, MIME type, size, creation/modification times, and ownership details, using - the unique Google Drive File ID. + Retrieves detailed metadata for a specified file from Google Drive. This action + is a utility tool that allows analysts to fetch file information, such as name, + type, and size, directly from the Google Drive API using a file identifier. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file, which can be found - in the file's URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). | + | File Id | string | Yes | The unique identifier of the file in Google Drive. + This can be found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + | ### Additional Notes - This action does not process or filter Google SecOps entities. It operates strictly - on the provided `File Id` parameter. It is a read-only operation and does not - modify any data in Google Drive. + This action does not operate on entities and is intended for standalone file information + retrieval. It requires valid Google Drive credentials configured in the integration + settings. ### Flow Description - 1. **Credential Retrieval**: Extracts the Google service account credentials from - the integration configuration. + 1. The action extracts the `Credentials Json` from the integration configuration. - 2. **Parameter Extraction**: Retrieves the mandatory `File Id` provided by the - user. + 2. The action extracts the `File Id` from the action parameters. - 3. **API Connection**: Initializes the Google Drive API client using the provided - credentials. + 3. The `GoogleDriveManager` is initialized using the provided credentials. - 4. **Metadata Retrieval**: Executes a GET request to the Google Drive API to fetch - all available metadata fields for the specified file. + 4. The action calls the Google Drive API `files().get` method to retrieve the + metadata for the specified file. - 5. **Output Generation**: Adds the retrieved metadata to the action's JSON results - and completes the action with a success message. + 5. The retrieved metadata is added to the action results as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -325,8 +502,16 @@ Get File Metadata: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Google Drive API to fetch file metadata. + It does not mutate external systems, nor does it modify internal SOAR data (entities, + insights, or case comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities or alerts, and it does not fetch supplemental + context for them. It is a utility action for retrieving file metadata, so it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -342,50 +527,56 @@ Get File Metadata: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It accepts a raw `File Id` string as a parameter, therefore it + does not operate on entities. Permission List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves file permissions from Google Drive. It does not match any + of the predefined categories (Enrich IOC, Enrich Asset, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Permission List** action retrieves a comprehensive list of permissions associated - with a specific file stored in Google Drive. This is useful for auditing access, - identifying over-privileged users, or verifying sharing settings during a security - investigation. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | File Id | String | Yes | The unique identifier of the file. This can be found - in the file's URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the service account credentials - from the integration configuration. - - 2. **Input Validation**: It extracts the mandatory `File Id` provided by the user - as an action parameter. - - 3. **API Interaction**: The action connects to the Google Drive API using the - `GoogleDriveManager` and calls the permissions list endpoint for the specified - file. - - 4. **Data Processing**: It counts the number of permission entries returned by - the API. - - 5. **Result Delivery**: The full list of permissions is attached as a JSON result - (`JsonResult`), and the action completes with a summary message indicating the - total count of permissions found. - - - ### Additional Notes - - This action does not interact with Google SecOps entities automatically; it requires - the manual input of a File ID. There are no parameters that depend on each other. + **General Description**: Retrieves the list of users and their permissions for + a specific file in Google Drive. This action allows analysts to audit access controls + for files stored in the organization's Google Drive environment. **Parameters + Description**: File Id (string, mandatory): The ID of the file to retrieve permissions + for. This ID is found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + **Additional Notes**: This action does not modify any data. It is a read-only + operation that returns the permission list as a JSON result. **Flow Description**: + 1. Extract the Credentials Json from the integration configuration. 2. Extract + the File Id from the action parameters. 3. Initialize the GoogleDriveManager using + the provided credentials. 4. Call the list_permissions method to fetch the permission + data from the Google Drive API. 5. Add the retrieved permission list to the action + result. 6. End the action with a summary message indicating the number of permissions + found. capabilities: can_create_case_comments: false can_create_insight: false @@ -396,8 +587,14 @@ Permission List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves permission data from Google Drive via the API. It does + not modify external systems or internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action fetches data (permissions) but does not operate on entities or alerts. + It is a utility action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -413,36 +610,52 @@ Permission List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use siemplify.target_entities. It takes a File Id as a direct + parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Google Drive service. Its primary purpose is to - ensure that the integration's configuration, specifically the service account - credentials, is valid and that the Google Drive API is reachable. - - - ### Parameters - - This action does not require any input parameters. It utilizes the **Credentials - Json** provided in the integration's global configuration to authenticate. - - - ### Flow Description - - 1. **Authentication**: The action extracts the service account credentials from - the integration settings and initializes the Google Drive API client using the - `drive:v3` discovery service. - - 2. **API Verification**: It executes a test call to the Google Drive API by attempting - to list files with the `mimeType='image/jpeg'` filter. This specific call is used - as a lightweight check to confirm read permissions and network connectivity. - - 3. **Execution Completion**: If the API call succeeds, the action returns a success - message ('Connected successfully') and sets the execution state to completed. - If the credentials are invalid or the service is unreachable, the action will - fail with an error. + Checks connectivity to Google Drive. This action verifies that the provided service + account credentials are valid and that the integration can successfully communicate + with the Google Drive API. Flow: 1. Extracts the 'Credentials Json' parameter + from the configuration. 2. Initializes the Google Drive manager using the provided + credentials. 3. Performs a test API call (listing files) to verify connectivity. + 4. Returns a success message upon successful connection. Parameters: | Parameter + | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Credentials + Json | String | Yes | The JSON content containing service account credentials + for Google Drive authentication. | Additional Notes: This action is a connectivity + check (Ping) and does not perform any data enrichment or mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -453,8 +666,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by calling the Google Drive API to + list files. It does not modify external systems, update internal entities, or + create insights. It is a read-only operation used to verify configuration. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions'. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -470,57 +690,80 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + check. Remove Permission: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes a permission from a file in Google Drive. This does not align + with any of the provided categories (e.g., Enrich IOC, Contain Host, Update + Identity, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Removes a specific permission from a file in Google Drive. This action allows + administrators to revoke access rights for users or groups on a given file. - The **Remove Permission** action is designed to revoke a specific user or group's - access to a file stored in Google Drive. By providing the unique identifiers for - both the file and the permission, security teams can programmatically restrict - access as part of an incident response or data loss prevention (DLP) workflow. - - - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. Extracts the `Credentials Json` from the integration configuration to authenticate + with the Google Drive API. - | **File Id** | String | Yes | The unique identifier of the Google Drive file. - This can be found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). - | + 2. Extracts the `File Id` and `Permission Id` from the action parameters. - | **Permission Id** | String | Yes | The unique identifier for the specific permission - to be removed. This ID is typically retrieved using a 'List Permissions' action. - | + 3. Initializes the `GoogleDriveManager` using the provided credentials. + 4. Executes the `remove_permission` method, which calls the Google Drive API to + delete the specified permission for the given file. - ### Additional Notes + 5. Returns a success message confirming the removal of the permission. - - This action requires valid Google Drive API credentials with sufficient scopes - (`drive` or `drive.file`) to modify permissions. - - Removing a permission is a permanent action on the external system and cannot - be undone through this specific action (a new permission would need to be created). + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Extraction:** The action retrieves the Google Drive service - account credentials from the integration settings. + | File Id | string | Yes | The file ID, which can be found in the file URL (e.g., + `https://drive.google.com/drive/u/0/folders/{file-id}`). | - 2. **Parameter Retrieval:** It extracts the `File Id` and `Permission Id` provided - by the user or playbook. + | Permission Id | string | Yes | The ID of the permission to be removed. This + can be retrieved using the "List Permissions" action. | - 3. **Manager Initialization:** The `GoogleDriveManager` is initialized using the - credentials to establish a connection with the Google Drive API. - 4. **Execution:** The action calls the `remove_permission` method, which sends - a DELETE request to the Google Drive permissions endpoint for the specified file - and permission ID. + ### Additional Notes - 5. **Finalization:** Upon successful deletion, the action returns a success message - and terminates. + - This action performs a destructive mutation on the external Google Drive system. + Ensure the `Permission Id` is correct before executing, as this action cannot + be undone automatically. capabilities: can_create_case_comments: false can_create_insight: false @@ -529,12 +772,20 @@ Remove Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes a permission record associated with a file in Google Drive, - effectively changing the access control list (ACL) of the external resource. + Removes a specific permission from a file in Google Drive via the Google Drive + API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a delete operation on the Google Drive API to remove a permission + from a file. This is an external mutation. It does not fetch data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action performs a destructive mutation (deletion) on an external system + (Google Drive) and does not retrieve data for enrichment purposes. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -550,14 +801,49 @@ Remove Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses direct + input parameters (`File Id` and `Permission Id`) to identify the target resource. Upload File From Base64: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action uploads a file to Google Drive and sets permissions. This does not + align with any of the provided product categories, which are focused on security + operations (enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action uploads a file to Google Drive using a Base64 encoded string. It allows - users to specify a file name, provide the file content in Base64 format, and optionally - share the uploaded file with specific email addresses by granting them 'writer' - permissions. + Uploads a file from a Base64 encoded string to Google Drive and optionally shares + it with specified email addresses. This action automates the process of creating + files in Google Drive from Base64 data, which is useful for storing evidence or + reports generated during an investigation. ### Parameters Description @@ -566,46 +852,37 @@ Upload File From Base64: | :--- | :--- | :--- | :--- | - | File Name | String | Yes | The name of the file to be created in Google Drive - (e.g., 'report.pdf'). | - - | Share with emails | String | Yes | A semicolon-separated list of email addresses - (e.g., 'user1@example.com;user2@example.com') to grant 'writer' access to the - file. | - - | Base64 String | String | Yes | The content of the file encoded as a Base64 string. + | File Name | string | Yes | The name of the file to be created in Google Drive. | + | Share with emails | string | Yes | Semicolon-separated list of email addresses + to share the file with. | - ### Flow Description + | Base64 String | string | Yes | The Base64 encoded content of the file. | - 1. **Configuration Extraction**: The action retrieves the Google Drive service - account credentials from the integration settings. - 2. **Parameter Retrieval**: It extracts the file name, Base64 content, and the - list of emails to share with from the action inputs. + ### Additional Notes - 3. **Data Decoding**: The Base64 string is decoded into a binary stream for processing. + The action requires valid Google Drive API credentials configured in the integration + settings. While the 'Share with emails' parameter is marked as mandatory in the + configuration, the action will still proceed if it is empty, though no permissions + will be added. - 4. **File Upload**: The action interacts with the Google Drive API to create a - new file with the provided name and content. The MIME type is automatically determined - based on the file extension. - 5. **Permission Management**: If email addresses are provided, the action iterates - through each email and grants 'writer' permissions to the newly created file ID. + ### Flow Description - 6. **Result Reporting**: The action returns the metadata of the created file (including - the unique Google Drive File ID) and completes the execution. + 1. Extract configuration and action parameters (Base64 string, file name, and + optional email list). + 2. Initialize the Google Drive manager using provided credentials. - ### Additional Notes + 3. Upload the file to Google Drive using the provided Base64 content and file + name. - - The action uses the 'writer' role when sharing files, allowing recipients to - edit the document. + 4. If email addresses are provided, iterate through them and grant 'writer' permissions + to the uploaded file. - - If the 'Share with emails' parameter is empty or contains invalid emails, the - file upload will still proceed, but the sharing step may be skipped or fail for - specific entries. + 5. Return the file upload result. capabilities: can_create_case_comments: false can_create_insight: false @@ -614,12 +891,20 @@ Upload File From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a new file in the user's Google Drive and modifies file - permissions to grant access to specified email addresses. + Creates a new file in Google Drive and updates its sharing permissions. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (Google Drive) by uploading + a file and setting permissions. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Google Drive) by uploading + a file and setting permissions. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -635,54 +920,63 @@ Upload File From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any entity-specific + identifiers. It processes input parameters directly from the action configuration + to perform a file upload to Google Drive. Upload File From Path: - ai_description: >- - ### General Description - - The **Upload File From Path** action enables the automated uploading of files - from a local system path to a Google Drive account. This action is particularly - useful for archiving reports, logs, or evidence collected during an investigation. - Beyond simple uploading, it allows for immediate collaboration by sharing the - uploaded file with specified email addresses. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **File Path** | String | Yes | The absolute local path of the file to be uploaded - (e.g., `/tmp/evidence.zip`). | - - | **Share with emails** | String | Yes | A semicolon-separated list of email addresses - to grant 'writer' permissions to the uploaded file (e.g., `analyst@company.com;manager@company.com`). - | - - - ### Additional Notes - - - The action requires a valid Google Service Account JSON configuration to interact - with the Google Drive API. - - - Although the parameter 'Share with emails' is marked as mandatory in the configuration, - the script logic handles the sharing process iteratively for each email provided. - - - ### Flow Description - - 1. **Initialization**: The action extracts the Google Drive credentials and the - user-provided file path and email list. - - 2. **File Upload**: The `GoogleDriveManager` reads the file from the local path - and performs a multipart upload to Google Drive using the file's original name. - - 3. **Permission Assignment**: If email addresses are provided, the action iterates - through the list and calls the Google Drive Permissions API to grant 'writer' - access to each recipient. - - 4. **Result Reporting**: The action returns the Google Drive File ID and the complete - JSON metadata of the created file object. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action uploads a file to Google Drive and modifies permissions. It does + not match any of the predefined categories such as 'Enrich IOC', 'Contain Host', + or 'Submit File' (which is for sandbox analysis). Therefore, no categories are + selected. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Uploads a file from a specific local path to Google Drive and shares\ + \ it with specified users. \n\n### General Description\nThis action automates\ + \ the process of uploading a file from a local file system to a Google Drive account.\ + \ It also allows the user to share the uploaded file with one or more email addresses\ + \ by granting them 'writer' permissions. \n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| File Path |\ + \ string | Yes | The local path of the file to upload to Google Drive. |\n| Share\ + \ with emails | string | Yes | Semicolon-separated list of email addresses to\ + \ share the file with. |\n\n### Additional Notes\n- Both 'File Path' and 'Share\ + \ with emails' are mandatory parameters. Ensure the file path is accessible by\ + \ the SOAR agent and the email addresses are valid.\n\n### Flow Description\n\ + 1. Extract the 'Credentials Json' configuration parameter to authenticate with\ + \ the Google Drive API.\n2. Extract the 'File Path' and 'Share with emails' action\ + \ parameters.\n3. Initialize the 'GoogleDriveManager' using the provided credentials.\n\ + 4. Upload the file from the specified 'File Path' to Google Drive.\n5. If 'Share\ + \ with emails' is provided, iterate through the list of emails and grant 'writer'\ + \ permissions to the uploaded file using the file ID returned from the upload\ + \ operation.\n6. Return the file ID and metadata as a JSON result and end the\ + \ action." capabilities: can_create_case_comments: false can_create_insight: false @@ -691,12 +985,20 @@ Upload File From Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a new file resource in Google Drive and modifies the file's - permissions by adding new 'writer' roles for the specified email addresses. + Uploads a file to Google Drive and modifies file permissions to share it with + specified users. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a file upload to an external system (Google Drive) and modifies + file permissions (a mutation). It does not fetch data for enrichment, nor does + it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation (uploading a file) on an external system (Google + Drive) and does not retrieve data for enrichment purposes. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -712,3 +1014,6 @@ Upload File From Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with 'siemplify.target_entities' or any entity + objects. It performs a file upload operation based on provided parameters. diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..744549a6c --- /dev/null +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Google Drive integration provides utility actions for managing files, such + as adding permissions, deleting files, downloading content, and retrieving metadata. + It does not perform SIEM, EDR, or Network Security functions. It is not a Threat + Intelligence source for indicator reputation. It does not manage user identity + lifecycles (IAM) or email security workflows. It does not interact with cloud + infrastructure (GCP/AWS/Azure) for configuration or vulnerability management. + It does not perform ITSM or Asset Inventory functions, nor does it facilitate + collaboration via messaging platforms. Therefore, it does not fit into any of + the provided security product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml index c6f8d8d62..5b64489ee 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml @@ -1,45 +1,47 @@ Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a URL (indicator). + This matches the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or identity management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Lookup** action checks a specific URL against the Google Safe Browsing database - to determine if it is safe for browsing or potentially malicious (e.g., hosting - malware or phishing). It provides a direct way to verify the reputation of a URL - without necessarily linking it to a specific entity in the current case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Url** | String | Yes | The specific URL to be checked in Google Safe Browsing. - Defaults to a Google malware testing URL if not provided. | - - - ### Flow Description - - 1. **Configuration Retrieval**: The action retrieves the API Key from the integration - configuration and the target URL from the action parameters. - - 2. **API Interaction**: It initializes the SafeBrowsing manager and performs a - lookup for the provided URL. - - 3. **Data Processing**: The raw JSON response from the API is added to the action - results for downstream use. - - 4. **Status Evaluation**: The action parses the response to determine if the URL - is flagged as malicious. - - 5. **Completion**: The action ends with a status message and a boolean result - indicating the maliciousness of the URL. - - - ### Additional Notes - - This action does not automatically process entities from the case; it relies strictly - on the URL provided in the input parameter. + This action checks if a specific URL is safe for browsing by querying the Google + Safe Browsing API. It retrieves the malicious status of the URL and provides the + result for further analysis. ### Parameters | Parameter | Type | Mandatory | Description + | | --- | --- | --- | --- | | Url | string | Yes | The URL you would like to check + in Google Safe Browsing. | ### Flow 1. Extract API key from configuration and + URL from action parameters. 2. Initialize the SafeBrowsing manager. 3. Query the + Google Safe Browsing API for the provided URL. 4. Add the raw JSON result to the + action output. 5. Terminate the action with a status message indicating if the + URL was found malicious. ### Additional Notes This action does not operate on + entities and does not modify any internal or external data. capabilities: can_create_case_comments: false can_create_insight: false @@ -50,8 +52,17 @@ Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a lookup against the Google Safe Browsing API to determine + if a URL is malicious. It fetches data (fetches_data=true) but does not mutate + external systems (can_mutate_external_data=false) or internal SOAR data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Google Safe Browsing) but does + not operate on SOAR entities or update internal case data. Therefore, it does + not meet the criteria for an Enrichment Action as defined, which requires gathering + context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -67,40 +78,51 @@ Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It extracts a URL from the action parameters and performs a lookup. Therefore, + it does not run on entities. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enrichment, containment, ticket management). Therefore, + it does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity between Google SecOps and the Google Safe Browsing service. - This action is primarily used to verify that the provided API Key is valid and - that the environment can reach the Google Safe Browsing API endpoints. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action has no input parameters. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the 'Api Key' from the integration's - global configuration. - - 2. **Connectivity Test**: Initializes the Safe Browsing client and performs a - lookup for a hardcoded test URL (`http://malware.testing.google.test/testing/malware/`). - - 3. **Result Reporting**: If the API call is successful, the action concludes with - a success message. - - - ### Additional Notes - - This action does not process any entities from the case; it uses a static test - URL to validate the connection. + General Description: This action tests connectivity to the Google Safe Browsing + service. It verifies that the integration is correctly configured and can communicate + with the external API by performing a test URL lookup. Parameters: Api Key (Mandatory, + String): The API key used to authenticate with the Google Safe Browsing service. + Flow: 1. Extract the Api Key from the integration configuration. 2. Initialize + the SafeBrowsing client using the provided key. 3. Execute a test URL lookup against + a known test URL. 4. Return a success message if the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -109,10 +131,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify the integration configuration. + It does not fetch contextual data on alerts or entities, nor does it mutate + any external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action according to the provided rules. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -128,3 +157,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a connectivity test + using a hardcoded URL. diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f4fffe115 --- /dev/null +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides a 'Lookup' action that queries the Google Safe Browsing + API to determine the reputation of a URL. This aligns directly with the 'Threat + Intelligence' category, which is used for enriching external indicators (like + URLs) to determine their reputation and confirm if an alert is a True Positive. + It does not perform SIEM log searching, EDR host containment, network gateway + blocking (it only checks reputation, it does not manage firewall/WAF rules), email + management, identity management, cloud resource management, ITSM ticketing, vulnerability + scanning, asset inventory management, or collaboration/notification tasks. Therefore, + only 'threat_intelligence' is true. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml index 0d3ab72ae..36f289ae3 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml @@ -1,51 +1,68 @@ Add Permission: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies external permissions on a Google Sheet. It does not match + any of the predefined security-specific categories (e.g., IOC enrichment, containment, + ticketing, email management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action adds permissions to a specific Google Sheet for one or more users. - It allows administrators to programmatically manage access levels (Owner, Writer, - Reader) for spreadsheets stored in Google Drive. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + Adds permissions to a Google Sheet for specified users. This action allows administrators + to grant 'Owner', 'Writer', or 'Reader' access to a target spreadsheet by providing + the Sheet ID and a list of email addresses. - | :--- | :--- | :--- | :--- | - - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | - | Role | ddl | Yes | The permission level to grant. Options include: **Owner** - (full control), **Writer** (can edit/comment), and **Reader** (view only). | + ### Flow Description - | Emails | string | Yes | A semicolon-separated list of email addresses (e.g., - `user1@gmail.com;user2@gmail.com`) to which the permissions will be applied. | + 1. Extract the `Sheet Id`, `Role`, and `Emails` from the action parameters. + 2. Initialize the Google Sheets client using the configured credentials. - ### Flow Description + 3. Execute the `insert_permission` method to update the spreadsheet's access control + list. - 1. **Configuration Extraction**: The action retrieves the Google service account - credentials from the integration configuration. + 4. Return the execution status (success or failure). - 2. **Parameter Parsing**: It extracts the target Sheet ID, the desired role, and - the list of email addresses from the action input. - 3. **Client Initialization**: A Google Sheets client is initialized using the - provided service account JSON. + ### Parameters Description - 4. **Permission Insertion**: The action iterates through the provided emails and - calls the Google Drive API to insert the specified permission role for each user - on the target spreadsheet. + | Parameter | Type | Mandatory | Description | - 5. **Result Reporting**: The action concludes by returning a success message if - the permissions were granted or an error message if the operation failed. + | :--- | :--- | :--- | :--- | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the URL. | - ### Additional Notes + | Role | ddl | Yes | The permission level to grant (Owner, Writer, or Reader). + | - This action does not process entities from the case; it relies entirely on the - manually provided parameters. + | Emails | string | Yes | A semicolon-separated list of email addresses to receive + the specified permission. | capabilities: can_create_case_comments: false can_create_insight: false @@ -54,12 +71,18 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the Access Control List (ACL) of a Google Spreadsheet by adding new - user permissions. + Updates the sharing permissions of a Google Sheet by adding users with the specified + role. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a call to the Google Sheets API to modify permissions (can_mutate_external_data=true). + It does not fetch context data or update internal entities. categories: enrichment: false + reasoning: >- + The action modifies external data (Google Sheets permissions) rather than retrieving + data, so it cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,61 +98,86 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity-related + logic. It operates solely on provided configuration parameters. Add Row: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a row to a Google Sheet. This does not match any of the provided + security-specific categories (e.g., IOC enrichment, ticket creation, host containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds a new row of data to a specified Google Sheets spreadsheet. This action is - useful for logging information, exporting alert data, or maintaining external - tracking sheets directly from a playbook. + This action adds a new row to a specified Google Sheet. It allows users to append + data to a worksheet by providing the Sheet ID, optional Worksheet Name, optional + Row Index, and the values to be inserted. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The ID of the Google Sheet, which can be found in + the sheet URL. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - within the spreadsheet. Defaults to the first sheet (Sheet1) if not provided. - Note: This is case-sensitive. | + | Worksheet Name | string | No | The name of the tab within the sheet. If not + provided, it defaults to "Sheet1". | - | **Row Index** | String | No | The one-based index where the row should be inserted. - If omitted, the behavior depends on the underlying API (typically appends or inserts - at the top). | + | Row Index | string | No | The row number to insert at (one-based). If not provided, + the row is appended to the end. | - | **Values** | String | Yes | A comma-separated list of values to be placed into - the cells of the new row (e.g., "val1,val2,val3"). | + | Values | string | Yes | Comma-separated values to add as a new row. | ### Additional Notes - - The action requires a service account with appropriate permissions (configured - in the integration settings) to access the target spreadsheet. + - The action uses the Google Sheets API to perform the insertion. - - The `Values` parameter is parsed by splitting the string at every comma. + - The `Values` parameter must be a comma-separated string. ### Flow Description - 1. **Initialization**: Extracts the service account credentials from the integration - configuration and the spreadsheet details from the action parameters. + 1. Extract parameters: Sheet Id, Worksheet Name, Row Index, and Values. - 2. **Data Parsing**: Converts the comma-separated `Values` string into a list - of individual cell values. + 2. Authenticate with Google Sheets using the configured credentials. - 3. **Connection**: Authenticates with Google APIs and opens the spreadsheet using - the provided `Sheet Id`. + 3. Open the target spreadsheet using the provided Sheet Id. - 4. **Worksheet Selection**: Targets the specific worksheet by name; if no name - is provided, it defaults to the first worksheet in the file. + 4. Select the specified worksheet (or default to "Sheet1"). - 5. **Row Insertion**: Executes the `insert_row` command on the Google Sheets API, - placing the parsed values at the specified `Row Index` (or the default position - if the index is not provided). + 5. Insert the provided comma-separated values as a new row at the specified index + (or default position). capabilities: can_create_case_comments: false can_create_insight: false @@ -138,11 +186,18 @@ Add Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new row of data to a specified Google Sheet worksheet. + Adds a new row to the specified Google Sheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation to an external Google Sheet. It does not + fetch data for enrichment, nor does it modify internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action is a utility for modifying external data (Google Sheets). It does + not meet the criteria for an enrichment action (which must fetch data and not + mutate external systems). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -158,37 +213,67 @@ Add Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on external Google Sheets data directly. Add or Update Rows: - ai_description: "### General Description\nThe **Add or Update Rows** action allows\ - \ users to manage records in a Google Sheet dynamically. It provides a mechanism\ - \ to synchronize data by searching for an existing entry based on a specific column\ - \ value. If the entry exists, the action updates the row; otherwise, it appends\ - \ a new row. This is particularly useful for maintaining logs, asset lists, or\ - \ tracking statuses within a spreadsheet.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Column\ - \ Number** | String | Yes | The column index (e.g., \"1\") where the action will\ - \ look for the search value. |\n| **Start Column** | String | Yes | The starting\ - \ column identifier (e.g., \"A\") for the update/append operation. |\n| **End\ - \ Column** | String | Yes | The ending column identifier (e.g., \"C\") for the\ - \ update/append operation. |\n| **Field Name** | String | Yes | The key within\ - \ the provided JSON objects used to find the search value. |\n| **Json** | Code\ - \ | Yes | A JSON array of objects. Each object represents a row to be processed.\ - \ |\n| **Sheet Id** | String | Yes | The unique ID of the spreadsheet (found in\ - \ the URL). |\n| **Worksheet Name** | String | No | The name of the specific sheet\ - \ tab. Defaults to the first sheet if not provided. |\n\n### Flow Description\n\ - 1. **Initialization**: The action extracts credentials and parameters, then connects\ - \ to the Google Sheets API via the `GoogleSheetFactory`.\n2. **Worksheet Selection**:\ - \ It opens the spreadsheet by ID and selects the specified worksheet (or the first\ - \ one by default).\n3. **Data Processing**: It iterates through each object in\ - \ the provided JSON array.\n4. **Search**: For each object, it retrieves the value\ - \ associated with the `Field Name` and searches for it in the specified `Column\ - \ Number` using the `find` method.\n5. **Update/Append**: \n * If the value\ - \ is found, it calculates the target range and updates the existing row with the\ - \ new values.\n * If the value is not found, it appends the values as a new\ - \ row at the bottom of the sheet.\n6. **Completion**: The action returns the count\ - \ of processed rows and the specific ranges updated.\n\n### Additional Notes\n\ - * The `Json` parameter must be a valid JSON array of objects.\n* Ensure the service\ - \ account has the necessary permissions (Editor access) to the spreadsheet." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a generic utility for managing data in Google Sheets. It does + not match any of the specific security-focused categories such as IOC enrichment, + ticket management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action adds or updates rows in a\ + \ Google Sheet based on a provided JSON payload. It is designed to synchronize\ + \ data into a spreadsheet by searching for a specific value in a designated column.\ + \ If the value is found, the action updates the corresponding row; if not, it\ + \ appends a new row to the sheet.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: The action retrieves the Google Sheet ID, column configuration,\ + \ and the JSON data payload from the action parameters.\n2. **Authentication**:\ + \ It establishes a connection to the Google Sheets API using the provided credentials.\n\ + 3. **Data Processing**: The action iterates through each item in the provided\ + \ JSON list.\n4. **Search**: For each item, it searches the specified column in\ + \ the worksheet for the value associated with the provided Field Name.\n5. **Mutation**:\ + \ \n - If the value is found, the action updates the existing row with the new\ + \ values.\n - If the value is not found, the action appends a new row to the\ + \ worksheet.\n6. **Result Reporting**: The action returns the updated range and\ + \ a summary message indicating the number of rows processed.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Column Number | string | Yes | The column number to search\ + \ for the value of the given Field Name. |\n| Start Column | string | Yes | The\ + \ starting column for the update or add operation. |\n| End Column | string |\ + \ Yes | The ending column for the update or add operation. |\n| Field Name | string\ + \ | Yes | The field name in the JSON by which to search for its value in the specified\ + \ column. |\n| Json | code | Yes | The JSON values to add or update. Each item\ + \ represents a row. |\n| Sheet Id | string | Yes | The ID of the Google Sheet\ + \ (found in the URL). |\n| Worksheet Name | string | No | The name of the specific\ + \ worksheet tab. Defaults to 'Sheet1' if not provided. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -197,12 +282,20 @@ Add or Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing rows or appends new rows in the specified Google Sheet based - on the provided JSON data. + The action updates existing rows or appends new rows to the specified Google + Sheet. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search operation (fetches data) on the Google Sheet to + determine if a row exists. It then performs a write operation (mutates external + data) by either updating an existing row or appending a new one. It does not + modify internal SOAR case data, entities, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (Google + Sheets). Enrichment actions must be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -218,54 +311,82 @@ Add or Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It processes a JSON payload + provided as a parameter to update a Google Sheet. Create Sheet: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a Google Sheet and shares it. It does not match any of the + defined categories such as 'Create Ticket', 'Enrich IOC', or 'Contain Host'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates a new Google Sheet and optionally shares it with specified users. This + action automates the creation of spreadsheets within a Google Drive environment + and manages access permissions. - The **Create Sheet** action enables the automated creation of a new Google Spreadsheet - within a Google Drive account. This action is primarily used to generate external - reports, logs, or collaborative documents during the lifecycle of an investigation. - It also supports sharing the newly created spreadsheet with specific users by - granting them 'writer' permissions. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction**: The action retrieves the `Sheet Name` and the optional + `Share with emails` list from the action parameters, and the `Credentials Json` + from the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Client Initialization**: A Google Sheets client is initialized using the + provided service account credentials. - | :--- | :--- | :--- | :--- | + 3. **Sheet Creation**: A new spreadsheet is created with the specified name. - | **Sheet Name** | String | Yes | The name assigned to the new Google Spreadsheet - file. | + 4. **Permission Management**: If email addresses are provided, the action iterates + through the list and grants 'writer' access to each user for the newly created + spreadsheet. - | **Share with emails** | String | No | A semicolon-separated list of email addresses - (e.g., 'user1@gmail.com;user2@gmail.com') to grant 'writer' access to the spreadsheet. - | + 5. **Completion**: The action returns the status of the operation and the ID of + the created sheet. - ### Flow Description + ### Parameters - 1. **Authentication**: The action authenticates with the Google Sheets and Google - Drive APIs using the provided service account credentials. + | Parameter | Type | Mandatory | Description | - 2. **Resource Creation**: It creates a new Google Spreadsheet file with the name - provided in the 'Sheet Name' parameter. + | :--- | :--- | :--- | :--- | - 3. **Access Control**: If email addresses are provided in the 'Share with emails' - parameter, the action iterates through the list and updates the spreadsheet's - permissions to grant 'writer' access to each user. + | Sheet Name | string | Yes | The name of the new spreadsheet to be created. | - 4. **Output**: The action returns the unique Spreadsheet ID as the result value - upon successful creation. + | Share with emails | string | No | A semicolon-separated list of email addresses + to share the spreadsheet with. | ### Additional Notes - - This action creates a new Spreadsheet file, not just a tab within an existing - file. - - - If the 'Share with emails' parameter is left empty, the spreadsheet remains - private to the service account owner. + - The action requires valid Google service account credentials configured in the + integration settings to authenticate with the Google Sheets API. capabilities: can_create_case_comments: false can_create_insight: false @@ -274,12 +395,20 @@ Create Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Google Spreadsheet file in Google Drive and modifies its permissions - to share it with specified email addresses. + Creates a new Google Sheet and updates its sharing permissions via the Google + Sheets API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation on an external system (Google Sheets) + by creating a new spreadsheet and updating its sharing permissions. It does + not fetch data from external systems, nor does it modify any internal SOAR case + data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, which is a requirement + for enrichment actions. It performs a mutation on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -295,58 +424,77 @@ Create Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any SOAR entities. It operates + independently of the case entities. Delete Rows: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes rows in a Google Sheet. This does not align with any of the + provided security-specific categories (e.g., IOC enrichment, ticket management, + identity management, or host containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Deletes a specified range of rows from a Google Sheet. This action interacts with + the Google Sheets API to remove rows based on user-provided row indices. - The **Delete Rows** action allows users to remove a specific range of rows from - a Google Sheets worksheet. This is useful for cleaning up logs, removing processed - data, or managing spreadsheet-based databases directly from Google SecOps. + ### Flow - ### Parameters Description - - | Parameter Name | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | + 1. Extracts the `Sheet Id`, `Worksheet Name`, `From Row`, and `To Row` parameters. - | **Sheet Id** | The unique identifier of the spreadsheet, found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | String | Yes | Required to locate the file. | + 2. Authenticates with the Google Sheets API using the configured credentials. - | **Worksheet Name** | The name of the specific tab (e.g., "Sheet1"). | String - | No | If not provided, the action defaults to the first worksheet in the file. - | - - | **From Row** | The starting row number for the deletion range. | String | Yes - | Must be a valid integer. | + 3. Opens the target spreadsheet using the provided `Sheet Id`. - | **To Row** | The ending row number for the deletion range. | String | Yes | - Must be a valid integer. | + 4. Identifies the target worksheet (or defaults to the first sheet if no name + is provided). + 5. Executes the deletion of the specified row range. - ### Additional Notes - - - This action does not process or require any entities from the case. - - - The row indices are 1-based (the first row is 1). + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: The action retrieves service account credentials from the - integration configuration. + | :--- | :--- | :--- | :--- | - 2. **Spreadsheet Access**: It connects to the Google Sheets API and opens the - spreadsheet identified by the `Sheet Id`. + | Sheet Id | string | Yes | The ID of the Google Sheet, found in the sheet URL. + | - 3. **Worksheet Selection**: It selects the worksheet specified by the `Worksheet - Name` or defaults to the first sheet if the parameter is empty. + | Worksheet Name | string | No | The name of the worksheet tab. Defaults to "Sheet1" + if not provided. | - 4. **Row Deletion**: It executes a command to delete all rows within the range - defined by `From Row` and `To Row`. + | From Row | string | Yes | The row number from which to start deleting. | - 5. **Completion**: Returns a success message if the rows were deleted or an error - message if the operation failed. + | To Row | string | Yes | The row number that defines the end of the range to + be deleted. | capabilities: can_create_case_comments: false can_create_insight: false @@ -355,12 +503,20 @@ Delete Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a range of rows from a specified Google Sheet worksheet, permanently - altering the external document. + Deletes rows from a specified Google Sheet worksheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (`worksheet.delete_rows`) on an + external system (Google Sheets). It does not retrieve data, nor does it modify + internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action is a utility for modifying external data (Google Sheets). It does + not fetch data for enrichment, nor does it perform any of the allowed internal + mutations (like adding comments or insights). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -376,47 +532,52 @@ Delete Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + external Google Sheet resources identified by parameters. Delete Sheet: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a Google Sheet from Google Drive. This operation does not + match any of the predefined categories such as enrichment, ticket management, + identity management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Deletes a specific Google Spreadsheet from Google Drive using its unique Spreadsheet - ID. This action is intended for automated cleanup of spreadsheets generated during - investigation or for data management tasks. - - - ### Parameters Description - - | Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet_Id}/edit`. | - - - ### Flow Description - - 1. **Setup**: The action retrieves the necessary Google service account credentials - from the integration configuration. - - 2. **Input**: It captures the `Sheet Id` from the action input parameters. - - 3. **Authentication**: Initializes a connection to the Google Sheets API using - the provided service account credentials. - - 4. **Deletion**: Executes the deletion request for the specified spreadsheet ID - via the Google Sheets client. - - 5. **Completion**: Provides a status message indicating whether the deletion was - successful or if an error occurred. - - - ### Additional Notes - - Ensure the service account has the appropriate 'Drive' and 'Spreadsheets' API - scopes enabled and has permission to delete the target file. This action permanently - removes the spreadsheet. + This action deletes a specified Google Sheet from Google Drive. It requires the + Sheet ID to identify the target file. Parameters: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Sheet Id | string | Yes | The unique + identifier of the Google Sheet, found in the sheet URL. | Flow description: 1. + Extract the Credentials Json from the integration configuration. 2. Extract the + Sheet Id from the action parameters. 3. Initialize the GoogleSheetFactory with + the provided credentials. 4. Create a gspread client. 5. Call the del_spreadsheet + method with the provided Sheet Id to delete the file. 6. Return the execution + status (completed or failed). capabilities: can_create_case_comments: false can_create_insight: false @@ -425,11 +586,20 @@ Delete Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a Google Spreadsheet from the user's Google Drive account. + Deletes a Google Sheet from the user's Google Drive. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (deletion) on an external system + (Google Sheets/Drive). It does not fetch data, update internal SOAR entities, + or create insights. categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external resource. It + does not fetch data for enrichment, nor does it perform any of the allowed internal + mutations (comments, insights, entity updates). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -445,57 +615,86 @@ Delete Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Sheet Id provided as a parameter. It does + not interact with siemplify.target_entities. Get All: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + predefined categories (Enrich IOC, Enrich Asset, Search Events, etc.) as it + is a general-purpose data retrieval tool for spreadsheets, not a security-specific + enrichment or containment action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves all rows from a specified Google Sheet worksheet and returns them as - a JSON array of objects. This action is designed to ingest tabular data from Google - Sheets into a Google SecOps playbook for further processing, such as lookups or - data manipulation. It uses service account credentials to authenticate and access - the spreadsheet. + This action retrieves all records from a specified Google Sheet. It allows users + to fetch data from a spreadsheet by providing the Sheet ID and an optional Worksheet + Name. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The unique identifier for the Google Sheet, found + in the sheet URL. | - | Worksheet Name | String | No | The name of the specific tab to retrieve data - from. If not provided, the action defaults to the first worksheet (Sheet1). Note: - This is case-sensitive. | + | Worksheet Name | string | No | The name of the specific tab/worksheet within + the sheet. Defaults to "Sheet1" if not provided. | - ### Flow Description + ### Additional Notes + + - The action requires a valid `Credentials Json` configuration parameter to authenticate + with the Google Sheets API. - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided Service Account credentials from the integration configuration. + - The `Worksheet Name` parameter is case-sensitive. - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id` - parameter. - 3. **Worksheet Selection**: It selects the worksheet based on the `Worksheet Name` - parameter. If the parameter is empty, it defaults to the first sheet in the workbook. + ### Flow Description - 4. **Data Retrieval**: It fetches all records from the worksheet using the `get_all_records()` - method, which converts rows into a list of dictionaries where the keys are the - column headers. + 1. Extracts the `Credentials Json` configuration and the `Sheet Id` and `Worksheet + Name` action parameters. - 5. **Output**: The retrieved data is attached to the action result as a JSON object - for use in subsequent playbook steps. + 2. Authenticates with the Google Sheets API using the provided credentials. + 3. Opens the specified spreadsheet using the `Sheet Id`. - ### Additional Notes + 4. Accesses the specified worksheet (or the default "Sheet1" if no name is provided). - - The Service Account must have at least "Viewer" permissions on the target spreadsheet - to successfully retrieve data. + 5. Retrieves all records from the worksheet. - - The action assumes the first row of the worksheet contains headers used as keys - in the resulting JSON. + 6. Returns the retrieved data as a JSON result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -506,8 +705,15 @@ Get All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action connects to Google Sheets, reads data, and returns it as a JSON result. + It does not modify external systems or internal SOAR data. categories: enrichment: false + reasoning: >- + The action retrieves data from an external source (Google Sheets) but does not + enrich specific entities or alerts. It is a general data retrieval utility, + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -523,57 +729,75 @@ Get All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates independently + of the case entities. Get Range: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + security-specific categories such as IOC enrichment, asset enrichment, ticketing, + containment, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves data from a specified range in a Google Sheet. This action allows users + to query spreadsheet content by providing the Spreadsheet ID, an optional Worksheet + Name, and the target range in A1 notation. - Retrieves the values for a specified range within a Google Spreadsheet. This action - is designed to pull data from a spreadsheet into the Google SecOps platform, enabling - playbooks to use external spreadsheet data for lookups, configuration, or reporting. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can - be found in the spreadsheet URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | - - | Worksheet Name | string | No | The name of the specific worksheet (tab) to query. - If not provided, the action defaults to the first worksheet (Sheet1). Note: this - is case-sensitive. | - - | Range | string | Yes | The range of cells to retrieve using A1 notation (e.g., - 'A1:B10' or 'Sheet1!A:C'). | - - - ### Additional Notes + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the spreadsheet URL. | - - The action requires valid service account credentials (Credentials Json) to - be configured in the integration settings. + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to 'Sheet1' if not provided. | - - The 'Range' parameter must follow the standard Google Sheets A1 notation. + | Range | string | Yes | The range of cells to extract (e.g., 'A1:B1'). | ### Flow Description - 1. **Authentication**: Initializes the Google Sheets client using the provided - service account credentials. + 1. The action extracts the required parameters: `Sheet Id`, `Worksheet Name`, + and `Range`. - 2. **Spreadsheet Access**: Opens the target spreadsheet using the provided 'Sheet - Id'. + 2. It initializes a connection to the Google Sheets API using the provided credentials. - 3. **Worksheet Selection**: Selects the specified 'Worksheet Name' or defaults - to the first sheet in the spreadsheet. + 3. It selects the specified worksheet (or defaults to the first sheet). - 4. **Data Retrieval**: Executes a batch get request to fetch the values for the - specified 'Range'. + 4. It performs a batch get operation to retrieve the values from the defined range. - 5. **Output**: Returns the retrieved cell values as a JSON object and completes - the action with a success message. + 5. The retrieved data is added to the action's result output. capabilities: can_create_case_comments: false can_create_insight: false @@ -584,8 +808,17 @@ Get Range: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only (GET) operation to retrieve data from an external + Google Sheet. It does not modify any external systems, nor does it update any + internal Google SecOps data (such as entities, insights, or case comments). categories: enrichment: false + reasoning: >- + While the action fetches data, it is a general-purpose utility for retrieving + spreadsheet content and does not gather supplemental context about specific + alerts or entities within the SOAR platform. Therefore, it does not meet the + criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -601,59 +834,83 @@ Get Range: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It operates on + arbitrary data retrieved from a Google Sheet and does not perform any filtering + or processing on SecOps entities. Get Row: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + predefined categories like IOC enrichment, asset enrichment, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves the values of a single row from a Google Sheets spreadsheet. This action - is designed to fetch data from a specific row based on its index, allowing playbooks - to ingest external tabular data for decision-making or logging purposes. - + Retrieves the values of a single row from a specified Google Sheet. This action + allows users to fetch data from a spreadsheet for further processing or analysis + within the SOAR platform. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Authentication**: The action authenticates with the Google Sheets API using + the provided credentials. - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, which can - be found in the spreadsheet's URL (the string between '/d/' and '/edit'). | + 2. **Connection**: It connects to the target spreadsheet using the provided `Sheet + Id`. - | Worksheet Name | String | No | The name of the specific worksheet (tab) to query. - If not provided, the action defaults to the first worksheet in the spreadsheet. - | + 3. **Worksheet Selection**: It selects the specified worksheet by name, or defaults + to the first worksheet if no name is provided. - | Row Number | String | Yes | The one-based index of the row to retrieve (e.g., - '1' for the header row or first row of data). | + 4. **Data Retrieval**: It fetches the values from the specified `Row Number`. + 5. **Output**: The retrieved row data is returned as a JSON result. - ### Additional Notes - - The action requires valid Google Service Account credentials configured in the - integration settings. - - - The service account must have at least 'Viewer' permissions on the target spreadsheet. + ### Parameters - - The `Row Number` parameter is one-based, following standard spreadsheet indexing. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Sheet Id | string | Yes | The unique identifier for the Google Sheet, found + in the sheet URL. | - 1. **Authentication**: The action authenticates with the Google Sheets API using - the service account credentials provided in the integration configuration. + | Worksheet Name | string | No | The name of the specific worksheet to query. + If not provided, the first worksheet is used. | - 2. **Spreadsheet Connection**: It opens the spreadsheet identified by the `Sheet - Id`. + | Row Number | string | Yes | The row number (one-based) to retrieve. | - 3. **Worksheet Selection**: It identifies the target worksheet. If a `Worksheet - Name` is specified, it selects that sheet; otherwise, it defaults to the first - sheet (`sheet1`). - 4. **Data Extraction**: It retrieves all cell values for the row specified by - the `Row Number`. + ### Additional Notes - 5. **Result Output**: The extracted row values are returned as a JSON array in - the action's result object. + This action is a read-only operation and does not modify the spreadsheet or any + internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -664,8 +921,15 @@ Get Row: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to fetch data from an external Google + Sheet. It does not modify external systems, nor does it update internal SOAR + entities or alerts. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform enrichment on specific alerts + or entities within the SOAR platform. It is a generic data retrieval utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -681,55 +945,84 @@ Get Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates on generic spreadsheet + data. Import CSV: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action imports data into a Google Sheet. This is a general data management + task and does not align with any of the provided security-specific categories + such as IOC enrichment, ticketing, containment, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Imports CSV data into a Google Sheet. This action facilitates data synchronization + by reading a local CSV file and uploading its contents to a specified Google Sheet, + overwriting the existing data in the first worksheet. - Imports the content of a CSV file into a specific Google Spreadsheet. This action - is designed to populate a spreadsheet with external data. **Warning:** This operation - is destructive; it replaces all content in the first worksheet of the target spreadsheet - and removes all other existing worksheets. - - - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Google Sheets credentials + from the integration configuration. - | Sheet Id | string | Yes | The unique identifier of the Google Spreadsheet, which - can be extracted from the spreadsheet's URL (e.g., the string between '/d/' and - '/edit'). | + 2. **Parameter Extraction**: It extracts the `Sheet Id` and `CSV Path` from the + action parameters. - | CSV Path | string | Yes | The absolute or relative path on the local file system - where the CSV file to be imported is located. | + 3. **Authentication**: It authenticates with the Google Sheets API using the provided + credentials. + 4. **Data Import**: It reads the content of the specified CSV file and imports + it into the target Google Sheet, replacing the existing content of the first worksheet. - ### Additional Notes + 5. **Completion**: The action concludes by reporting the status and the ID of + the updated sheet. - - The integration must be configured with valid Google Service Account credentials - that have 'Editor' access to the target spreadsheet. - - Because this action deletes other worksheets, it should be used with caution - on spreadsheets containing multiple tabs of data. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication:** The action initializes a connection to the Google Sheets - API using the provided Service Account credentials. + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - 2. **File Retrieval:** It reads the raw text content from the CSV file specified - in the `CSV Path` parameter. + | CSV Path | string | Yes | The local file path to the CSV file that needs to + be imported. | - 3. **Spreadsheet Access:** It verifies access to the spreadsheet using the `Sheet - Id`. - 4. **Data Import:** It calls the Google Sheets API to import the CSV data. This - process overwrites the first sheet and deletes all other worksheets in the file. + ### Additional Notes - 5. **Completion:** The action returns the Spreadsheet ID and a success message - upon completion. + This action performs a destructive write operation on the target Google Sheet + (it replaces the content of the first worksheet). Ensure the `Sheet Id` and `CSV + Path` are correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -738,12 +1031,20 @@ Import CSV: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action overwrites the content of the first worksheet in a Google Spreadsheet - and deletes all other worksheets within that spreadsheet file. + The action imports CSV data into a Google Sheet, which overwrites the existing + content of the first worksheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation to an external system (Google Sheets) + by importing CSV data. It does not fetch data for enrichment, nor does it modify + internal SecOps case data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a data management utility that modifies external data. It does + not fetch data for enrichment purposes, nor does it meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -759,48 +1060,78 @@ Import CSV: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process SecOps entities. It operates on + file paths and sheet identifiers. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes like enriching IOCs, creating tickets, or updating alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests connectivity with Google Sheets by verifying the validity of the provided - service account credentials. The action attempts to create a temporary spreadsheet - and then immediately deletes it to ensure that the integration has both read and - write permissions to the Google Drive and Google Sheets APIs. + Tests connectivity with Google Sheets by performing a create and delete operation. + This action verifies that the provided credentials have the necessary permissions + and that the Google Sheets API is reachable. - ### Parameters Description + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. Extract the `Credentials Json` parameter from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. Initialize the Google Sheets client using the provided service account credentials. - | Credentials Json | String | Yes | The JSON content of the Google Service Account - key file used for authentication. This is typically retrieved from the integration's - configuration settings. | + 3. Create a temporary spreadsheet with a unique identifier. + 4. Delete the created temporary spreadsheet to ensure no residual data is left + behind. - ### Flow Description + 5. Return the connectivity status (success or failure) to the SOAR platform. - 1. **Authentication**: Initializes a Google Sheets client using the provided Service - Account JSON credentials. - 2. **Creation Test**: Generates a unique spreadsheet name using a UUID and attempts - to create a new spreadsheet in the associated Google account. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 3. **Cleanup**: Immediately deletes the newly created spreadsheet using its unique - identifier to leave the environment clean. + | :--- | :--- | :--- | :--- | - 4. **Status Reporting**: If both the creation and deletion succeed, the action - returns a success message. If any step fails (e.g., invalid credentials or insufficient - permissions), it catches the exception and reports the failure. + | Credentials Json | String | Yes | The JSON service account credentials used + to authenticate with the Google Sheets API. | ### Additional Notes - This action is a standard 'Ping' utility used to validate the setup of the Google - Sheets integration. It requires the service account to have scopes for both `https://www.googleapis.com/auth/spreadsheets` - and `https://www.googleapis.com/auth/drive`. + This action is a connectivity test ("Ping") and does not perform any functional + data processing or enrichment. It is intended solely for verifying integration + health. capabilities: can_create_case_comments: false can_create_insight: false @@ -809,13 +1140,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action creates a temporary spreadsheet and then deletes it to verify that - the credentials have the necessary permissions to perform write and delete operations - in Google Sheets and Google Drive. + Creates and immediately deletes a temporary spreadsheet to verify API connectivity. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (create) and a delete operation on the + external Google Sheets system to verify connectivity. It does not fetch data + for enrichment, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is explicitly designed to test connectivity. + According to the guidelines, 'Ping' actions must not be categorized as enrichment + actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -831,66 +1168,79 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + test against the Google Sheets API. Search Row: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a search operation on a Google Sheet. It does not match + any of the predefined product categories, which are focused on security-specific + tasks like IOC enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + The 'Search Row' action allows users to search for a specific value within a designated + column of a Google Sheet. This action is useful for retrieving contextual information + stored in external spreadsheets. - The **Search Row** action identifies and retrieves a specific row from a Google - Spreadsheet based on a provided search value. It is designed to act as a lookup - utility, allowing playbooks to fetch contextual data stored in spreadsheets, such - as asset owners, contact lists, or whitelist entries. The action returns the row - index and the full content of the row as a JSON array. + ### Flow: - ### Parameters Description + 1. The action extracts the required parameters: `Sheet Id`, `Column Number`, and + `Search value`, along with the optional `Worksheet Name`. - | Parameter | Type | Mandatory | Description | + 2. It initializes a connection to the Google Sheet using the provided credentials. - | :--- | :--- | :--- | :--- | + 3. It locates the specified worksheet (or defaults to 'Sheet1'). - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which - can be extracted from the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | + 4. It searches the specified column for the provided value. - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to search within. If not provided, the action defaults to the first worksheet - (Sheet1). | + 5. If the value is found, it retrieves the entire row's data and returns it as + a JSON result. - | **Column Number** | String | Yes | The column index where the search is intended - to be performed. **Note:** The current implementation searches the entire worksheet - for the value, but uses this parameter for reporting in the output message. | + 6. If the value is not found, the action fails and returns an error message. - | **Search value** | String | Yes | The string or value to search for within the - spreadsheet. | + ### Parameters: - ### Flow Description - - 1. **Authentication**: The action initializes a connection to the Google Sheets - API using service account credentials provided in the integration configuration. - - 2. **Spreadsheet Access**: It opens the target spreadsheet using the provided - `Sheet Id`. - - 3. **Worksheet Selection**: It selects the specified worksheet by name or defaults - to the first available sheet. - - 4. **Search Execution**: The action performs a search across the worksheet to - find the first cell containing the `Search value`. - - 5. **Data Extraction**: Upon finding a match, it retrieves the row index and all - values contained within that specific row. + | Parameter | Type | Mandatory | Description | - 6. **Result Processing**: The row data is added to the action's JSON results, - and the row number is returned as the primary result value. + | :--- | :--- | :--- | :--- | + | Sheet Id | string | Yes | The ID of the Google Sheet (found in the URL). | - ### Additional Notes + | Worksheet Name | string | No | The name of the worksheet tab (defaults to 'Sheet1'). + | - * The search is case-sensitive and will return the first match found in the sheet. + | Column Number | string | Yes | The column number to search in. | - * If the value is not found, the action will return a failure status with a 'CellNotFound' - message. + | Search value | string | Yes | The value to search for. | capabilities: can_create_case_comments: false can_create_insight: false @@ -901,8 +1251,16 @@ Search Row: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action reads data from a Google Sheet (fetches_data=true). It does not perform + any write operations on the external Google Sheet (can_mutate_external_data=false). + It does not modify any internal SOAR data, entities, or insights (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for searching external data (Google Sheets). It does + not perform enrichment on entities or alerts, nor does it meet the criteria + for an enrichment action as it does not operate on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -918,68 +1276,87 @@ Search Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates on a Google Sheet + based on provided parameters. Search Rows: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for data in an external Google Sheet. It does not match + any of the specific categories like 'Enrich IOC' or 'Enrich Asset' because it + doesn't operate on entities. It is a general utility action for searching Google + Sheets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Search Rows** action allows users to search for specific values within a - designated column of a Google Sheets spreadsheet. It identifies all rows where - the search value exists in the specified column and returns the row numbers as - a list. This is useful for lookups, data validation, or retrieving record identifiers - from a centralized spreadsheet. + Searches for rows in a Google Sheet containing a specific value in a designated + column. This action retrieves data from a Google Sheet, returning the row numbers + and values where the search value is found. It does not modify the sheet or interact + with SOAR entities. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Sheet Id** | string | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + | Sheet Id | string | Yes | The ID of the Google Sheet. | - | **Worksheet Name** | string | No | The name of the specific tab/worksheet to - search. If not provided, the action defaults to the first worksheet (Sheet1). - | + | Worksheet Name | string | No | The name of the worksheet tab. | - | **Column Number** | string | Yes | The numerical index of the column to search - within (e.g., "1" for Column A). | + | Column Number | string | Yes | The column index to search. | - | **Search value** | string | Yes | The specific string or value to search for - within the specified column. | + | Search value | string | Yes | The value to search for. | ### Additional Notes - - The search is performed using the `findall` method, which identifies all occurrences - of the value in the sheet, but the action specifically filters these results to - only include matches found in the user-defined **Column Number**. - - - The action returns the total count of matching rows as the main result value - and a list of row numbers in the JSON result. + If the Worksheet Name is not provided, the action defaults to the first worksheet + in the spreadsheet. ### Flow Description - 1. **Initialization**: The action extracts the Google Sheets credentials from - the integration configuration and the search parameters (Sheet ID, Worksheet Name, - Column Number, and Search Value) from the action input. - - 2. **Connection**: It establishes a connection to the Google Sheets API using - a service account. + 1. Extract configuration (credentials) and action parameters (Sheet Id, Worksheet + Name, Column Number, Search value). - 3. **Worksheet Selection**: It opens the spreadsheet by ID and selects the specified - worksheet (or the first one by default). + 2. Authenticate with Google Sheets API using the provided credentials. - 4. **Search Execution**: It searches the entire worksheet for the provided value. + 3. Open the specified spreadsheet and worksheet. - 5. **Filtering**: It iterates through the search results and keeps only those - where the cell's column index matches the provided **Column Number**. + 4. Search the specified column for the provided search value. - 6. **Data Retrieval**: It collects the row numbers of the matching cells. + 5. Retrieve and return the row numbers and row values where the match was found. - 7. **Completion**: The action outputs the list of row numbers and the total count - of rows found. + 6. Terminate the action with a status message. capabilities: can_create_case_comments: false can_create_insight: false @@ -990,8 +1367,16 @@ Search Rows: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action reads data from a Google Sheet using the `gspread` library. It does + not modify the sheet (read-only) and does not interact with SOAR entities or + cases. categories: enrichment: false + reasoning: >- + The action does not operate on entities or alerts, so it does not qualify as + an enrichment action or any other category. It is a general utility action for + searching Google Sheets. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1007,57 +1392,54 @@ Search Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates independently of the + SOAR entity model. Update Cell: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a cell in a Google Sheet. This does not match any of the + predefined categories like ticket management, alert management, or IOC management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Updates a specific cell in a Google Sheets spreadsheet with a provided value. - This action is useful for logging, tracking status, or updating external records - directly from a playbook. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - - | Worksheet Name | string | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first sheet (Sheet1). Note: This is - case-sensitive. | - - | Cell | string | Yes | The A1 notation of the cell to update (e.g., 'A1', 'B12'). - | - - | Value | string | Yes | The data/value to be written into the specified cell. - | - - - ### Additional Notes - - This action requires a service account with appropriate permissions to access - and edit the target spreadsheet. If the 'Worksheet Name' is not found, the action - will fail. - - - ### Flow Description - - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided service account credentials. - - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the 'Sheet Id'. - - 3. **Worksheet Selection**: It selects the worksheet specified by 'Worksheet Name' - or defaults to the first worksheet if the parameter is empty. - - 4. **Cell Update**: It executes an update command to write the 'Value' into the - designated 'Cell'. - - 5. **Completion**: Returns a success message if the update is successful or an - error message if the operation fails. + ### General Description: This action updates a specific cell in a Google Sheet. + It allows users to programmatically modify spreadsheet data by specifying the + Sheet ID, Worksheet Name, Cell coordinate, and the new Value. ### Parameters: + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | + Sheet Id | string | Yes | The unique identifier of the Google Sheet (found in + the URL). | | Worksheet Name | string | No | The name of the specific tab/worksheet. + Defaults to 'Sheet1'. | | Cell | string | Yes | The cell coordinate to update + (e.g., A12). | | Value | string | Yes | The value to write into the specified + cell. | ### Flow: 1. Authenticate with Google Sheets using the provided credentials. + 2. Open the target spreadsheet using the provided Sheet Id. 3. Select the appropriate + worksheet (using Worksheet Name if provided, otherwise defaulting to Sheet1). + 4. Update the specified Cell with the provided Value. ### Additional Notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -1066,12 +1448,17 @@ Update Cell: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the content of a specific cell within a Google Sheets spreadsheet, modifying - the external document's state. + Updates a specific cell in a Google Sheet with a provided value. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation on an external Google Sheet. It does not + fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating a spreadsheet) and does not fetch + data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1087,60 +1474,82 @@ Update Cell: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SecOps entities. It operates on external Google + Sheets. Update Row: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a Google Sheet. It does not match any of the predefined security-related + categories such as IOC enrichment, ticket management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates a specific row in a Google Sheet with a provided set of values. This action - is useful for logging data, updating status trackers, or maintaining external - records directly from a SOAR playbook. + Updates a specific row in a Google Sheet with provided values. This action allows + for automated data entry or modification within a Google Sheets document. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - | Worksheet Name | String | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first worksheet (Sheet1). | + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to "Sheet1" if not provided. | - | Row Number | String | Yes | The numerical index of the row to be updated (e.g., - "1", "5"). | + | Row Number | string | Yes | The row index to update. | - | Values | String | Yes | A comma-separated list of values to be written into - the row (e.g., "val1,val2,val3"). Each value will be placed in a sequential column - starting from Column A. | + | Values | string | Yes | Comma-separated values to populate the row. | ### Additional Notes - * This action does not process or require any SOAR entities. - - * The `Values` parameter is parsed by splitting the string at each comma. Ensure - your data does not contain unexpected commas unless they are intended as column - delimiters. + The action requires valid Google Sheets credentials configured in the integration + settings. The `Values` parameter should be a comma-separated string (e.g., "val_1,val_2,val_3"). ### Flow Description - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided Service Account credentials. + 1. Extract parameters (Sheet ID, Worksheet Name, Row Number, Values). - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. + 2. Authenticate and connect to the Google Sheet using the provided credentials. - 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` - or defaults to the first available sheet. + 3. Select the target worksheet (or default to 'Sheet1'). - 4. **Data Parsing**: The `Values` string is split into a list of individual cell - values. + 4. Parse the comma-separated values. - 5. **Row Update**: The action iterates through the list of values, updating each - cell in the specified `Row Number` sequentially, starting from the first column - (Column 1). + 5. Update each cell in the specified row with the corresponding value. capabilities: can_create_case_comments: false can_create_insight: false @@ -1149,11 +1558,19 @@ Update Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a specified row of a Google Sheet. + Updates specific cells in a Google Sheet with provided values. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (mutation) on an external system (Google + Sheets) by updating specific cells. It does not fetch data from the sheet, nor + does it modify any internal SOAR data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action performs a write operation (mutation) on an external system (Google + Sheets) and does not retrieve data for enrichment purposes, therefore it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1169,56 +1586,92 @@ Update Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities; it operates on external Google + Sheets data based on provided parameters. Update Rows: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates rows in a Google Sheet. This does not align with any of the + provided security-specific categories (e.g., IOC enrichment, ticket management, + identity management, or containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates specific rows in a Google Spreadsheet with provided values. This action - allows for bulk updates of multiple rows by specifying row indices and a sequence - of values to be inserted starting from the first column of each specified row. + Updates specific rows and columns in a Google Sheet. This action allows users + to programmatically modify spreadsheet data by specifying the target sheet, worksheet, + row numbers, and the values to be inserted. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the `Row Number`, `Values`, `Sheet + Id`, and optional `Worksheet Name` from the action configuration. - | :--- | :--- | :--- | :--- | + 2. **Client Initialization**: It initializes a Google Sheets client using the + provided credentials. - | **Row Number** | String | Yes | Comma-separated list of row numbers to update - (e.g., '1,2,5'). | + 3. **Spreadsheet Access**: It opens the target spreadsheet using the provided + `Sheet Id`. - | **Values** | Content | Yes | Comma-separated list of values to be written into - the cells (e.g., 'ValueA,ValueB'). | + 4. **Worksheet Selection**: It selects the specified worksheet by name, or defaults + to 'Sheet1' if no name is provided. - | **Sheet Id** | String | Yes | The unique ID of the spreadsheet found in the - URL. | + 5. **Data Update**: It iterates through the provided row numbers and values, updating + the corresponding cells in the Google Sheet. - | **Worksheet Name** | String | No | The name of the worksheet tab. Defaults to - the first sheet (Sheet1) if not provided. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: Connects to the Google Sheets service using the provided - service account credentials. + | :--- | :--- | :--- | :--- | - 2. **Spreadsheet Access**: Opens the spreadsheet identified by the `Sheet Id`. + | Row Number | string | Yes | Comma-separated list of row numbers to update (e.g., + "1,2"). | - 3. **Worksheet Selection**: Targets the specified `Worksheet Name` or defaults - to the first available sheet. + | Values | content | Yes | Comma-separated list of values to update (e.g., "value1,value2"). + | - 4. **Data Processing**: Parses the input row numbers and values from comma-separated - strings. + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - 5. **Cell Update**: Iterates through each specified row and updates columns sequentially - starting from column 1 with the provided values. + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to "Sheet1" if not provided. | ### Additional Notes - - The action overwrites existing data in the specified cells. - - - Column indexing starts at 1 for each row updated. + The action performs a direct write operation to the specified Google Sheet. Ensure + the service account associated with the credentials has the necessary permissions + to edit the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -1227,12 +1680,19 @@ Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values in a Google Spreadsheet by overwriting them with provided - input. + Updates cells in a Google Sheet with provided values. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (update_cell) on an external Google Sheet. + It does not fetch data, nor does it interact with internal SOAR entities or + case data. categories: enrichment: false + reasoning: >- + The action is a utility for updating external spreadsheets. It does not fetch + data for enrichment, nor does it modify internal SOAR data. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1248,3 +1708,6 @@ Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates on parameters provided + directly to the action. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..d058245cb --- /dev/null +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,61 @@ +Sheet Connector: + ai_description: >- + ### General Description + + This connector integrates with Google Sheets to ingest data as alerts into Google + SecOps (SOAR). It allows users to treat rows in a spreadsheet as security events + or alerts, enabling automation workflows based on spreadsheet-based data sources. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert Name Column Index | Integer | Yes | The column index to use for the alert + name. | + + | Credentials Json | String | Yes | The JSON string containing Google Service + Account credentials. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Filter Alert Column Index | Integer | No | The column index to use for filtering + rows. | + + | Filter Alert Column Value | String | No | The value to filter by in the specified + column. | + + | Product | String | Yes | The product name associated with the alerts. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | Sheet Id | String | Yes | The unique identifier of the Google Sheet. | + + | Worksheet Name | String | Yes | The name of the specific worksheet to pull data + from. | + + + ### Flow Description + + 1. Authenticates with Google Sheets using the provided service account JSON credentials. + + 2. Opens the specified Google Sheet by ID and selects the target worksheet. + + 3. Retrieves all rows from the worksheet. + + 4. Iterates through the rows, applying optional filtering based on a specific + column index and value if configured. + + 5. Maps each row to an AlertInfo object, using the configured column index to + determine the alert name. + + 6. Constructs events from the row data, mapping headers to event fields. + + 7. Returns the generated alerts to the SOAR platform for processing. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d1038fcfc --- /dev/null +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The google_sheets integration includes a connector that ingests data from Google + Sheets into the SOAR platform as alerts. This capability aligns with the SIEM + category, which is used for ingesting and processing logs and events to identify + suspicious activity. The various actions provided (e.g., Add Row, Search Row, + Update Cell) are general-purpose data management utilities for Google Sheets and + do not perform security-specific tasks such as EDR, Threat Intelligence, IAM, + or ITSM. Therefore, the integration is classified under SIEM due to its data ingestion + capabilities, while all other categories are marked as false as the integration + does not provide specialized security functionality in those domains. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml index a75a38db9..13cdcaeaf 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml @@ -1,69 +1,87 @@ Generate QR Code: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action generates a QR code image and attaches it to the case. It does not + match any of the predefined categories (Enrich IOC, Contain Host, etc.). It + is a utility action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Generate QR Code** action creates a QR code image from a provided string - of data, such as a URL, text, or identifier. This utility action is designed to - facilitate the visual representation of data within a case, allowing analysts - to generate codes for physical tracking, mobile access, or documentation purposes. - It interacts with the GOQR API to render the image based on customizable parameters - like size, color, and error correction levels. + Generates a QR code image from a provided string of data. This action interacts + with an external QR code generation service to create an image based on user-defined + parameters such as size, format, and error correction level. The resulting image + is saved as a temporary file and attached to the current case. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | **Content** | String | Yes | N/A | The data, URL, or text string to encode into - the QR code. | + | Content | string | Yes | The data, URL, or text string to encode into the QR + code. | - | **Size** | String | No | 200x200 | The dimensions of the generated image in - pixels (e.g., 300x300). Maximum value is 1000x1000. | + | Size | string | No | The dimensions of the generated image in pixels in the + format {width}x{height}. The maximum value is 1000x1000. Default: 200x200. | - | **Image Format** | DDL | No | png | The file format for the output image. Options: - png, jpg, gif, svg. | + | Image Format | ddl | No | The file format for the output image (png, jpg, gif, + svg). Default: png. | - | **Error Correction** | DDL | No | Low | The level of data redundancy (Low, Medium, - Quartile, High). Higher levels increase damage resistance but result in a more - complex image. | + | Error Correction | ddl | No | The level of data redundancy applied to the QR + code. Higher levels increase damage resistance, but result in a more complex image. + Default: Low. | - | **Margin** | String | No | 1 | The width of the blank border (quiet zone) around - the QR code in pixels. | + | Margin | string | No | The width of the blank border (quiet zone) around the + QR code, measured in pixels. Default: 1. | - | **Foreground Color** | String | No | 0-0-0 | The color of the QR code modules - in R-G-B format (e.g., 255-0-0 for red). | + | Foreground Color | string | No | The color of the QR code modules in R-G-B format. + Default: 0-0-0 (black). | - | **Background Color** | String | No | 255-255-255 | The color of the image background - in R-G-B format. | - - - ### Additional Notes - - * This action **does not run on entities**. It is a standalone utility that processes - the provided 'Content' parameter. - - * The generated image is automatically attached to the case wall for immediate - viewing. + | Background Color | string | No | The color of the image background in R-G-B + format. Default: 255-255-255 (white). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the content to be encoded and - optional styling parameters (size, format, colors) from the user input. + 1. Extract configuration parameters (Content, Size, Image Format, Error Correction, + Margin, Foreground Color, Background Color). - 2. **API Interaction:** It sends a request to the GOQR service to generate the - QR code image bytes based on the specified configuration. + 2. Invoke the external QR code generation API with the provided parameters. - 3. **File Management:** The received image bytes are saved as a temporary file - with a sanitized name derived from the content. + 3. Save the returned image bytes to a temporary file. - 4. **Internal Mutation:** The action attaches the generated image file to the - Google SecOps case wall. + 4. Attach the generated file to the case wall. - 5. **Result Finalization:** It returns a JSON object containing the base64-encoded - image blob and the metadata used for generation, marking the action as successful. + 5. Return a JSON result containing the base64-encoded image and configuration + details. capabilities: can_create_case_comments: false can_create_insight: false @@ -73,10 +91,17 @@ Generate QR Code: can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds the generated QR code image as an attachment to the case wall. + internal_data_mutation_explanation: Adds an attachment to the case wall. + reasoning: >- + The action calls an external API to generate a QR code image (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It adds + an attachment to the case wall, which is an internal mutation (can_mutate_internal_data=true). categories: enrichment: false + reasoning: >- + The action generates a QR code image and attaches it to the case. It does not + gather supplemental context about alerts or entities, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -92,40 +117,51 @@ Generate QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It generates a QR code from a provided + string and attaches it to the case. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the QR Server API. Its primary purpose is to ensure - that the integration's configuration (such as the API Root and SSL settings) is - correct and that the external service is reachable. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action is a standard connectivity test and does not process any entities - or alert data. It is typically used during the initial setup of the GOQR integration - or for troubleshooting network issues. - - - ### Flow Description - - 1. **Client Initialization**: The action initializes the GOQR API client using - the global integration configuration parameters, specifically the API Root and - Verify SSL settings. - - 2. **Connectivity Check**: It executes a request to the QR Server's ping endpoint - (defined as a small QR code generation request) to validate the communication - path. - - 3. **Status Reporting**: The action returns a success message if the API responds - correctly, or an error message if the connection fails. + Tests connectivity to the QR Server API. This action verifies that the integration + is correctly configured and the server is reachable. ### Flow 1. The action initializes + the API client using the configured API Root and Verify SSL settings. 2. It sends + a request to the QR Server API using the ping endpoint. 3. The action returns + a success message if the connection is established, or an error message if the + connection fails. ### Parameters | Parameter | Type | Mandatory | Description + | | :--- | :--- | :--- | :--- | | API Root | String | Yes | The base URL of the + QR Server API. | | Verify SSL | Boolean | Yes | Whether to verify SSL certificates + when connecting to the API. | ### Additional Notes There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -136,8 +172,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) to the external QR Server API. + It does not fetch contextual data for entities, nor does it mutate any external + or internal data. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -153,49 +197,77 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. Scan QR Code: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action decodes a QR code from an image. It does not match any of the defined + categories such as enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Scan QR Code** action extracts and reads data from a QR code image provided - as a Base64-encoded string. It utilizes the GOQR API to decode the image and retrieve - the embedded information, making it useful for analyzing suspicious QR codes found - in digital artifacts. + Use the Scan QR Code action to extract and read data from a QR code image provided + in Base64 format. This action interacts with an external QR code scanning API + to decode the image content and return the results. ### Parameters Description - | Parameter | Description | Type | Mandatory | Default | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **QR Image Base64 Blob** | The Base64-encoded string representing the QR code - image file. | String | Yes | N/A | + | QR Image Base64 Blob | string | Yes | The Base64-encoded string representing + the QR code image file. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Base64-encoded image string - from the input parameters. + 1. Accepts a Base64-encoded string representing a QR code image. - 2. **Decoding**: The Base64 string is decoded into raw image bytes. + 2. Decodes the Base64 string into binary image data. - 3. **API Interaction**: The image bytes are sent to the GOQR API's read endpoint - (`v1/read-qr-code/`). + 3. Sends the image data to the configured QR code scanning API. - 4. **Result Parsing**: The action parses the API response into structured data - models, extracting the decoded text from the QR code symbols. + 4. Parses the API response to extract the decoded QR code data. - 5. **Output**: The decoded information is returned as a JSON result, and the action - status is set to success. + 5. Returns the decoded information as a JSON result. ### Additional Notes - - This action does not process entities from the SecOps environment; it operates - solely on the provided Base64 input. - - - Ensure the Base64 string is valid to avoid decoding errors. + The action requires a valid Base64-encoded string of a QR code image to function. + If the provided string is not a valid Base64-encoded image or does not contain + a QR code, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -206,8 +278,16 @@ Scan QR Code: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation by sending an image to an external + API to decode its contents. It does not modify any external systems or internal + SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is a utility for decoding QR codes. It does not perform enrichment + on entities or alerts, nor does it meet the criteria for an enrichment action + as it does not operate on SOAR entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -223,3 +303,6 @@ Scan QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It processes a user-provided Base64 + string directly. diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a6f3dafc7 --- /dev/null +++ b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml @@ -0,0 +1,18 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The goqr integration provides utility actions for generating and scanning QR codes. + These actions do not perform security-related tasks such as log analysis, endpoint + protection, network security, threat intelligence enrichment, identity management, + or incident response orchestration. Consequently, it does not align with any of + the defined product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml index e26ba2d4e..4131da6e2 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml @@ -1,54 +1,86 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (user details) for a user entity and + updates the entity within the platform. This matches the 'Enrich Asset' category. + It does not perform IOC enrichment, alert updates, or external system mutations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches USER entities with detailed profile information from the Hibob HR platform. - This action retrieves employee data such as department, role, and contact details, - flattens the response, and maps it directly to the entity's additional properties - within Google SecOps to provide security analysts with organizational context. + This action enriches User entities within the Google SecOps platform by retrieving + detailed profile information from the Hibob HR system. It fetches user data based + on the entity identifier, flattens the nested JSON response, and updates the entity's + `additional_properties` with the retrieved information. This provides analysts + with immediate access to HR-related context (e.g., department, role, status) directly + within the entity profile. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action initializes the `HibobManager` using the API + root and token provided in the integration configuration. - | Get User Image | Boolean | No | A toggle to determine if user avatar/image data - should be processed during the enrichment flow. | + 2. **Iteration**: It iterates through all `target_entities` associated with the + alert. + 3. **Filtering**: It filters for entities of type `USER`. - ### Additional Notes + 4. **Data Retrieval**: For each valid user entity, it calls the Hibob API to fetch + user details using the entity identifier. - - The action specifically targets entities of type `USER`. + 5. **Data Processing**: If data is found, it flattens the nested dictionary structure + and adds a 'Hibob' prefix to all keys to ensure clarity. - - All retrieved data is prefixed with 'Hibob' when added to the entity's additional - properties to ensure clear data lineage and prevent field collisions. + 6. **Internal Update**: It updates the entity's `additional_properties` with the + flattened data, sets the `is_enriched` flag to `True`, and updates the entity + in the SecOps platform. - - The action uses the entity's identifier (typically an email or employee ID) - to query the Hibob API. + 7. **Result Reporting**: Finally, it adds the raw user data to the action result + JSON and returns a summary of enriched entities. - ### Flow Description + ### Parameters Description - 1. **Configuration Retrieval:** The action initializes by fetching the Hibob API - token from the integration settings. + | Parameter | Type | Mandatory | Description | - 2. **Entity Filtering:** It iterates through the list of target entities and filters - for those with the type `USER`. + | :--- | :--- | :--- | :--- | - 3. **External API Request:** For each valid user entity, it calls the Hibob `/v1/people/` - endpoint using the entity's identifier. + | Get User Image | Boolean | No | A flag indicating whether to attempt to retrieve + the user's profile image. Note: While extracted, this parameter is not utilized + in the core enrichment logic of the current script version. | - 4. **Data Transformation:** The resulting JSON profile is flattened into a single-level - dictionary using a recursive utility and prefixed with 'Hibob'. - 5. **Internal Enrichment:** The entity's `additional_properties` are updated with - the flattened data, and the `is_enriched` flag is set to `True`. + ### Additional Notes - 6. **Update and Finalize:** The action updates the modified entities in the Google - SecOps environment and returns a summary of the enriched users along with the - raw JSON data. + This action performs read-only operations on the external Hibob system (GET requests) + and only modifies internal entity data within the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,10 +91,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of USER entities with flattened - Hibob profile data and sets the 'is_enriched' flag to true. + Updates entity additional_properties and sets the is_enriched flag to true. + reasoning: >- + The action fetches user details from the Hibob API (fetches_data=true). It updates + the entity's `additional_properties` and `is_enriched` flag within the SOAR + platform (can_mutate_internal_data=true, can_update_entities=true). It does + not perform any write operations on the external Hibob system. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Hibob) and updates internal + entity properties without modifying external state. This meets the criteria + for an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -79,60 +119,82 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + `EntityTypes.USER` using an if-statement. Get User Image: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (profile image) for a user from an + external HR system. This aligns with the 'Enrich Asset' category, as it provides + additional context about a user resource. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - - The **Get User Image** action retrieves the profile image (avatar) for a specific - employee from the Hibob HR platform. By providing an employee's email address, - the action identifies the user within Hibob and retrieves their profile picture, - providing it as both a Base64-encoded string and raw data in the action's JSON - results. + This action retrieves the profile image for a specific employee from the Hibob + HR platform. It fetches the image as both a URL and a base64-encoded string, allowing + analysts to view user avatars directly within the SOAR platform. - ### Parameters - + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Extract Parameters**: The action retrieves the `Employee's Email` provided + by the user. - | :--- | :--- | :--- | :--- | + 2. **Fetch User Details**: It queries the Hibob API to resolve the email address + to a unique employee identifier. - | Employee's Email | String | Yes | The email address of the employee whose profile - image is to be retrieved. | + 3. **Fetch Image**: Using the employee identifier, it requests the user's avatar + image from the Hibob API. + 4. **Process Data**: If the image is found, it converts the binary content into + a base64 string. - ### Flow Description + 5. **Return Results**: The action outputs the image URL and base64 string as a + JSON result for the analyst. - 1. **Extract Input:** The action retrieves the `Employee's Email` from the input - parameters. - - 2. **Lookup User:** It queries the Hibob API (`/v1/people/{email}`) to find the - employee and obtain their internal unique identifier (`id`). + ### Parameters Description - 3. **Fetch Image:** Using the internal identifier, it makes a request to the Hibob - avatar endpoint (`/v1/avatars/{id}`) to download the image content. + | Parameter | Type | Mandatory | Description | - 4. **Process Data:** The binary image content is encoded into a Base64 string - for easy use in subsequent playbook steps. + | :--- | :--- | :--- | :--- | - 5. **Finalize:** The action populates the JSON result with the Base64 string and - the image data, then completes with a success message. + | Employee's Email | string | Yes | The email address of the employee whose profile + image is to be retrieved. | ### Additional Notes - - * **Entity Support:** This action does not run on entities. It uses the email - address provided in the parameters. - - * **Parameter Typo:** Note that while the internal parameter description in the - metadata mentions 'uploading', the actual function of this action is to retrieve/download - the image. - - * **Data Handling:** The action returns the image in the `JsonResult` under the - keys `imageBase64` and `imageUrl`. + This action is read-only and does not modify any data within the SOAR platform + or the external Hibob system. capabilities: can_create_case_comments: false can_create_insight: false @@ -143,8 +205,17 @@ Get User Image: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Hibob API to retrieve user details and + images. It does not perform any POST/PUT/DELETE operations on external systems + (can_mutate_external_data=false). It does not update entities, create insights, + or add comments to the case (can_mutate_internal_data=false). categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data (user image), it does not meet the criteria for + an Enrichment Action because it does not update entities, create insights, or + add case comments. It simply returns a JSON result. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -160,25 +231,71 @@ Get User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies solely + on the `Employee's Email` parameter provided by the user to perform its lookup. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Hibob platform.\ - \ It ensures that the provided API credentials (API Token) are valid and that\ - \ the Hibob API service is reachable.\n\n### Parameters Description\nThere are\ - \ no input parameters for this action. It relies solely on the integration's global\ - \ configuration (API Token).\n\n### Additional Notes\n- This action is typically\ - \ used during the initial setup of the integration or for troubleshooting connection\ - \ issues.\n- It performs a simple GET request to the Hibob `/api/user` endpoint\ - \ to validate authentication.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action retrieves the API Token from the Hibob integration settings.\n2.\ - \ **Manager Initialization**: It initializes the `HibobManager` with the API root\ - \ URL and the retrieved token.\n3. **Connectivity Test**: It calls the `test_connectivity`\ - \ method, which sends a GET request to the Hibob API.\n4. **Response Validation**:\ - \ \n - If the response is successful (HTTP 200) and contains valid JSON, the\ - \ connection is considered successful.\n - If the response returns a 401 (Unauthorized)\ - \ or 404 (Not Found), an exception is raised with a specific error message.\n\ - 5. **Final Result**: The action ends by returning a boolean value (`True` for\ - \ success, `False` for failure) and a descriptive output message to the SOAR interface." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + General description: + + This action tests the connectivity between the SOAR platform and the Hibob API. + It verifies that the provided API credentials are valid and that the service is + reachable. + + + Flow description: + + 1. The action retrieves the Hibob API configuration (API Token) from the integration + settings. + + 2. It initializes the Hibob manager with the API root and token. + + 3. It sends a GET request to the Hibob API (`/api/user`) to verify connectivity. + + 4. If the request is successful, it returns a success message; otherwise, it returns + a failure message. + + + Parameters description: + + There are no parameters for this action. + + + Additional notes: + + This action is strictly for connectivity testing and does not perform any data + retrieval or modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,10 +304,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Hibob API. It + does not modify any external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -206,47 +330,73 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Revoke Access: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action revokes access for a user in an external system (Hibob). This aligns + with the 'Disable Identity' category, which is defined as 'Revokes active sessions + and prevents a user or service account from authenticating to the network.' + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Revokes an employee's access to the Hibob platform using their email address. - This action is primarily used during offboarding or security incidents to ensure - a user can no longer log into the Hibob system by transitioning their status to - 'uninvited'. + This action disables an employee's access in the Hibob platform by their email + address. It verifies the user's existence and current status before performing + the revocation. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Employee's Email | The email address of the employee whose access needs to be - revoked in Hibob. | String | Yes | + | Employee's Email | string | Yes | The email address of the employee whose access + needs to be revoked in Hibob. | ### Flow Description - 1. **Fetch Details**: The action first retrieves the employee's internal Hibob - ID and current status using the provided email address. + 1. Extracts the 'Employee's Email' from the action parameters. - 2. **Existence Check**: It verifies if the employee exists in the Hibob database. - If not, the action terminates with a failure message. + 2. Retrieves the employee's details from Hibob using the provided email to obtain + their unique identifier. - 3. **Status Validation**: It checks the employee's current 'state'. If the employee - is already in an 'uninvited' state, the action informs the user that access was - already revoked. + 3. Checks the current status of the employee. - 4. **Revocation**: If the employee is active, the action sends a POST request - to the Hibob API to revoke access (uninvite) for that specific employee ID. + 4. If the employee exists and is not already revoked, it sends a request to Hibob + to revoke their access. - - ### Additional Notes - - This action does not operate on Google SecOps entities (like ADDRESS or USER). - It relies entirely on the 'Employee's Email' input parameter provided by the user - or playbook. + 5. Returns the status of the operation (success/failure) and whether the user + existed or was already revoked via the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,13 +405,19 @@ Revoke Access: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Hibob API endpoint '/v1/employees/{employee_identifier}/uninvite', - which changes the employee's status to 'uninvited' and revokes their access - to the platform. + Revokes access for a specific employee in the Hibob platform by uninviting them. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user details from Hibob (GET request) and then performs a + revocation (POST request) on the Hibob platform. It does not modify internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Hibob) to revoke access. + It is not an enrichment action because it modifies the state of an external + system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -277,47 +433,78 @@ Revoke Access: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities`. It extracts the + email directly from the action parameters (`siemplify.extract_action_param("Employee's + Email")`). Therefore, it does not run on entities. Search User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for a user in Hibob and retrieves their details. This matches + the "Search Asset" outcome. It also retrieves contextual metadata (user details), + which matches the "Enrich Asset" outcome. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Searches for a specific user's details in the Hibob HR platform using their email - address. This action is used to verify the existence of an employee and retrieve - their profile information from the Hibob system. + Searches for a specific user in the Hibob HR system using their email address. + This action retrieves user details from Hibob and adds them to the action result + JSON. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extracts the "Employee's Email" parameter. - | :--- | :--- | :--- | :--- | + 2. Initializes the Hibob manager with the provided API token. - | Employee's Email | String | Yes | The email address of the employee to search - for in Hibob. | + 3. Queries the Hibob API (`/v1/people/{employee_identifier}`) to retrieve user + details. + 4. If the user is found, the details are added to the action result JSON. - ### Flow Description + 5. The action concludes with a success or failure message. - 1. **Configuration**: Retrieves the API Token and Root URL from the integration - settings. - 2. **Input Extraction**: Extracts the target email address from the action parameters. + ### Parameters Description - 3. **API Request**: Calls the Hibob API GET `/v1/people/{email}` endpoint via - the HibobManager. + | Parameter | Type | Mandatory | Description | - 4. **Processing**: If the user is found, the profile data is captured and formatted - into a JSON result. + | :--- | :--- | :--- | :--- | - 5. **Output**: Returns a boolean success status and populates the JSON result - with the user's details for use in subsequent playbook steps. + | Employee's Email | string | Yes | The email address of the employee to search + for in Hibob. | ### Additional Notes - This action does not iterate over entities in the SecOps case; it performs a lookup - based strictly on the provided parameter. If the user is not found, the action - returns a failure status. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -328,8 +515,17 @@ Search User: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Hibob API to retrieve user details. + It does not mutate external data (no POST/PUT/DELETE). It does not mutate internal + data (no `update_entities`, `add_entity_insight`, etc.). It does not update + entities, create insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Hibob) but does not operate + on entities or update internal SOAR data (like insights or entity fields). Therefore, + it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -345,32 +541,80 @@ Search User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes an input parameter "Employee's Email" + directly. Therefore, it does not run on entities. Send Invitation: - ai_description: "### General Description\nThis action sends an invitation to an\ - \ employee to join the Hibob system. It is used to invite new employees for their\ - \ first login or to re-invite existing users who have been previously disabled.\ - \ The action ensures the user exists and is not already invited before triggering\ - \ the invitation process using a specified onboarding wizard.\n\n### Parameters\ - \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Employee's Email | string | true | The email address of the\ - \ employee to whom the invitation will be sent. |\n| Welcome Wizard Name | string\ - \ | true | The specific name of the 'Welcome Wizard' configured in Hibob (Settings\ - \ -> Flows). This value is case-sensitive (e.g., 'Welcome!'). |\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action initializes the Hibob manager using\ - \ the provided API token and root URL.\n2. **Employee Lookup:** It retrieves the\ - \ employee's details from Hibob using the provided email address.\n3. **Validation:**\ - \ \n - If the employee does not exist, the action stops and reports that the\ - \ user was not found.\n - If the employee exists but has already been invited\ - \ (state is 'invited'), the action stops to prevent duplicate invitations.\n4.\ - \ **Wizard Identification:** If the employee is eligible, the action fetches all\ - \ available onboarding wizards from Hibob and matches the provided 'Welcome Wizard\ - \ Name' to find the corresponding ID.\n5. **Send Invitation:** The action performs\ - \ a POST request to the Hibob API to send the invitation to the employee using\ - \ the identified wizard ID.\n6. **Result Reporting:** The action returns a JSON\ - \ result indicating whether the employee exists and if the invitation was successfully\ - \ sent.\n\n### Additional Notes\n- This action does not process entities from\ - \ the Google SecOps environment; it relies entirely on the provided action parameters.\n\ - - The 'Welcome Wizard Name' must exactly match the name defined in the Hibob UI." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: true + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends an invitation to an employee in Hibob, which modifies the user's + access state (enabling them to log in). This aligns with 'Enable Identity'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action sends an invitation to an employee in the Hibob system, allowing them + to log in for the first time or re-inviting them if they were previously disabled. + This action interacts with the Hibob API to verify user existence and status before + triggering the invitation process. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Employee's Email | string | Yes | The email address of the employee to invite. + | + + | Welcome Wizard Name | string | Yes | The name of the wizard to use for the invitation + (case-sensitive). | + + + ### Flow Description + + 1. Extracts the `Employee's Email` and `Welcome Wizard Name` from the action parameters. + + 2. Retrieves the employee's details from Hibob using the provided email. + + 3. Verifies if the employee exists and checks their current invitation status. + + 4. If the employee is not already invited, it retrieves the list of available + welcome wizards. + + 5. Matches the provided `Welcome Wizard Name` to a wizard ID. + + 6. Sends an invitation to the employee using the identified wizard ID. + + 7. Returns the result of the operation as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -379,13 +623,19 @@ Send Invitation: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Hibob API to create an invitation - for an employee, which changes the user's state in the external system and triggers - an automated email. + Sends an invitation to an employee in the Hibob system, which changes the employee's + invitation state. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to invite an employee (can_mutate_external_data=true). + It fetches user details and wizard information (fetches_data=true). It does + not update internal entities or modify case data. categories: enrichment: false + reasoning: >- + The action mutates external data (sends an invitation), which violates the requirement + for an enrichment action to be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -401,50 +651,83 @@ Send Invitation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It extracts parameters directly from + the action configuration using `siemplify.extract_action_param`. Therefore, + it does not run on entities. Upload User Image: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a user's profile image in an external HR system (Hibob). + This aligns with the 'Update Identity' category, which involves modifying account + metadata. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - This action uploads a profile image (avatar) to a specific employee's profile - in the Hibob platform using a provided image URL. It first resolves the employee's - unique identifier based on their email address and then performs an update to - their avatar record. - + This action uploads a user image (avatar) to the Hibob HR platform for a specific + employee. It retrieves the employee's unique identifier using their email address + and then updates their profile image using the provided image URL. - ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. The action extracts the 'Employee's Email' and 'Url Image' parameters provided + by the user. - | Employee's Email | The email address of the employee whose image you want to - upload. | string | True | Used to fetch the internal Hibob ID. | + 2. It queries the Hibob API to retrieve the employee's details, specifically their + unique identifier, using the provided email address. - | Url Image | The public URL of the image to be set as the employee's avatar. - | string | True | Must be a valid, accessible URL. | + 3. If the employee is found, the action performs a PUT request to the Hibob API + to update the user's avatar with the specified image URL. + 4. The action returns a success or failure message based on the outcome of the + API request. - ### Additional Notes - - This action does not operate on Google SecOps entities (e.g., IP, Hostname). - It relies entirely on the provided email and URL parameters. + ### Parameters Description - - If the user is not found in Hibob, the action will fail with a descriptive message. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Employee's Email | string | Yes | The email address of the employee whose image + is to be updated. | - 1. **Fetch Employee ID**: The action calls the Hibob API to retrieve details for - the provided email address to obtain the internal `employee_identifier`. + | Url Image | string | Yes | The URL of the image to be uploaded as the user's + avatar. | - 2. **Validate User**: If the user does not exist, the action terminates with a - failure message. - 3. **Upload Image**: If the user is found, the action sends a `PUT` request to - the Hibob avatars endpoint with the provided image URL. + ### Additional Notes - 4. **Finalize**: The action returns a success message if the image is uploaded - or a failure message if the API returns an error (e.g., 404). + This action interacts directly with the Hibob API to modify user data. It does + not perform any operations on SOAR entities or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -453,12 +736,19 @@ Upload User Image: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the employee's profile picture (avatar) in the Hibob system by sending - a PUT request to the avatars endpoint. + Updates the user's avatar/image in the Hibob HR platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user details (GET) to retrieve an ID, then performs a PUT + request to update the user's avatar in the external Hibob system. It does not + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (uploads an image), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -474,3 +764,7 @@ Upload User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided parameters (email) to identify the user in + the external system. diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..38e85d461 --- /dev/null +++ b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The Hibob integration is an HR management platform that provides context and lifecycle + management for user identities. It qualifies for 'IAM & Identity Management' because + it includes actions like 'Revoke Access' and 'Send Invitation', which allow the + agent to manage user account states (suspending or enabling access). It also qualifies + for 'Asset Inventory' because it provides 'Enrich Entities' and 'Search User' + actions, which retrieve detailed HR metadata (department, role, status) for user + entities, helping analysts understand the context of internal assets. It does + not qualify for other categories like SIEM, EDR, Network Security, or Threat Intelligence + as it does not interact with logs, host processes, network traffic, or external + threat indicators. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml index 63405cf71..6f6960b12 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml @@ -1,39 +1,46 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a connectivity test by uploading an image to Imgbb. It does + not match any of the defined product categories (e.g., it is not a sandbox submission, + it is not an IOC enrichment, it is not a ticket creation). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and the Imgbb API. Its primary purpose is to ensure that the integration - is correctly configured and that the system can successfully authenticate and - communicate with the external service. - - - ### Parameters Description - - This action does not require any input parameters. It utilizes the global integration - configuration, specifically the **API Key**, to perform the connectivity test. - - - ### Additional Notes - - Unlike a standard network ping, this action performs a functional test by attempting - to upload a small, hardcoded sample image to the Imgbb service. This confirms - that the API key has the necessary permissions to perform uploads. - - - ### Flow Description - - 1. **Configuration Retrieval**: The script retrieves the `API Key` from the Imgbb - integration configuration. - - 2. **Endpoint Construction**: It targets the Imgbb upload API endpoint (`https://api.imgbb.com/1/upload`). - - 3. **Sample Upload**: The action sends a POST request containing a hardcoded base64-encoded - sample image. - - 4. **Response Validation**: The script evaluates the HTTP response. If the request - is successful (status code 200), it reports a successful connection. If the request - fails, an exception is raised, indicating a configuration or connectivity issue. + Tests connectivity to the Imgbb service by performing a test image upload. This + action verifies that the integration is configured correctly and can communicate + with the external API. ### Flow Description 1. Initialize the SiemplifyAction. + 2. Retrieve the 'API Key' from the Imgbb integration configuration. 3. Construct + the API upload URL using the provided API key. 4. Send a POST request to the Imgbb + API with a hardcoded test image. 5. Terminate the action with a success message + if the request is successful. ### Parameters | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | API Key | String | Yes | The API key + used to authenticate requests to the Imgbb service. | capabilities: can_create_case_comments: false can_create_insight: false @@ -42,12 +49,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Imgbb upload endpoint, which results - in a sample image being uploaded to the external service to verify connectivity. + Uploads a test image to the Imgbb service to verify connectivity. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes an external mutation. It does not fetch data, update + internal entities, or modify case data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. Furthermore, it performs an external mutation (upload) rather than fetching + data, failing the enrichment criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -63,52 +77,81 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test. Upload Image From Base64: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action uploads an image to an external service. It does not match any of + the predefined categories like enrichment, ticket management, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Uploads a base64-encoded image to the Imgbb hosting service and retrieves a public - URL for the image. This action is primarily used as a utility to host images (such - as screenshots or evidence) externally and provide a direct link within the SOAR - case. + This action uploads a base64-encoded image to the Imgbb service. It is designed + to take an image string, send it to the Imgbb API, and retrieve the resulting + image URL for use within the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. The action extracts the `Image in base64` parameter provided by the user. - | :--- | :--- | :--- | :--- | + 2. It constructs a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) + with the base64 image data. - | Image in base64 | The base64 string representation of the image to be uploaded - to Imgbb. | String | Yes | + 3. The API response is parsed to retrieve the uploaded image URL. + 4. If the upload is successful, the action adds the image URL as a link to the + action result and returns a success message. - ### Flow Description + 5. If the upload fails, the action returns an error message and sets the result + to failure. - 1. **Configuration Retrieval**: Fetches the API Key and SSL verification settings - from the Imgbb integration configuration. - 2. **Parameter Extraction**: Retrieves the mandatory base64 image string from - the action parameters. + ### Parameters Description - 3. **API Interaction**: Sends a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) - containing the image data. The request includes a default expiration of 600 seconds - (10 minutes) for the uploaded image. + | Parameter | Type | Mandatory | Description | - 4. **Response Processing**: Parses the JSON response from Imgbb to extract the - generated image URL. + | :--- | :--- | :--- | :--- | - 5. **Output Generation**: Adds the resulting image URL as a clickable link to - the action result and includes the full response data in the JSON result block. + | Image in base64 | string | Yes | The base64-encoded string of the image to be + uploaded to Imgbb. | ### Additional Notes - * The uploaded image is set to expire automatically after 10 minutes as per the - API endpoint configuration in the script. + - This action requires an API key to be configured in the Imgbb integration settings. - * This action does not process or iterate over SecOps entities; it operates solely - on the provided base64 string parameter. + - The action does not interact with any specific entities; it operates on the + provided base64 string. capabilities: can_create_case_comments: false can_create_insight: false @@ -116,13 +159,19 @@ Upload Image From Base64: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Uploads a base64 encoded image to the Imgbb service, creating a new hosted image - resource on their servers. + external_data_mutation_explanation: Uploads an image to the Imgbb service. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes external data mutation. It does not fetch contextual + data about entities or alerts, nor does it modify internal SOAR data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action is an upload utility, not an enrichment action. It does not fetch + data about entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -138,53 +187,80 @@ Upload Image From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It processes a provided + base64 string parameter. Upload Image From File Path: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action uploads an image to an external hosting service (Imgbb). It does + not match any of the provided security-specific categories such as enrichment, + containment, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Upload Image From File Path** action enables the uploading of a local image - file to the Imgbb hosting service. Its primary purpose is to take a file stored - on the local system, upload it to a cloud-based hosting provider, and retrieve - a public URL for the image. This is particularly useful for sharing screenshots - or visual evidence captured during an investigation. + This action uploads an image file from a specified local file path to the Imgbb + image hosting service. It facilitates the sharing of images by hosting them externally + and returning a direct URL to the uploaded content. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the `Image File Path` parameter provided by the user. - | :--- | :--- | :--- | :--- | + 2. It reads the image file from the local file system and encodes the binary content + into a base64 string. - | Image File Path | String | Yes | The full system path to the image file that - needs to be uploaded to Imgbb. | + 3. A POST request is sent to the Imgbb API (`https://api.imgbb.com/1/upload`) + containing the base64-encoded image data. + 4. The action parses the API response to extract the hosted image URL. - ### Flow Description + 5. The image URL is added as a link to the action result, and the full JSON response + is attached to the action output. - 1. **Setup**: Retrieves the Imgbb API Key and SSL verification preferences from - the integration configuration. - 2. **File Encoding**: Reads the image file from the specified local path and converts - the binary data into a Base64-encoded string. + ### Parameters Description - 3. **External Upload**: Executes a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) - with the Base64 data. The upload is configured with a 600-second (10-minute) expiration. + | Parameter | Type | Mandatory | Description | - 4. **Data Extraction**: Parses the JSON response from Imgbb to extract the direct - URL of the uploaded image. + | :--- | :--- | :--- | :--- | - 5. **Result Reporting**: Adds the image URL as a clickable link in the Google - SecOps interface and provides the URL in the action's JSON result for use in subsequent - playbook steps. + | Image File Path | string | Yes | The local file system path to the image file + that should be uploaded to Imgbb. | ### Additional Notes - - The action requires the Google SecOps runner to have filesystem access to the - provided path. - - - The uploaded image is temporary and will expire after 10 minutes as per the - hardcoded API parameter. + This action does not interact with any SecOps entities. It is a utility action + designed for file hosting and retrieval. capabilities: can_create_case_comments: false can_create_insight: false @@ -193,12 +269,22 @@ Upload Image From File Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads an image file to the Imgbb service, creating a new hosted image resource - on their platform. + The action uploads an image file to the Imgbb hosting service, creating a new + resource on their platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes a mutation of external data. It does not fetch contextual + data about alerts or entities, nor does it modify internal SecOps data, entities, + or case comments. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch contextual + data about entities or alerts. Furthermore, it mutates external data by uploading + a file, which violates the requirement for enrichment actions to be read-only + regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -214,3 +300,6 @@ Upload Image From File Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on a file path provided as an input parameter. diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..22161dbcc --- /dev/null +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml @@ -0,0 +1,18 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Imgbb integration provides utility actions for uploading images to an external + hosting service. It does not perform any security-related functions such as threat + intelligence enrichment, log analysis, identity management, ticketing, or collaboration. + As it is a general-purpose utility integration, it does not align with any of + the specified security product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml index 468654f0c..1a948bd6a 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml @@ -1,28 +1,84 @@ Enrich Domain: - ai_description: "### General Description\nEnriches Hostname entities using the IPQualityScore\ - \ (IPQS) service to detect malicious URLs, phishing links, and malware. This action\ - \ leverages machine learning models to provide real-time risk scoring, domain\ - \ age analysis, and reputation checks for domains and links.\n\n### Parameters\ - \ Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Strictness | DDL | Yes | Determines the intensity of the\ - \ scan. Options are '0', '1', or '2'. Higher strictness levels provide more thorough\ - \ checks but may increase the false-positive rate. |\n| Fast | Boolean | No |\ - \ When enabled (true), the API performs lighter analysis to provide faster response\ - \ times. Defaults to false. |\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ Retrieves the API Key from the integration configuration and the 'Strictness'\ - \ and 'Fast' settings from the action parameters.\n2. **Entity Filtering:** Identifies\ - \ all Hostname entities within the current context.\n3. **External API Interaction:**\ - \ For each Hostname, the action sends a POST request to the IPQS URL API endpoint,\ - \ passing the strictness and speed preferences.\n4. **Risk Evaluation:** Analyzes\ - \ the API response to determine a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH\ - \ RISK, CRITICAL) based on malware/phishing flags and the numerical risk score.\n\ - 5. **Internal Data Enrichment:** \n * Updates the entity's additional properties\ - \ with detailed metadata (e.g., domain rank, DNS validity, domain age).\n *\ - \ Sets the entity's 'is_suspicious' attribute if the risk score exceeds defined\ - \ thresholds.\n * Creates a Case Insight summarizing the IPQS verdict.\n\ - \ * Adds a detailed data table to the entity in the SOAR interface.\n6. **Result\ - \ Reporting:** Returns a JSON object containing the full enrichment data for all\ - \ processed entities." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for domains/hostnames, + which aligns with 'Enrich IOC'. It does not perform containment, ticket management, + or other state-changing operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action enriches Hostname entities using the IPQualityScore (IPQS) API to + detect suspicious URLs, phishing, malware, and parked domains. It retrieves real-time + threat intelligence, including risk scores and domain reputation, to help analysts + assess the threat level of a domain. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the `Strictness` and `Fast` parameters + from the configuration. + + 2. **Entity Filtering**: The action iterates over the target entities, specifically + filtering for `HOSTNAME` entities. + + 3. **API Interaction**: For each valid entity, it performs a POST request to the + IPQS API to fetch reputation data. + + 4. **Data Processing**: The action parses the API response, calculates risk scores, + and determines if the entity is suspicious. + + 5. **Internal Update**: It updates the entity's `additional_properties` (e.g., + fraud score, domain age, risk category), sets the `is_enriched` flag, and updates + the `is_suspicious` status if the risk threshold is met. + + 6. **Reporting**: It creates a case insight with the risk verdict and adds a data + table to the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Strictness | ddl | Yes | Determines the strictness of the URL scan (0, 1, 2). + Stricter checks may increase false positives. | + + | Fast | boolean | No | When enabled, the API provides quicker response times + using lighter checks and analysis. | + + + ### Additional Notes + + This action is strictly limited to `HOSTNAME` entities as defined in the script + logic. capabilities: can_create_case_comments: false can_create_insight: true @@ -33,10 +89,19 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with IPQS reputation data, modifies the 'is_suspicious' - and 'is_enriched' flags, and creates case insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the IPQS API (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It updates + internal entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) and updates internal + entities/insights without modifying external systems. This fits the definition + of an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -53,77 +118,70 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script explicitly calls `ipqs_manager.enrich([EntityTypes.HOSTNAME])`, limiting + the action to HOSTNAME entities. It iterates over `target_entities` and filters + by `entity_type`. Enrich Email: - ai_description: >- - ### General Description - - The **Enrich Email** action provides real-time email address reputation scoring - and validation using the IPQualityScore (IPQS) API. It performs a variety of checks, - including syntax validation, DNS verification, and SMTP checks to determine if - an email inbox exists and is active. Additionally, it identifies if an email address - is associated with recent abuse, fraud, or disposable mail services, providing - a comprehensive risk assessment for security investigations. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Abuse Strictness** | DDL | Yes | Sets the strictness level (0, 1, or 2) for - machine learning pattern recognition of abusive email addresses. Higher levels - are more aggressive in flagging potential threats. | - - | **Fast** | Boolean | No | If enabled, the API skips the SMTP check with the - mail service provider, which significantly increases the speed of the action but - may reduce validation depth. | - - | **Timeout in seconds** | String | No | Specifies the maximum number of seconds - to wait for a reply from a mail service provider. The default value is 7 seconds. - | - - | **Suggest Domain** | Boolean | No | If enabled, the action checks if the email - domain has a typo and suggests a correction to a popular mail service (e.g., correcting - 'gmial.com' to 'gmail.com'). | - - - ### Flow Description - - 1. **Initialization**: The action extracts the API key from the integration configuration - and retrieves the user-defined parameters (Abuse Strictness, Fast mode, Timeout, - and Domain Suggestion). - - 2. **Entity Filtering**: The action iterates through the case entities, specifically - targeting `USER` entities that match a standard email address format via regular - expression. - - 3. **API Interaction**: For each valid email entity, a POST request is sent to - the IPQS Email Validation API with the configured parameters. - - 4. **Risk Scoring**: The action processes the API response to determine a risk - verdict (e.g., CLEAN, LOW RISK, HIGH RISK, DISPOSABLE, or INVALID) based on the - fraud score and validation flags. - - 5. **Internal Enrichment**: - * **Entity Attributes**: Updates the entity's additional properties with detailed - IPQS data (e.g., deliverability, domain age, leak status). - * **Suspicious Status**: Marks the entity as suspicious if the risk assessment - exceeds internal thresholds. - * **Insights**: Generates a Case Insight summarizing the IPQS verdict and - key risk indicators. - * **Data Tables**: Adds a detailed enrichment table to the entity for quick - reference in the SOAR UI. - 6. **Finalization**: Updates the entities within Google SecOps and returns a structured - JSON result of the enrichment data. - - - ### Additional Notes - - - This action is strictly for enrichment and does not modify any data in the IPQualityScore - platform. - - - The action specifically maps `USER` entities to email validation logic. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and threat intelligence for an + email address (IOC). This matches the 'Enrich IOC' category. It does not perform + any other listed actions like blocking, ticketing, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches email address entities\ + \ using the IPQualityScore (IPQS) API. It retrieves real-time reputation, validity,\ + \ and risk scoring data to help analysts determine if an email address is disposable,\ + \ malicious, or associated with fraudulent behavior. The action updates the entity\ + \ with detailed properties and generates a case insight for quick visibility.\n\ + \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the API key and user-defined parameters (Abuse Strictness, Fast, Timeout, Suggest\ + \ Domain).\n2. **Entity Filtering**: It iterates through the target entities,\ + \ specifically selecting `USER` entities that match a valid email address format\ + \ (using a regex check).\n3. **External API Interaction**: For each valid email,\ + \ it sends a POST request to the IPQS API to fetch reputation and risk data.\n\ + 4. **Data Processing**: The API response is parsed to extract metrics such as\ + \ fraud score, disposable status, and deliverability.\n5. **Internal Updates**:\ + \ \n - Updates the entity's `additional_properties` with the retrieved data.\n\ + \ - Sets the `is_enriched` flag on the entity.\n - Optionally updates the\ + \ `is_suspicious` flag based on the risk score.\n - Adds an entity table to\ + \ the SOAR platform with the detailed results.\n - Creates a case insight summarizing\ + \ the IPQS verdict.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Abuse Strictness | ddl | Yes\ + \ | Sets the strictness level (0, 1, 2) for machine learning pattern recognition\ + \ of abusive email addresses. |\n| Fast | boolean | No | When enabled, skips the\ + \ SMTP check with the mail service provider to increase API speed. |\n| Timeout\ + \ in seconds | string | No | Maximum number of seconds to wait for a reply from\ + \ the mail service provider. |\n| Suggest Domain | boolean | No | If enabled,\ + \ forces analysis to check if the email domain has a typo and suggests a correction.\ + \ |\n\n### Additional Notes\n- The action specifically targets `USER` entities.\ + \ If an entity is not a `USER` or does not match the email regex, it will be skipped." capabilities: can_create_case_comments: false can_create_insight: true @@ -134,10 +192,20 @@ Enrich Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with IPQS reputation data, sets the entity's suspicious - flag based on risk scores, and creates case insights summarizing the findings. + Updates entity properties, adds entity tables, and creates case insights within + the SOAR platform. + reasoning: >- + The action fetches data from an external API (IPQS) to enrich entities. It does + not mutate external systems (no block/quarantine actions). It performs allowed + internal mutations by updating entity properties, adding entity tables, and + creating case insights. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) to enrich entities. It + does not mutate external systems. It performs allowed internal mutations (updating + entities, creating insights). It is not a Ping or download action. Therefore, + it is an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -154,41 +222,76 @@ Enrich Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by `entity.entity_type + == EntityTypes.USER`. It further validates the entity identifier using an email + regex. Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using the\ - \ IPQualityScore (IPQS) Fraud and Risk Scoring service. This action performs real-time\ - \ lookups to determine the risk level of an IP address, identifying if it is associated\ - \ with proxies, VPNs, TOR nodes, or malicious activity. It retrieves over 20 data\ - \ points, including geolocation, ISP, connection type, and a fraud score, to help\ - \ analysts classify the reputation and risk of network traffic.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Strictness | DDL | Yes | Sets the depth/strictness of the query\ - \ (0, 1, or 2). Higher values increase processing time and potential false-positive\ - \ rates. |\n| User Agent | String | No | Optional browser user agent string to\ - \ help identify bots or invalid browsers. |\n| User Language | String | No | Optional\ - \ language header to assist in fraud score evaluation. |\n| Fast | Boolean | No\ - \ | If enabled, bypasses certain forensic checks to speed up processing. |\n|\ - \ Mobile | Boolean | No | If enabled, treats the lookup as a mobile device. |\n\ - | Allow Public Access Points | Boolean | No | Bypasses checks for education, research,\ - \ and corporate connections. |\n| Lighter Penalties | Boolean | No | Skips certain\ - \ denylists to reduce false positives for sensitive audiences. |\n\n### Flow Description\n\ - 1. **Initialization**: Extracts the API Key from the integration configuration\ - \ and retrieves action parameters (Strictness, User Agent, etc.).\n2. **Entity\ - \ Filtering**: Identifies all IP Address entities within the current context.\n\ - 3. **API Interaction**: For each IP Address, sends a POST request to the IPQS\ - \ API with the specified parameters.\n4. **Data Processing**: Parses the API response\ - \ to extract fraud scores, geolocation data (Country, City, Zip), ISP information,\ - \ and proxy/VPN status.\n5. **Risk Assessment**: Calculates a risk verdict (CLEAN,\ - \ SUSPICIOUS, MEDIUM, HIGH, or CRITICAL) based on the returned fraud score.\n\ - 6. **Internal Updates**: \n * Updates the entity's additional properties with\ - \ the prefix 'IPQualityScore'.\n * Marks the entity as 'enriched'.\n * Sets\ - \ the 'is_suspicious' flag if the fraud score meets the threshold (>= 60).\n \ - \ * Adds a detailed data table to the entity.\n * Creates a Case Insight\ - \ containing the IPQS verdict.\n7. **Completion**: Returns a summary message of\ - \ processed, failed, or skipped entities.\n\n### Additional Notes\nThis action\ - \ is strictly for IP Address enrichment. While the underlying manager supports\ - \ other types, this specific action logic is hardcoded to process only ADDRESS\ - \ entities." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, fraud scores, and risk intelligence for various + indicators (IP, URL, Hostname) and assets (User, Phone). This matches 'Enrich + IOC' and 'Enrich Asset'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches various entity types\ + \ (IP Address, Hostname, URL, User/Email, and Phone Number) using the IPQualityScore\ + \ (IPQS) Fraud and Risk Scoring service. It retrieves comprehensive threat intelligence,\ + \ including fraud scores, geolocation, ISP, connection type, and reputation data,\ + \ to help analysts assess the risk associated with an entity.\n\n### Flow Description\n\ + 1. **Parameter Extraction**: The action extracts configuration parameters (API\ + \ Key) and action-specific settings (Strictness, User Agent, User Language, Fast,\ + \ Mobile, Allow Public Access Points, Lighter Penalties).\n2. **Entity Iteration**:\ + \ It iterates through the `target_entities` provided in the case.\n3. **Type Identification**:\ + \ It identifies the entity type (IP, Hostname, URL, Email, or Phone) and prepares\ + \ the corresponding API request.\n4. **External Lookup**: It performs a POST request\ + \ to the IPQS API to fetch risk and reputation data.\n5. **Data Processing**:\ + \ Based on the response, it calculates a risk verdict (Clean, Low, Moderate, High,\ + \ Critical, Suspicious, Invalid).\n6. **Internal Update**: \n - Updates the\ + \ entity's `additional_properties` with the retrieved data.\n - Sets `is_enriched`\ + \ to true.\n - Updates `is_suspicious` if the risk score exceeds defined thresholds.\n\ + \ - Adds an entity table with detailed results.\n - Creates a case insight\ + \ with the risk verdict.\n - Adds the raw JSON result to the entity.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines the strictness\ + \ of the query (0-2). Higher values may provide higher false-positive rates. |\n\ + | User Agent | string | No | The user agent string (browser) to check if the user\ + \ is a bot or using an invalid browser. |\n| User Language | string | No | The\ + \ user's language header to evaluate risk. |\n| Fast | boolean | No | If enabled,\ + \ skips certain forensic checks to process faster. |\n| Mobile | boolean | No\ + \ | Specifies if the lookup should be treated as a mobile device. |\n| Allow Public\ + \ Access Points | boolean | No | Bypasses checks for IP addresses from education/research\ + \ institutions and corporate connections. |\n| Lighter Penalties | boolean | No\ + \ | Skips some denylists to reduce false-positives for sensitive audiences. |\n\ + \n### Additional Notes\n- The action supports multiple entity types: `ADDRESS`,\ + \ `HOSTNAME`, `URL`, `USER` (via email regex), and `PHONENUMBER`.\n- The action\ + \ does not mutate external systems; it is strictly for enrichment and internal\ + \ SOAR data updates." capabilities: can_create_case_comments: false can_create_insight: true @@ -199,13 +302,26 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the suspicious - status based on fraud scores, and creates case insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties), + adds entity tables, and creates case insights. + reasoning: >- + The action fetches threat intelligence data from an external API (IPQS). It + updates internal entity properties (is_enriched, is_suspicious, additional_properties), + adds entity tables, and creates case insights. It does not modify external systems + or alert data. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) and updates internal + SOAR entities and insights. It does not mutate external systems. This fits the + definition of an enrichment action. entity_usage: entity_types: - ADDRESS + - HOSTNAME + - PHONENUMBER + - USERUNIQNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -219,32 +335,67 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and processes specific + types: `ADDRESS`, `HOSTNAME`, `URL`, `USER` (via email regex), and `PHONENUMBER`. + It does not filter by other attributes. Enrich Phone: - ai_description: "### General Description\nEnriches Phone Number entities using the\ - \ IPQualityScore (IPQS) API. This action validates phone numbers globally, retrieves\ - \ carrier and line type details (e.g., VOIP, prepaid, mobile), and performs risk\ - \ analysis to detect fraudulent, inactive, or disposable numbers. It helps security\ - \ analysts identify numbers associated with abusive behavior or virtual services.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Strictness** | DDL | Yes | Determines the depth\ - \ of the reputation check. Higher values (0, 1, 2) increase strictness, which\ - \ may lead to higher detection rates but also potential false positives. |\n|\ - \ **Country(For multiple countries, provide comma-separated values)** | String\ - \ | No | An optional comma-separated list of ISO country codes suspected to be\ - \ associated with the phone number to improve validation accuracy. |\n\n### Flow\ - \ Description\n1. **Configuration Extraction:** Retrieves the API Key from the\ - \ integration configuration and the 'Strictness' and 'Country' parameters from\ - \ the action input.\n2. **Entity Filtering:** Identifies all `PHONENUMBER` entities\ - \ within the current context.\n3. **External API Query:** For each phone number,\ - \ it sends a POST request to the IPQS Phone Validation API including the strictness\ - \ level and optional country hints.\n4. **Risk Scoring:** Evaluates the API response\ - \ (fraud score, active status, and validity) to determine a risk verdict (e.g.,\ - \ CLEAN, SUSPICIOUS, HIGH RISK).\n5. **Internal Data Mutation:** \n * Updates\ - \ the entity's `additional_properties` with detailed enrichment data (carrier,\ - \ line type, region, etc.).\n * Marks the entity as `is_enriched`.\n * Sets\ - \ the `is_suspicious` flag if the risk score exceeds defined thresholds.\n6. **Reporting:**\ - \ Adds a detailed data table to the entity, creates a Case Insight with the IPQS\ - \ verdict, and attaches the raw JSON result to the action output." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and carrier details for phone + numbers. This matches the 'Enrich IOC' category. It does not perform any other + listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches Phone Number entities\ + \ using the IPQualityScore (IPQS) service. It retrieves comprehensive reputation\ + \ data, including carrier details, line type, and risk analysis, to help analysts\ + \ assess the legitimacy of a phone number. The action evaluates the risk score\ + \ and updates the entity's status within the SOAR platform, providing actionable\ + \ insights.\n\n### Flow Description\n1. **Parameter Extraction**: The action retrieves\ + \ the `Strictness` level and optional `Country` configuration from the action\ + \ settings.\n2. **Entity Filtering**: It iterates through the target entities,\ + \ specifically processing those of type `PHONENUMBER`.\n3. **External API Interaction**:\ + \ For each valid phone number, it sends a POST request to the IPQS API to fetch\ + \ reputation and verification data.\n4. **Data Processing**: The retrieved data\ + \ is parsed to extract key metrics such as fraud score, carrier, and line type.\n\ + 5. **Internal Updates**: \n * Updates the entity's `additional_properties`\ + \ with the retrieved data.\n * Sets the entity's `is_enriched` flag to true.\n\ + \ * Updates the entity's `is_suspicious` flag based on the calculated risk\ + \ score.\n * Creates a case insight and an entity table containing the detailed\ + \ report.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Defines the strictness\ + \ level of the reputation check (0, 1, or 2). Stricter checks may increase the\ + \ false-positive rate. |\n| Country | string | No | Optionally provide the default\ + \ country or countries (comma-separated) associated with the phone number. |\n\ + \n### Additional Notes\nThis action is strictly for enrichment purposes and does\ + \ not modify any external systems. It only updates internal SOAR entity data and\ + \ creates insights." capabilities: can_create_case_comments: false can_create_insight: true @@ -255,10 +406,18 @@ Enrich Phone: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with phone reputation data, sets the suspicious status - based on fraud scores, and creates case insights for analyst review. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and entity tables. + reasoning: >- + The action fetches data from an external API (IPQS) to enrich phone number entities. + It updates the entity's internal properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and tables. It does not mutate external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) to enrich entities. It + does not mutate external systems. It performs allowed internal mutations (updating + entities, creating insights). Therefore, it is an enrichment action. entity_usage: entity_types: - PHONENUMBER @@ -275,35 +434,63 @@ Enrich Phone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `PHONENUMBER` entities via the `enrich` method call, which checks `if entity.entity_type + in entity_types`. Enrich URL: - ai_description: "### General Description\nThis action enriches URL entities using\ - \ the IPQualityScore (IPQS) Fraud and Risk Scoring service. It performs real-time\ - \ scans of links and domains using machine learning models to detect phishing,\ - \ malware, viruses, and parked domains. The action provides detailed intelligence\ - \ including risk scores, domain age, and reputation checks to help analysts identify\ - \ malicious infrastructure.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Strictness | DDL\ - \ | Yes | Determines the intensity of the scan. Options are '0', '1', or '2'.\ - \ Higher strictness levels perform more aggressive checks but may result in a\ - \ higher false-positive rate. |\n| Fast | Boolean | No | When enabled, the API\ - \ uses lighter analysis to provide faster response times. Default is false. |\n\ - \n### Flow Description\n1. **Configuration Retrieval**: The action extracts the\ - \ API Key from the integration settings and the 'Strictness' and 'Fast' parameters\ - \ from the action input.\n2. **Entity Filtering**: It identifies all URL entities\ - \ within the current alert or case scope.\n3. **External API Interaction**: For\ - \ each URL, it sends a POST request to the IPQS URL API endpoint, passing the\ - \ URL identifier and the configured strictness/speed parameters.\n4. **Risk Analysis**:\ - \ The action parses the IPQS response, extracting data points such as `risk_score`,\ - \ `malware`, `phishing`, and `domain_age`.\n5. **Verdict Calculation**: It applies\ - \ a scoring logic to determine a risk verdict (e.g., CLEAN, LOW RISK, HIGH RISK,\ - \ CRITICAL) based on the returned risk score and threat flags.\n6. **Internal\ - \ Data Mutation**: \n * **Entity Enrichment**: Updates the entity's additional\ - \ properties with IPQS metadata (prefixed with 'IPQualityScore').\n * **Suspicious\ - \ Flag**: Marks the entity as suspicious if the risk analysis indicates a threat.\n\ - \ * **Insights**: Creates a detailed Case Insight containing the IPQS verdict\ - \ and analysis summary.\n * **Data Tables**: Adds a formatted data table\ - \ to the entity containing comprehensive URL intelligence.\n7. **Completion**:\ - \ Returns a summary message indicating which entities were successfully enriched." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a URL, which matches + the 'Enrich IOC' category. It does not perform any other actions like blocking + or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches URL entities using the IPQS Fraud and Risk Scoring service.\ + \ This action retrieves real-time threat intelligence, including risk scores,\ + \ malware/phishing indicators, and domain reputation, to help analysts assess\ + \ the safety of a URL. \n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action retrieves the `Strictness` and `Fast` configuration parameters.\n\ + 2. **Entity Processing**: It iterates through the provided URL entities.\n3. **External\ + \ API Call**: For each URL, it queries the IPQS API to fetch reputation and risk\ + \ data.\n4. **Data Parsing & Scoring**: It parses the API response, calculates\ + \ a risk verdict (e.g., Clean, Suspicious, Critical), and formats the data into\ + \ a table.\n5. **Internal Update**: It updates the entity's additional properties\ + \ with the retrieved intelligence, marks the entity as enriched, and sets the\ + \ suspicious flag if the risk score exceeds thresholds.\n6. **Insight Creation**:\ + \ It creates a case insight with the risk verdict and adds the detailed data table\ + \ to the entity.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Defines the strictness\ + \ of the scan (0, 1, 2). Stricter checks may increase false-positive rates. |\n\ + | Fast | boolean | No | When enabled, the API provides quicker response times\ + \ using lighter checks and analysis. |\n\n### Additional Notes\nThis action is\ + \ strictly for enrichment and does not modify external systems. It only updates\ + \ internal entity properties and creates case insights within Google SecOps." capabilities: can_create_case_comments: false can_create_insight: true @@ -314,10 +501,18 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with IPQS enrichment data, modifies the - 'is_suspicious' flag based on risk scores, and creates detailed case insights. + Updates entity properties (additional_properties, is_enriched, is_suspicious) + and creates case insights. + reasoning: >- + The action fetches threat intelligence from an external API (IPQS) for URL entities. + It does not mutate external systems. It updates internal SOAR entities with + new properties and creates insights, which are allowed internal mutations. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates internal entities/insights + without modifying external systems. It meets the criteria for an enrichment + action. entity_usage: entity_types: - DestinationURL @@ -334,47 +529,71 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters specifically + for URL entities as defined in the `EnrichUrl.py` script call `ipqs_manager.enrich([EntityTypes.URL])`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional outcomes like enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity to the IPQualityScore (IPQS) server to ensure the integration - is correctly configured and the API key is valid. This action performs a health - check by attempting a sample query against the IPQS API. + This action verifies connectivity to the IPQualityScore (IPQS) API. It is designed + to test whether the configured API credentials are valid and the service is reachable. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Key | String | Yes | The API key used for authentication with the IPQualityScore - service. This is retrieved from the integration's configuration settings. | + | API Key | String | Yes | The API key used to authenticate the connection request + to the IPQS service. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key from the integration's - global configuration. - - 2. **Test Preparation**: Sets up a dummy request using a standard support email - address to verify API responsiveness. + 1. The action extracts the API Key from the integration configuration. - 3. **API Interaction**: Sends a POST request to the IPQS email validation endpoint. + 2. It initializes the `IPQSManager` with the provided API Key and a hardcoded + test email address. - 4. **Response Validation**: Analyzes the JSON response from the server to check - the 'success' status. + 3. It sends a test request to the IPQS API to verify connectivity. - 5. **Result Reporting**: Returns a success message if the connection is established. - If the connection fails or the API key is invalid, it returns a failure status - along with the error message provided by the service. - - - ### Additional Notes + 4. It evaluates the response status. - This action does not process any entities and is strictly used for diagnostic - purposes to verify the integration's communication with the external service. + 5. The action concludes by returning a success or failure message based on the + connectivity result. capabilities: can_create_case_comments: false can_create_insight: false @@ -385,8 +604,17 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) to the IPQS API. It makes an + external API request to verify the connection, but it does not fetch contextual + data for entities, nor does it mutate any external or internal systems. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, Ping actions + are not enrichment actions. It does not meet the criteria for enrichment as + it does not fetch data about entities, nor does it perform any allowed internal + mutations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -402,3 +630,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It uses a hardcoded + email address for the connectivity test. diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..37aa7e021 --- /dev/null +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'ipqs_fraud_and_risk_scoring' is a dedicated threat intelligence + enrichment service. Its primary function is to provide reputation, risk scores, + and threat data for various indicators of compromise (IOCs) such as IP addresses, + domains, URLs, email addresses, and phone numbers. It does not perform log analysis + (SIEM), host containment (EDR), firewall/gateway management (Network Security), + identity management (IAM), or ticket management (ITSM). While it enriches email + and URL entities, it does not perform the specific 'Email Security' functions + of managing inboxes or searching for affected users. Therefore, it is classified + solely under Threat Intelligence. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..b93f29893 --- /dev/null +++ b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,54 @@ +Lacework Connector: + ai_description: >- + ### General Description + + The Lacework Connector is designed to ingest security events from the Lacework + platform into Google SecOps (SOAR). It periodically polls the Lacework Events + API to retrieve security alerts, filters them based on a configurable severity + threshold, and maps them into standardized alert objects for further investigation + and response within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | accountName | String | Yes | The Lacework account name/URL identifier. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | keyId | String | Yes | The Lacework API Key ID. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | secret | Password | Yes | The Lacework API Secret. | + + | severity_threshold | String | Yes | Lacework Event Severity Threshold (1-Critical + to 5-Info). | + + + ### Flow Description + + 1. The connector initializes by authenticating with the Lacework API using the + provided `keyId`, `secret`, and `accountName` to obtain a temporary access token. + + 2. It queries the Lacework Events API for events occurring within the last hour. + + 3. For each retrieved event, the connector checks the event's severity against + the configured `severity_threshold`. + + 4. If the event meets the threshold, the connector fetches detailed information + for that specific event ID. + + 5. The event data is mapped to a standardized SOAR `AlertInfo` format, including + severity mapping, start/end times, and event details. + + 6. Finally, the processed alerts are returned to the SOAR system for case creation + and ingestion. diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..cf256fcd6 --- /dev/null +++ b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Lacework integration is specifically designed to monitor cloud environments, + focusing on the analysis of CloudTrail logs and the generation of security alerts + for cloud-native resources. This aligns directly with the 'Cloud Security' category, + which is defined for alerts involving cloud-native resources like GCP, AWS, and + Azure. The connector facilitates the ingestion of these cloud-specific security + events into the SOAR platform. It does not perform general SIEM log aggregation, + host-based EDR process analysis, network gateway blocking, or identity management, + and therefore does not fit those respective categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml index b2fd94bf7..714ce7a2a 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml @@ -1,53 +1,71 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the functional + categories like Enrich IOC, Contain Host, etc. It is a diagnostic action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Validates connectivity to Logz.io by testing provided security and operations + tokens. This action ensures that the configured API tokens are valid and that + the integration can successfully communicate with the Logz.io API. - Validates connectivity to Logz.io by testing the provided Security and Operations - API tokens. This action ensures that the integration can successfully communicate - with the Logz.io API and that the credentials provided in the configuration are - valid. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | `logzio_security_token` | String | Yes | The API token for the Logz.io Security - account. | - - | `logzio_operations_token` | String | Yes | The API token for the Logz.io Operations - account. | + | logzio_security_token | String | Yes | The security token for Logz.io. | - | `logzio_region` | String | No | The Logz.io region (e.g., 'us', 'eu'). If left - empty or set to 'us', the default base URL is used. | + | logzio_operations_token | String | Yes | The operations token for Logz.io. | - | `logzio_custom_endpoint` | String | No | A custom URL for the Logz.io API. If - provided, it overrides the regional URL logic. | + | logzio_region | String | No | The region for the Logz.io account (defaults to + US). | + | logzio_custom_endpoint | String | No | A custom API endpoint URL if required. + | - ### Flow Description - 1. **Parameter Extraction**: Retrieves the security token, operations token, region, - and custom endpoint from the integration configuration. + ### Flow - 2. **Token Validation**: Checks that both tokens are non-empty strings. + 1. Extract configuration parameters (tokens, region, custom endpoint). - 3. **Endpoint Construction**: Determines the target API URL using the provided - region or custom endpoint, appending the `whoami` suffix. + 2. Validate that tokens are provided and are strings. - 4. **Connectivity Test**: Executes GET requests to the Logz.io `whoami` endpoint - for both the Operations and Security tokens. + 3. Construct the API endpoint URL based on the region or custom endpoint. - 5. **Result Verification**: Confirms that both API calls return a 200 OK status - code and logs the associated account names. + 4. Send a GET request to the Logz.io `whoami` endpoint using the provided tokens. + 5. Verify the response status code (200) and log the account name. - ### Additional Notes - - This action is primarily used for troubleshooting and initial setup verification. - It does not process any entities or modify any data. + 6. Return success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,8 +76,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) by sending a GET request to an + external API. It does not modify any external state, nor does it modify internal + SOAR data (entities, insights, etc.). It is a read-only connectivity check. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Even though it fetches + data (GET request), it is explicitly excluded from the enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,29 +101,56 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It is a global connectivity test. json-adapter: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a data parsing utility that transforms raw JSON input into a specific + format. It does not perform any of the defined product category operations (e.g., + enrichment, containment, ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - General Description: The Json Adapter action is a utility designed to transform - raw JSON log data, specifically formatted for Logz.io, into a standardized JSON - structure compatible with Google SecOps playbooks. It extracts specific fields - from a list of log results and maps them to a consistent entityType and entityIdentifier - format, facilitating easier downstream processing and entity mapping. Parameters - Description: 1. fields_to_search (String, Mandatory): A comma-separated list of - keys (e.g., src_ip, dest_ip, user_name) to search for within each log entry in - the provided JSON. 2. raw_json (String, Mandatory): The raw JSON data to be processed. - The expected structure is an object containing a results key, which holds an array - of log objects. Flow Description: 1. Parameter Extraction: The action retrieves - the list of target fields and the raw JSON input. 2. Parsing: It converts the - fields_to_search string into a list and parses the raw_json string into a Python - dictionary. 3. Data Iteration: The script iterates through each log entry found - in the results array of the input JSON. 4. Field Mapping: For each log entry, - it checks if any of the specified search fields exist. If a match is found, it - creates a mapping: entityType (the field name) and entityIdentifier (the field - value). 5. Result Aggregation: All identified mappings are collected into a final - results object. 6. Output: If at least one field was successfully mapped, the - action returns the structured JSON and completes successfully. Additional Notes: - This action is strictly a data transformation utility and does not interact with - external APIs or modify existing entities within the SOAR environment directly. + Parses raw JSON log data to extract specific fields and format them into a standardized + JSON structure suitable for playbook consumption. This utility is designed to + normalize data from Logz.io logs. Parameters: | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | fields_to_search | string | Yes | Comma + separated list of fields to search within the JSON. | | raw_json | string | Yes + | Raw data in JSON format that is to be searched. | Flow description: 1. Retrieve + fields_to_search and raw_json from action parameters. 2. Parse the raw_json string + into a JSON object. 3. Iterate through the results array within the parsed JSON. + 4. For each item, check if the specified fields exist. 5. If a field exists, create + a mapping where the field name is the entityType and the field value is the entityIdentifier. + 6. Collect these mappings into an output structure. 7. If any mappings are found, + add the resulting JSON to the action output using add_result_json. 8. Complete + the action with a success status if results were found, or failure otherwise. capabilities: can_create_case_comments: false can_create_insight: false @@ -108,8 +161,16 @@ json-adapter: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action processes input parameters to transform data. It does not perform + any external API calls (fetches_data=false), nor does it modify any internal + SOAR entities, insights, or case data. It simply outputs a JSON result. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it modify the + state of the SOAR platform or external systems. It is a data parsing utility, + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -125,62 +186,54 @@ json-adapter: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It processes raw + input strings provided as parameters. logzio-get-logs-by-event-id: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical logs from Logz.io based on a provided event + ID. This matches the Search Events category. It does not perform enrichment, + update alerts, or modify external systems. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action fetches the logs that triggered a specific security event from Logz.io. - It retrieves the logs in JSON format and provides them as a paginated list. The - action is designed to help investigators see the raw data behind a security alert - by querying the Logz.io Security API using a unique event identifier. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | alert_event_id | string | Yes | The unique GUID of the security event in your - Logz.io security account. This ID is used to filter and retrieve the specific - logs associated with the event. | - - | page_size | string | No | Controls the number of results per page. Valid inputs - are between 1 and 1000. If an invalid value is provided, it defaults to 25. | - - - ### Additional Notes - - - The action automatically handles pagination to ensure all logs associated with - the event ID are collected, even if they span multiple pages. - - - The action uses a ThreadPoolExecutor to fetch multiple pages concurrently for - better performance. - - - Retrieved logs are added to the case as insights for immediate visibility. - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, - and optional custom endpoint from the integration configuration. - - 2. **Endpoint Construction:** It determines the correct API URL based on the provided - region or custom endpoint. - - 3. **Initial API Call:** It sends a POST request to the Logz.io search logs endpoint - using the `alert_event_id` and the specified `page_size`. - - 4. **Pagination Handling:** If the total number of available logs exceeds the - initial page, the action calculates the remaining pages and fetches them concurrently. - - 5. **Data Processing:** All collected logs are aggregated into a single JSON structure. - - 6. **Insight Creation:** The action creates case insights within Google SecOps, - containing the retrieved log data. - - 7. **Completion:** The action returns the aggregated JSON results and a success - message indicating the number of logs retrieved. + Fetches logs from Logz.io associated with a specific security event ID. The action + retrieves logs in a paginated manner and adds them as a JSON result to the action + output. Additionally, it creates case insights for the retrieved logs. Flow: 1. + Extracts the alert_event_id and page_size from the action parameters. 2. Constructs + the API request body with the event ID and pagination settings. 3. Sends a POST + request to the Logz.io API to retrieve logs. 4. Handles pagination by fetching + subsequent pages if necessary. 5. Adds the retrieved logs as a JSON result to + the action output. 6. Creates case insights for the retrieved logs. Parameters: + alert_event_id (string, mandatory): Unique GUID of the security event in your + Logz.io security account. page_size (string, optional): Controls the number of + results per page. Valid inputs are 1 to 1000. Defaults to 25. capabilities: can_create_case_comments: false can_create_insight: true @@ -191,10 +244,18 @@ logzio-get-logs-by-event-id: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights within Google SecOps to display the retrieved - logs. + Creates case insights containing the retrieved logs. + reasoning: >- + The action fetches logs from Logz.io via a POST request (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It creates + case insights within the SOAR platform (can_mutate_internal_data=true, can_create_insight=true). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches logs from an external source (Logz.io). However, it is not + an enrichment action because it does not provide supplemental context (reputation, + prevalence, etc.) for entities or alerts, but rather retrieves raw log data. + It is classified as a search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -210,65 +271,59 @@ logzio-get-logs-by-event-id: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over siemplify.target_entities or use entity-specific + identifiers. It relies on a user-provided alert_event_id parameter to fetch + logs. logzio-search-logs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for logs in Logz.io and returns the results. This matches + the 'Search Events' category. It does not perform enrichment, containment, or + ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Searches logs in a Logz.io operations account using Lucene syntax. This action - allows users to retrieve specific log data within a defined time range, providing - raw log results for further analysis within the SOAR platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | query | string | No | A search query written in valid Lucene syntax. Defaults - to '*' (wildcard) if not provided. | - - | size | string | No | The number of log results to retrieve per query. It is - limited to a maximum of 1000 logs. If an invalid value is provided, it defaults - to 1000. | - - | from_time | string | Yes | The earliest time to search. It accepts Unix timestamps, - relative time (e.g., '1 hour ago'), or specific date formats. | - - | to_time | string | No | The latest time to search. This should be left empty - if a relative time is used for the 'from_time' parameter. | - - - ### Additional Notes - - - The action requires a valid Logz.io API token and region (or custom endpoint) - to be configured in the integration settings. - - - Time parsing is handled by the `dateparser` library, supporting a wide range - of natural language and technical time formats. - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, - and optional custom endpoint from the integration configuration. - - 2. **Parameter Processing:** It extracts the search query, validates the result - size (clamping it between 1 and 1000), and parses the 'from' and 'to' time parameters - into Unix timestamps. - - 3. **Request Construction:** A JSON request body is constructed following the - Logz.io Search API schema, including the Lucene query and the timestamp range - filters. - - 4. **API Interaction:** The action performs a POST request to the Logz.io search - endpoint (`v1/search`). - - 5. **Data Parsing:** Upon a successful response (HTTP 200), the action iterates - through the hits and extracts the `_source` data for each log entry. - - 6. **Result Delivery:** The collected logs are formatted into a JSON object and - added to the action's result, and the action completes successfully. + Searches for logs in your Logz.io operations account based on a provided query + and time range. \n\n### Flow Description \n1. The action extracts configuration + parameters (Logz.io API token, region, and optional custom endpoint) and action + parameters (query, size, from_time, and to_time). \n2. It constructs a Lucene-based + search query and prepares the request body. \n3. It sends a POST request to the + Logz.io search API. \n4. It parses the response and returns the log results as + a JSON object to the SOAR platform. \n\n### Parameters Description \n| Parameter + | Type | Mandatory | Description | \n| :--- | :--- | :--- | :--- | \n| query | + string | No | A search query written in valid Lucene syntax. Default is `*`. | + \n| size | string | No | Number of log results per query. Limited to 1000 logs. + | \n| from_time | string | Yes | Earliest time to search. Accepts Unix timestamps, + relative time, or format `%Y-%m-%dT%H:%M:%S.%f`. | \n| to_time | string | No | + Latest time to search. | \n\n### Additional Notes \nIf no size is provided, the + action defaults to 1000 logs. The `from_time` parameter is mandatory for the search + to execute. capabilities: can_create_case_comments: false can_create_insight: false @@ -279,8 +334,16 @@ logzio-search-logs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Logz.io API to retrieve logs based + on a query and time range. It does not modify external systems or internal SOAR + data (entities, insights, comments). It is a read-only operation. categories: enrichment: false + reasoning: >- + The action is a search utility for logs. It does not operate on specific entities + to enrich them, nor does it meet the criteria for an enrichment action (which + requires operating on entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -296,3 +359,6 @@ logzio-search-logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + logic. It is a standalone search action. diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..a7f0017b5 --- /dev/null +++ b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,68 @@ +LOGZIO fetch-security-events: + ai_description: >- + ### General Description + + The Logz.io Fetch Security Events connector enables the ingestion of security + events from a Logz.io account into Google SecOps. It allows security teams to + monitor and respond to security rules triggered within Logz.io by converting these + events into actionable cases within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | from_date | String | Yes | Earliest time to search. Accepts Unix timestamps, + relative time, or "%Y-%m-%dT%H:%M:%S.%f". | + + | logzio_custom_endpoint | String | No | Optional custom URL for the Logz.io API; + overrides logzio_region. | + + | logzio_region | String | No | 2-letter region code for your Logz.io account. + | + + | logzio_token | Password | Yes | API token for your Logz.io security account. + | + + | page_size | Integer | No | Controls the number of results per page (1-1000). + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | search_term | String | No | Filter for a matching string in the rule name. | + + | severities | String | No | Comma-delimited list of security rules severities + (e.g., "INFO", "LOW", "MEDIUM", "HIGH", "SEVERE"). | + + + ### Flow Description + + 1. Initializes the connector and extracts configuration parameters, including + the API token and region. + + 2. Determines the API endpoint based on the provided region or custom URL. + + 3. Calculates the time range for the query, using either the last saved timestamp + or the user-provided `from_date`. + + 4. Queries the Logz.io Security Rules API (`v2/security/rules/events/search`) + with the specified filters (search term, severities, pagination). + + 5. Iterates through all available pages of results to collect all relevant security + events. + + 6. Maps each Logz.io event to the Google SecOps alert format, including severity + mapping and event details. + + 7. Updates the internal timestamp to ensure subsequent runs fetch only new events. + + 8. Returns the collected alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..995cf1cd3 --- /dev/null +++ b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Logz.io integration is primarily designed to ingest security events and alerts + from the Logz.io platform into Google SecOps. This functionality aligns directly + with the SIEM category, as it enables the SOAR platform to monitor security rules + triggered in Logz.io, create cases, and provide visibility into security incidents. + It does not perform EDR, Network Security, Threat Intelligence, Email Security, + IAM, Cloud Security (specifically for resource configuration), ITSM, Vulnerability + Management, Asset Inventory, or Collaboration functions. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml index a87d40307..58b178cd4 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml @@ -1,31 +1,51 @@ Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ used to verify the connectivity between Google SecOps and the Luminar API. Its\ - \ primary purpose is to validate that the integration's configuration parameters\u2014\ - specifically the API credentials and the base URL\u2014are correct and that the\ - \ external service is reachable.\n\n### Parameters Description\n| Parameter Name\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Luminar\ - \ API Client ID | String | Yes | The Client ID used for OAuth2 authentication\ - \ with the Luminar service. |\n| Luminar API Client Secret | String | Yes | The\ - \ Client Secret used for OAuth2 authentication with the Luminar service. |\n|\ - \ Luminar API Account ID | String | Yes | The specific Account ID (Realm) used\ - \ to construct the API endpoint path. |\n| Luminar Base URL | String | Yes | The\ - \ base URL of the Luminar API instance. |\n\n### Additional Notes\nThis action\ - \ does not have any action-specific parameters; it relies entirely on the integration's\ - \ global configuration. It does not process entities, fetch threat intelligence\ - \ data for alerts, or modify any internal or external records. It is strictly\ - \ a connectivity test.\n\n### Flow Description\n1. **Configuration Extraction**:\ - \ The script retrieves the Client ID, Client Secret, Account ID, and Base URL\ - \ from the integration's configuration settings.\n2. **Manager Initialization**:\ - \ It initializes the `LuminarManager` with the retrieved credentials.\n3. **Connectivity\ - \ Test**: The action invokes the `test_connectivity` method, which sends an HTTP\ - \ POST request to the Luminar token endpoint (`/externalApi/realm/{account_id}/token`)\ - \ using the provided credentials.\n4. **Response Evaluation**: The script evaluates\ - \ the HTTP response. If the response is successful (HTTP 200 OK), the connection\ - \ is confirmed. If the response indicates an authentication error (401, 403) or\ - \ other failures, the action reports a connection error.\n5. **Execution Completion**:\ - \ The action terminates, providing a status message and a boolean result indicating\ - \ whether the connection was successful." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, ticket creation, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + The Ping action tests the connectivity between the Google SecOps platform and + the Luminar API. General description: This action verifies that the provided API + credentials and configuration are valid by attempting to authenticate with the + Luminar API. Parameters description: Luminar API Client ID (String, Mandatory): + The client ID for Luminar API authentication. Luminar API Client Secret (String, + Mandatory): The client secret for Luminar API authentication. Luminar API Account + ID (String, Mandatory): The account ID used to construct the API request URL. + Luminar Base URL (String, Mandatory): The base URL for the Luminar API. Additional + notes: All parameters are mandatory for the action to successfully test connectivity. + Flow description: 1. The action extracts the configuration parameters (Client + ID, Client Secret, Account ID, Base URL). 2. It initializes the LuminarManager + with these credentials. 3. It executes the test_connectivity method, which sends + a POST request to the Luminar API token endpoint. 4. The action validates the + response status code (200 OK indicates success, while 400-404 indicate failure). + 5. It logs the result and terminates the action with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -36,8 +56,19 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a POST request to an external + API to validate credentials. It does not fetch contextual data for entities + or alerts (fetches_data=false). It does not change the state of any external + system (can_mutate_external_data=false) or internal system (can_mutate_internal_data=false). + It does not update entities, create insights, modify alert data, or create case + comments. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed solely for connectivity testing. According + to the provided rules, 'Ping' actions are not enrichment actions. It does not + fetch data, nor does it mutate any systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -53,3 +84,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It is a global + connectivity test. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..897ee95e5 --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,66 @@ +"Luminar IOCs and Leaked Credentials Connector": + ai_description: >- + ### General Description + + The Luminar IOCs and Leaked Credentials connector integrates with the Luminar + platform to ingest threat intelligence data. It periodically fetches Indicators + of Compromise (IOCs) and leaked credential incidents, maps them to the SOAR data + model, and creates actionable alerts within the Google SecOps platform. This enables + security teams to proactively monitor for malicious activity and compromised accounts + identified by Luminar. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Luminar API Account ID | Password | Yes | The Luminar API Account ID. | + + | Luminar API Client ID | Password | Yes | The Luminar API Client ID. | + + | Luminar API Client Secret | Password | Yes | The Luminar API Client Secret. + | + + | Luminar Base URL | String | Yes | The base URL for the Luminar API. | + + | Proxy Password | Password | No | Proxy server password. | + + | Proxy Port | Integer | No | Proxy server port. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy server username. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script + execution. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Luminar API using + the provided Client ID, Client Secret, and Account ID to obtain an access token. + + 2. **Data Fetching**: It queries the `/externalApi/stix` endpoint to retrieve + threat intelligence objects, utilizing pagination to handle large datasets. + + 3. **Data Processing**: The connector parses the STIX objects, identifying relationships + between malware/incidents and their associated indicators. + + 4. **Enrichment & Mapping**: It maps STIX patterns (e.g., file hashes, IP addresses, + domains) to internal indicator types and enriches the data with relevant metadata. + + 5. **Alert Creation**: The processed data is grouped and sliced into manageable + chunks (up to 500 items per alert) and converted into SOAR `AlertInfo` objects. + + 6. **Ingestion**: The generated alerts are returned to the SOAR platform for further + investigation and response. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9de43db75 --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'Luminar IOCs and Leaked Credentials' is primarily designed to + ingest threat intelligence data, specifically Indicators of Compromise (IOCs) + and leaked credential records, into the SOAR platform. This aligns directly with + the Threat Intelligence category, as the primary purpose is to provide intelligence + for security investigations and alert creation. It does not perform EDR, Network + Security, Cloud Security, or Vulnerability Management functions. While it processes + leaked credentials, it does not provide the capability to manage identities (e.g., + password resets, account suspension), so IAM & Identity Management is false. It + does not interact with email systems, so Email Security is false. The job functionality + is limited to internal case maintenance (closing expired cases) and does not constitute + an ITSM integration. Therefore, only the Threat Intelligence category is applicable. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..3cc7192a3 --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,35 @@ +Luminar IOC and Leaked Credentials Job: + ai_description: >- + ### General Description + + This job automates the maintenance of "Luminar IOCs" cases within Google SecOps. + It identifies cases that have expired based on their security event card data + and automatically closes them to keep the case management system clean. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Siemplify Username | String | Yes | The username used to authenticate with the + SOAR API. | + + | Siemplify Password | Password | Yes | The password used to authenticate with + the SOAR API. | + + + ### Flow Description + + 1. Authenticates with the SOAR API using the provided credentials to obtain a + bearer token. + + 2. Queries the SOAR platform for all open cases titled "Luminar IOCs". + + 3. Iterates through each retrieved case to fetch its full details. + + 4. Parses the expiration date from the case's security event card. + + 5. If the expiration date has passed, the job assigns the case to the configured + user and closes it with the reason "Maintenance" and root cause "Other". diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml index b97e831c4..70176fe14 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml @@ -1,45 +1,45 @@ Create lead: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new lead in Marketo. This does not match any of the predefined + categories (e.g., Enrichment, Ticket, Alert, Blocklist, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Creates a new lead in Marketo using provided user details. This action allows - for the programmatic addition of individuals to the Marketo database directly - from a SOAR workflow, facilitating marketing automation and lead management processes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Email | String | Yes | The email address of the new lead to be created. | - - | First Name | String | Yes | The first name of the new lead. | - - | Last Name | String | Yes | The last name of the new lead. | - - | Country | String | Yes | The country of the new lead. | - - - ### Flow Description - - 1. **Initialization**: The action retrieves Marketo integration credentials (Client - ID, Client Secret, and Munchkin ID) and the specific lead details from the action - parameters. - - 2. **API Connection**: It establishes a connection to the Marketo API using the - `MarketoClient`. - - 3. **Lead Creation**: The action executes a `create_update_leads` call with the - `createOnly` action flag, ensuring that it only attempts to create a new lead - rather than updating an existing one, using the email as the lookup field. - - 4. **Response Handling**: It parses the API response to check for success or specific - failure reasons (such as the lead already existing). - - 5. **Finalization**: The action outputs the raw JSON result from Marketo and provides - a human-readable summary, including the new Lead ID upon success. + This action creates a new lead in the Marketo platform using the provided user + details. Parameters: Email (string, mandatory): The email address of the new lead. + First Name (string, mandatory): The first name of the new lead. Last Name (string, + mandatory): The last name of the new lead. Country (string, mandatory): The country + of the new lead. Flow: 1. Extract integration configuration parameters (Client + Id, Client Secret, Munchkin Id). 2. Extract action parameters (Email, First Name, + Last Name, Country). 3. Initialize the MarketoClient. 4. Execute the create_update_leads + method with action='createOnly' to create the lead in Marketo. 5. Process the + response and set the execution status. 6. Add the result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -48,11 +48,17 @@ Create lead: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new lead record in the external Marketo marketing automation system. + Creates a new lead record in the Marketo platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST-like operation to create a lead in Marketo. It does + not fetch data or modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action creates external data (a lead) rather than retrieving data, so it + cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -68,13 +74,47 @@ Create lead: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses direct input parameters. Get Lead By Email Param: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves lead details (metadata) for a specific user/email from + Marketo. This aligns with the 'Enrich Asset' category, as it provides contextual + metadata for a user. It is not an IOC enrichment as it targets a user/lead. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves lead information from Marketo based on a provided email address. This - action is used to verify the existence of a lead and fetch their associated data - from the Marketo platform. + This action retrieves lead information from Marketo for a specified email address. + It is designed to fetch contextual metadata about a user or lead, which can be + used for further investigation or enrichment within a playbook. ### Parameters Description @@ -83,34 +123,34 @@ Get Lead By Email Param: | :--- | :--- | :--- | :--- | - | Email | String | Yes | The email address of the user to retrieve details for. - | + | Email | string | true | The email address of the user you want to get the details + for. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the Client ID, Client Secret, - and Munchkin ID from the integration configuration, and the Email from the action - parameters. + This action requires valid Marketo API credentials (Client ID, Client Secret, + and Munchkin ID) to be configured in the integration settings. The action does + not modify any external or internal data; it only retrieves information and adds + it to the action result. - 2. **Client Initialization**: A MarketoClient is initialized with the retrieved - credentials. - 3. **Data Retrieval**: The action calls the Marketo API to get lead details using - the email as a filter. + ### Flow Description - 4. **Response Handling**: The action checks if lead data was returned. If found, - it extracts the lead ID and sets the result to success. If not, it indicates the - user was not found. + 1. Extract configuration parameters (Client ID, Client Secret, Munchkin ID) from + the integration settings. - 5. **Finalization**: The lead details are added to the action's JSON results, - and the action completes with a summary message. + 2. Extract the `Email` parameter provided by the user. + 3. Initialize the `MarketoClient` using the extracted credentials. - ### Additional Notes + 4. Query Marketo for leads matching the provided email address using the `get_multiple_leads_by_filter_type` + method. + + 5. If a lead is found, return the lead ID and set the action result to true; otherwise, + report that the user does not exist and set the result to false. - This action operates on a manual input parameter and does not automatically iterate - over or enrich entities present in the SecOps case. + 6. Add the raw lead details to the action result JSON for further use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -121,8 +161,16 @@ Get Lead By Email Param: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action queries the Marketo API to retrieve lead information based on an + email address. It does not modify any external systems or internal SOAR data + (entities, insights, comments). It only adds the result JSON to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (lead details) from an external system (Marketo) + without modifying any external or internal state. This fits the definition of + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -138,40 +186,92 @@ Get Lead By Email Param: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It relies on a user-provided + `Email` parameter to perform the lookup. Therefore, it does not process any + entities. Get Lead By Entity Email: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (first name, last name, email, lead + ID) for a user entity from Marketo. This matches the 'Enrich Asset' category. + It does not perform IOC enrichment, ticket creation, or other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves lead information from Marketo for User entities that possess a valid - email address format. This action is used to enrich user profiles with marketing - data such as names and lead identifiers. + This action retrieves lead information from Marketo for entities identified as + users with valid email addresses. It queries the Marketo API using the email address, + retrieves details such as first name, last name, and lead ID, and updates the + entity's additional properties within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + | Client Id | String | Yes | The Client ID for Marketo API authentication. | - ### Parameters + | Client Secret | String | Yes | The Client Secret for Marketo API authentication. + | - There are no action-specific parameters for this action. It relies on the Marketo - integration configuration (Client Id, Client Secret, and Munchkin Id). + | Munchkin Id | String | Yes | The Munchkin ID for Marketo API authentication. + | + + + ### Additional Notes + + This action requires valid Marketo API credentials. It only processes entities + of type 'USER' that have a valid email address as their identifier. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the Marketo API credentials - from the integration settings. + 1. Initialize the Marketo client using the provided configuration parameters (Client + ID, Client Secret, Munchkin ID). + + 2. Iterate through the target entities in the SOAR case. - 2. **Entity Filtering**: It iterates through the target entities, selecting only - those of type `USER` that match a standard email regex pattern. + 3. Validate that the entity is of type 'USER' and that its identifier is a valid + email address. - 3. **External API Call**: For each valid email, it queries the Marketo API using - the `get_multiple_leads_by_filter_type` method. + 4. Query the Marketo API for lead details using the email address. - 4. **Data Enrichment**: If a lead is found, the action extracts the first name, - last name, email, and Lead ID. + 5. If a lead is found, update the entity's `additional_properties` with the retrieved + data (first name, last name, email, lead ID) and mark the entity as enriched. - 5. **Internal Update**: The entity's additional properties are updated with the - retrieved data, and the `is_enriched` flag is set to true. + 6. Update the enriched entities in the SOAR platform. - 6. **Finalization**: The action updates all enriched entities in Google SecOps - and provides a JSON summary of the results. + 7. Add the result as a JSON object containing the enriched entities and the total + count of leads found. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,10 +282,19 @@ Get Lead By Entity Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with lead information from Marketo and - sets the 'is_enriched' flag to true. + Updates entity 'additional_properties' and 'is_enriched' status within the SOAR + platform. + reasoning: >- + The action fetches data from the Marketo API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It updates entity + properties within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches lead data from Marketo to enrich user entities. It does not + mutate external systems and only performs allowed internal mutations (updating + entity properties). Therefore, it is an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -202,49 +311,78 @@ Get Lead By Entity Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `ent.entity_type + == EntityTypes.USER` and a regex check on `ent.identifier` to ensure it is a + valid email address. Therefore, it targets `USERUNIQNAME` entities, filtering + by entity type and identifier. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enriching IOCs, updating tickets, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity with the Marketo service to ensure that the integration - is correctly configured and that the Google SecOps environment can communicate - with the Marketo API. This action is primarily used for troubleshooting and initial - setup verification. + Tests the connectivity with Marketo by performing a simple API request to verify + the integration's health. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the following - integration configuration parameters: + | Parameter | Type | Mandatory | Description | - * **Client Id**: The client ID for the Marketo API. + | --- | --- | --- | --- | - * **Client Secret**: The client secret for the Marketo API. + | Client Id | String | Yes | Used for authentication with Marketo. | - * **Munchkin Id**: The Munchkin ID for the Marketo instance. + | Client Secret | String | Yes | Used for authentication with Marketo. | + | Munchkin Id | String | Yes | Used for authentication with Marketo. | - ### Additional Notes - This action follows the standard 'Ping' pattern for Google SecOps integrations. - It performs a read-only operation (fetching a lead by a static ID) to verify the - validity of the credentials and the network path. + ### Flow Description + 1. Extract configuration parameters (Client Id, Client Secret, Munchkin Id). - ### Flow Description + 2. Initialize the `MarketoClient`. - 1. **Initialize Action**: The action initializes the Siemplify context. + 3. Execute a `get_lead_by_id` request with a hardcoded ID to verify the connection. - 2. **Retrieve Configuration**: It extracts the Client Id, Client Secret, and Munchkin - Id from the integration settings. + 4. End the action with a success status. - 3. **Establish Connection**: It instantiates the MarketoClient using the provided - credentials. - 4. **Test API Call**: It executes a `get_lead_by_id` call for a lead with ID '1' - to verify that the API responds correctly. + ### Additional Notes - 5. **Finalize**: If the call is successful, the action ends with a success status. + This is a connectivity test action and does not perform any data enrichment or + mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,8 +393,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (`get_lead_by_id`) to verify connectivity. + It does not modify external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -272,13 +418,49 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `target_entities` or use any entity identifiers. + It uses a hardcoded ID `1` to test connectivity, therefore it does not process + any entities. Request Campaign: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a campaign in Marketo for a specific lead. This is an external + system mutation. It does not fit any of the provided categories (e.g., Enrichment, + Ticket, Containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action triggers a specific Marketo campaign for a designated lead. It allows - users to programmatically initiate marketing workflows directly from Google SecOps - by providing the campaign and lead identifiers along with optional dynamic tokens. + This action triggers a specific campaign for a lead in the Marketo platform. It + allows users to pass custom tokens to the campaign, enabling automated marketing + workflows directly from the SOAR platform. ### Parameters Description @@ -287,41 +469,29 @@ Request Campaign: | :--- | :--- | :--- | :--- | - | Campaign Id | string | Yes | The unique integer identifier of the Marketo campaign - to be requested. | + | Lead Id | string | Yes | The ID of the lead to be added to the campaign. | - | Lead Id | string | Yes | The unique integer identifier of the lead for whom - the campaign is being requested. | + | Campaign Id | string | Yes | The ID of the campaign to trigger. | - | Tokens Json | string | No | A JSON-formatted string containing key-value pairs - (tokens) to be used within the campaign. The action automatically lowercases keys - and values unless the key contains the word 'password'. | - - - ### Additional Notes + | Tokens Json | string | No | A JSON string containing tokens for the campaign. + | - - This action does not operate on entities within the Google SecOps case; it relies - entirely on the IDs provided in the action parameters. - - The `Campaign Id` and `Lead Id` are treated as integers by the underlying Marketo - SDK. + ### Flow Description + 1. Extract configuration parameters (Client ID, Client Secret, Munchkin ID) from + the integration settings. - ### Flow Description + 2. Extract action parameters (Campaign ID, Lead ID, Tokens) from the action input. - 1. **Initialization**: The action retrieves Marketo integration credentials (Client - ID, Client Secret, and Munchkin ID) and the action parameters. + 3. Parse the `Tokens Json` string into a dictionary. - 2. **Token Processing**: If provided, the `Tokens Json` is parsed. The logic iterates - through the dictionary to lowercase keys and values, preserving the case for any - values associated with keys containing 'password'. + 4. Initialize the Marketo client using the provided configuration. - 3. **API Execution**: The action initializes the `MarketoClient` and calls the - `execute` method with the `request_campaign` operation, passing the `campaign_id`, - `lead_id`, and processed tokens. + 5. Execute the `request_campaign` method in Marketo with the provided Campaign + ID, Lead ID, and tokens. - 4. **Result Handling**: If the API call is successful, the action completes with - a success message. If an error occurs, it logs the exception and fails the execution. + 6. Log the execution status and end the action with a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -330,12 +500,19 @@ Request Campaign: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the execution of a marketing campaign for a specific lead within the - Marketo platform, which initiates external workflows and communications. + Triggers a campaign for a specific lead in the Marketo platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action triggers a campaign in Marketo, which is an external system mutation. + It does not fetch data, modify internal SOAR data, update entities, create insights, + or modify alert data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Marketo) by triggering + a campaign. It does not fetch data for enrichment purposes, nor does it modify + internal SOAR data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -351,3 +528,6 @@ Request Campaign: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity-specific + logic. It relies solely on the provided `Lead Id` and `Campaign Id` parameters. diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f9b08a3a7 --- /dev/null +++ b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Marketo integration provides capabilities to retrieve lead information and + associate it with user entities within the SOAR platform. Specifically, the actions + 'Get Lead By Email Param' and 'Get Lead By Entity Email' are designed to fetch + contextual metadata (first name, last name, lead ID) for user entities, which + aligns with the 'Asset Inventory' category definition of retrieving more information + about an internal asset (in this case, a user). The integration does not perform + SIEM, EDR, Network Security, Threat Intelligence, Email Security, IAM, Cloud Security, + ITSM, Vulnerability Management, or Collaboration functions. While it interacts + with user data, it does not manage identity lifecycles (IAM) or provide security + reputation scores (Threat Intelligence). + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml index af65c55c4..f94d876a7 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml @@ -1,43 +1,74 @@ Delete Attachment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the state of an email by removing an attachment. This aligns + with the 'Update Email' category, which covers modifications to email state. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: true + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Deletes a specific attachment from a user's email message using the Microsoft + Graph API. This action is useful for removing malicious or sensitive attachments + from user mailboxes. - The **Delete Attachment** action allows analysts to programmatically remove a - specific attachment from a user's mailbox within Microsoft 365 using the Microsoft - Graph API. This is primarily used in incident response scenarios to remediate - malicious files delivered via email after they have been identified. + ### Flow Description - ### Parameters Description + 1. Extracts configuration parameters (Client ID, Secret ID, Tenant ID, Certificate + details) and action parameters (User ID, Message ID, Attachment ID). - | Parameter | Type | Mandatory | Description | + 2. Initializes the `MicrosoftGraphSecurityManager` to authenticate with the Microsoft + Graph API. - | :--- | :--- | :--- | :--- | + 3. Executes a DELETE request to the Microsoft Graph API endpoint for the specified + attachment. + + 4. Returns the status and output message of the deletion request. - | **User ID** | String | Yes | The User ID or User Principal Name (typically the - email address) of the mailbox owner. | - | **Message ID** | String | Yes | The unique identifier of the email message that - contains the attachment. | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - | **Attachment ID** | String | Yes | The unique identifier of the specific attachment - to be deleted. | + | :--- | :--- | :--- | :--- | + | User ID | string | Yes | The email address or user principal name of the user + whose mailbox contains the message. | - ### Flow Description + | Message ID | string | Yes | The unique identifier of the email message. | - 1. **Authentication**: The action establishes a connection to Microsoft Graph - using the provided Client ID, Tenant ID, and either a Secret ID or a Certificate. + | Attachment ID | string | Yes | The unique identifier of the attachment to be + deleted. | - 2. **Parameter Extraction**: It retrieves the target User ID, Message ID, and - Attachment ID from the action input. - 3. **API Execution**: The action sends a `DELETE` request to the Microsoft Graph - endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`. + ### Additional Notes - 4. **Result Processing**: If the API returns a `204 No Content` status, the action - reports a successful deletion. Otherwise, it reports a failure with the corresponding - status code. + This action performs a destructive operation on external data (Microsoft 365). + Ensure the provided IDs are correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -46,12 +77,20 @@ Delete Attachment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes an attachment from a user's mailbox in Microsoft 365, which - is a permanent state change in an external system. + Deletes an attachment from a user's email message in Microsoft 365 via the Microsoft + Graph API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Microsoft Graph API to remove an + attachment from an email. It does not fetch data, nor does it mutate internal + Google SecOps data (like case comments or insights). It is a direct mutation + of external data. categories: enrichment: false + reasoning: >- + The action is a mutation action (deleting an attachment) and does not fetch + data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -67,32 +106,56 @@ Delete Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It extracts parameters + directly from the action configuration using `siemplify.extract_action_param`. Delete Message: - ai_description: "### General Description\nThe **Delete Message** action allows security\ - \ analysts to programmatically remove specific email messages from one or more\ - \ Microsoft 365 mailboxes. This is primarily used for incident response, such\ - \ as removing phishing emails or malicious attachments from user inboxes after\ - \ they have been identified. The action interacts with the Microsoft Graph API\ - \ to perform a hard delete of the specified message.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Message ID** | string | Yes | The unique identifier of the email message to\ - \ be deleted. This is typically retrieved from previous search or listing actions.\ - \ |\n| **User ID** | string | Yes | The email address (userPrincipalName) or unique\ - \ ID of the user whose mailbox contains the message. This parameter supports a\ - \ comma-separated list (CSV) to target multiple mailboxes simultaneously. |\n\n\ - ### Flow Description\n1. **Authentication**: The action initializes a connection\ - \ to the Microsoft Graph Security API using the configured Client ID, Secret/Certificate,\ - \ and Tenant ID.\n2. **Input Parsing**: It retrieves the `Message ID` and `User\ - \ ID` from the action parameters. If the `User ID` contains commas, it is split\ - \ into a list of individual users.\n3. **API Execution**: For each user provided,\ - \ the action sends a `DELETE` request to the Microsoft Graph endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}`.\n\ - 4. **Result Processing**: The action checks the HTTP response status. A `204\ - \ No Content` status indicates a successful deletion. \n5. **Finalization**:\ - \ The action reports the overall success or failure and attaches the raw JSON\ - \ response data to the action results in Google SecOps.\n\n### Additional Notes\n\ - - This action performs a permanent deletion of the message.\n- If multiple User\ - \ IDs are provided via CSV, the action will attempt to delete the message with\ - \ the same `Message ID` from every specified mailbox." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: true + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a message from a user's mailbox, which directly matches the + 'Delete Email' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + General Description: This action deletes a specific message from a user's mailbox + using the Microsoft Graph API. It is designed to remove unwanted or malicious + emails from one or more user mailboxes based on the provided Message ID and User + ID. Parameters Description: | Parameter | Type | Mandatory | Description | | --- + | --- | --- | --- | | Message ID | string | Yes | The unique identifier of the + message to be deleted. | | User ID | string | Yes | The email address or user + principal name of the user whose mailbox contains the message. Supports CSV input + to delete from multiple mailboxes. | Flow Description: 1. The action extracts + the necessary integration configuration (Client ID, Secret ID, Tenant ID, and + Certificate details) and action parameters (User ID, Message ID). 2. It initializes + the Microsoft Graph Security Manager using the provided credentials. 3. It executes + a DELETE request to the Microsoft Graph API endpoint for the specified user and + message ID. 4. The action returns the result of the deletion operation, indicating + success or failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,12 +164,18 @@ Delete Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes email messages from specified user mailboxes in Microsoft 365 using - the Microsoft Graph API. + Deletes a message from a user's mailbox in Microsoft Graph. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Microsoft Graph API to remove a + message from a user's mailbox. It does not fetch data, update internal SOAR + entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a mutation action (deletion) and does not retrieve data for enrichment + purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -122,14 +191,50 @@ Delete Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize siemplify.target_entities. It operates on parameters + provided directly by the user. Get Message: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a specific email message from the mail server. This aligns + with the 'Search Email' category, which involves identifying and retrieving + email data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: true + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves the full details of a specific email message from a user's Microsoft - 365 inbox using the Microsoft Graph API. This action is primarily used for forensic - investigation and incident response to inspect the content, headers, and metadata - of a specific email. + Retrieves a specific email message from a user's inbox using the Microsoft Graph + API. This action authenticates with the Microsoft Graph API using the provided + integration credentials, then executes a GET request to fetch the message details + based on the provided User ID and Message ID. The retrieved message data is returned + as a JSON result in the action output. ### Parameters Description @@ -139,32 +244,28 @@ Get Message: | :--- | :--- | :--- | :--- | | User ID | string | Yes | The email address or userPrincipalName of the user - whose inbox contains the message. | + whose inbox to search. | - | Message ID | string | Yes | The unique identifier of the specific email message - to retrieve from the Microsoft Graph API. | + | Message ID | string | Yes | The unique identifier of the message to retrieve. + | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes the Microsoft Graph Security Manager - using the integration's configuration parameters (Client ID, Secret/Certificate, - and Tenant ID). + There are no additional notes for this action. - 2. **Parameter Extraction**: It extracts the `User ID` and `Message ID` provided - as action inputs. - 3. **Data Retrieval**: It performs a GET request to the Microsoft Graph endpoint - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}`. + ### Flow Description - 4. **Result Processing**: The retrieved message data is added to the action's - JSON results and the execution is marked as completed. + 1. Extracts `User ID` and `Message ID` from the action parameters. + 2. Authenticates with the Microsoft Graph API using the configured integration + credentials. - ### Additional Notes + 3. Sends a GET request to the Microsoft Graph API to retrieve the specified message + details. - This action does not operate on SecOps entities (like IP or Hostname) but instead - uses explicit input parameters to target a specific message in a specific mailbox. + 4. Returns the message data as a JSON result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -175,8 +276,17 @@ Get Message: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve message + details. It does not modify any external systems or internal SecOps data (no + entity updates, insights, or comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves data (a message) but does not perform any of the allowed + internal mutations (add comments, create insights, update entities) to enrich + an entity or alert. Therefore, it does not meet the strict criteria for an Enrichment + Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -192,55 +302,92 @@ Get Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses parameters provided directly in the + action configuration. Get User MFA: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves MFA registration details for a user, which provides contextual + metadata about the user's security posture. This matches 'Enrich Asset'. It + also searches for the user/asset, matching 'Search Asset'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves Multi-Factor Authentication (MFA) registration and status details for - users from Microsoft Graph. This action is designed to provide visibility into - a user's security posture by checking if they have MFA enabled, registered, and - which authentication methods are in use. It targets a specific email provided - as a parameter and also processes email-based entities within the case. + This action retrieves Multi-Factor Authentication (MFA) registration statistics + for a specified user email address from Microsoft Graph. It can also process email-like + entities found within the current case to provide a comprehensive view of MFA + status across multiple users. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extracts configuration parameters (Client ID, Secret ID, Tenant ID, etc.) and + action parameters (User Email, Create Insight). - | :--- | :--- | :--- | :--- | + 2. Initializes the Microsoft Graph Security manager to authenticate and connect + to the Microsoft Graph API. - | User Email | String | Yes | The primary User Principal Name (UPN) to query. - This will always be the first result in the output JSON. | + 3. Retrieves MFA registration statistics for the provided `User Email`. - | Create Insight | Boolean | No | If enabled, the action will create a detailed - insight in the case for every user found with MFA statistics. | + 4. If `Create Insight` is enabled, it generates a case insight containing the + MFA statistics for the provided email. + 5. Iterates through all `target_entities` in the case, identifying those that + appear to be email addresses (containing an '@' symbol). - ### Flow Description + 6. Retrieves MFA statistics for each identified email entity. + + 7. If `Create Insight` is enabled, it generates a case insight for each identified + email entity. + + 8. Aggregates all retrieved MFA statistics and returns them as a JSON result. - 1. **Authentication**: Establishes a connection to the Microsoft Graph API using - the configured Client ID, Secret, and Tenant ID. - 2. **Primary Query**: Fetches MFA registration details for the specific email - provided in the 'User Email' parameter. + ### Parameters Description - 3. **Entity Processing**: Scans all entities associated with the current case. - For any entity whose identifier contains an '@' symbol (identifying it as a potential - email/UPN), the action performs a lookup for its MFA status. + | Parameter | Type | Mandatory | Description | - 4. **Insight Generation**: If 'Create Insight' is set to true, the action generates - a formatted insight for the primary user and each discovered entity, detailing - registration status, enablement, and authentication methods. + | :--- | :--- | :--- | :--- | - 5. **Results**: Aggregates all found MFA records into a JSON result and completes - the execution. + | User Email | string | Yes | The email address to search for (userPrincipalName). + Valid target entities (emails) will also be checked. | + + | Create Insight | boolean | No | If true, creates a case insight for each email + checked with MFA stats. | ### Additional Notes - The action utilizes the Microsoft Graph Beta endpoint (`/beta/reports/credentialUserRegistrationDetails`) - to retrieve comprehensive MFA data. The JSON result will always return the 'User - Email' input first at index zero. + The action filters entities by checking if the identifier contains an '@' symbol. capabilities: can_create_case_comments: false can_create_insight: true @@ -251,46 +398,20 @@ Get User MFA: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing MFA registration details (isRegistered, isEnabled, - isCapable, authMethods) if the 'Create Insight' parameter is enabled. + Creates case insights for the retrieved MFA statistics. + reasoning: >- + The action fetches MFA statistics from Microsoft Graph for a specific user email + and optionally for email-like entities in the case. It creates case insights + if configured. It does not mutate external data. categories: enrichment: true + reasoning: >- + The action fetches contextual data (MFA stats) about users and adds insights + to the case. It does not mutate external systems. This fits the definition of + an enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -305,51 +426,79 @@ Get User MFA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them by checking + if the identifier contains an '@' symbol. It does not filter by specific entity + types or other attributes. List Attachments: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of attachments from a specific email message. This + does not align with the provided categories, as it is not searching for emails, + enriching IOCs/assets, or performing containment/ticket actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **List Attachments** action retrieves metadata for all attachments associated - with a specific email message in a user's mailbox using the Microsoft Graph API. - This action is primarily used for forensic analysis and automated investigation - to identify files (such as malicious documents or executables) sent via email. + Retrieves a list of attachment objects from a specific email message in Microsoft + Graph. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extracts the `User ID` (userPrincipalName) and `Message ID` from the action + parameters. - | :--- | :--- | :--- | :--- | + 2. Authenticates with the Microsoft Graph API using the provided integration credentials + (Client ID, Secret/Certificate, Tenant ID). - | **User ID** | String | Yes | The user's principal name (UPN/email address) or - unique Azure AD identifier. | + 3. Queries the Microsoft Graph API endpoint `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments` + to fetch the list of attachments. - | **Message ID** | String | No | The unique identifier of the message from which - to retrieve attachments. Note: While marked as non-mandatory in configuration, - the API request requires this ID to successfully locate the message. | + 4. Returns the retrieved attachment data as a JSON result to the action output. - ### Additional Notes + ### Parameters - This action performs a read-only operation and does not download the actual file - content; it retrieves the attachment objects (metadata) which typically include - the name, size, and content type. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | User ID | string | Yes | The email address (userPrincipalName) of the user. + | - 1. **Authentication**: The action initializes the Microsoft Graph Security Manager - using the provided integration credentials (Client ID, Secret/Certificate, and - Tenant ID). + | Message ID | string | No | The ID of the message to retrieve the attachment + list from. | - 2. **Input Extraction**: It extracts the `User ID` and `Message ID` from the action - parameters. - 3. **API Execution**: It sends a GET request to the Microsoft Graph endpoint: - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments`. + ### Additional Notes - 4. **Data Output**: The resulting list of attachment objects is returned as a - JSON object and added to the action's execution results. + This action is a read-only operation that fetches data from Microsoft Graph. It + does not modify any external or internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -360,8 +509,16 @@ List Attachments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve attachment + metadata for a specific email message. It does not modify any external or internal + data, nor does it operate on SOAR entities. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves data (attachments) from an external system (Microsoft Graph) + but does not operate on SOAR entities or update internal SOAR data. Therefore, + it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -377,48 +534,73 @@ List Attachments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses direct parameters provided by the user. List Mail Rules: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves mail rules for a user's inbox, which is contextual metadata + for a resource. This matches the `enrich_asset` category. It does not perform + any other actions like updating alerts, tickets, or blocking IOCs. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Mail Rules** action retrieves all message rules (messageRule objects) - defined for a specific user's Inbox in Microsoft 365. This action is useful for - security investigations to identify suspicious mail forwarding, deletion, or redirection - rules that might indicate account compromise or data exfiltration. + Retrieves all message rule objects defined for a user's inbox using the Microsoft + Graph API. This action allows analysts to inspect mail forwarding or filtering + rules configured on a specific user's account. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **User ID** | The `userPrincipalName` (typically the email address) of the user - whose inbox rules you want to retrieve. | String | Yes | + | User ID | string | True | The email address (userPrincipalName) of the user + whose mail rules are to be retrieved. | ### Flow Description - 1. **Authentication**: The action initializes a connection to the Microsoft Graph - API using the provided Client ID, Secret/Certificate, and Tenant ID from the integration - configuration. - - 2. **Parameter Extraction**: It retrieves the target `User ID` from the action - input. + 1. Extract integration configuration parameters (Client ID, Secret ID, Tenant + ID, Certificate details). - 3. **Data Retrieval**: It calls the Microsoft Graph API endpoint `GET /users/{id}/mailFolders/inbox/messageRules` - to fetch the list of rules. + 2. Extract the `User ID` parameter. - 4. **Result Processing**: The retrieved list of mail rules is attached to the - action's result as a JSON object, and the action completes successfully. - - - ### Additional Notes + 3. Authenticate with Microsoft Graph using the provided credentials. - * This action is read-only and does not modify any settings in the user's mailbox. + 4. Query the Microsoft Graph API for the inbox message rules associated with the + specified `User ID`. - * The output includes rule details such as conditions, actions (e.g., move to - folder, delete), and whether the rule is enabled. + 5. Return the retrieved mail rules as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -429,8 +611,16 @@ List Mail Rules: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve mail + rules. It does not perform any POST/PUT/DELETE operations (no external mutation). + It does not update any internal SOAR data (entities, insights, comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data, but it does not operate on `target_entities` or update + internal SOAR data (entities, insights, comments). Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -446,60 +636,82 @@ List Mail Rules: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code takes a `User ID` as a parameter but does not iterate over the `target_entities` + list provided by the SOAR platform. Therefore, it does not run on entities. List Messages: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of messages from a user's mailbox, which directly + matches the 'Search Email' category. It does not perform any other actions like + blocking, ticket creation, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: true + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Messages** action retrieves a list of email messages from a specified - user's mailbox using the Microsoft Graph API. This action is primarily used for - investigative purposes, allowing analysts to search for specific emails or list - recent activity within a mailbox without modifying the content. + This action retrieves a list of messages from a specific user's mailbox using + the Microsoft Graph API. It allows for filtering and selecting specific fields + to refine the returned data, providing visibility into email communications for + investigation purposes. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The User ID or userPrincipalName (email address) - of the target mailbox. | + | User ID | string | Yes | The email address (userPrincipalName) of the user whose + mailbox messages are to be listed. | - | **Select Filter** | String | No | A comma-separated list of specific message - fields to return (e.g., `subject,sender,receivedDateTime`). If omitted, default - fields are returned. | + | Select Filter | string | No | A CSV list of fields to return (e.g., 'sender,subject'). + | - | **Query Parameters** | String | No | OData query parameters used to filter the - results. It should begin with `$` (e.g., `$filter=subject eq 'Urgent'`). | + | Query Parameters | string | No | OData query parameters to filter or sort the + results (e.g., '$filter=subject eq \'test\''). Must begin with '$'. | ### Flow Description - 1. **Authentication**: The action establishes a session with Microsoft Graph using - the integration's Client ID, Secret, and Tenant ID. - - 2. **Parameter Processing**: It extracts the target User ID and any optional OData - query or selection filters provided by the user. - - 3. **Request Construction**: The action builds a GET request targeting the `/users/{user_id}/messages` - endpoint, incorporating the `$select` and `$filter` parameters into the query - string. + 1. **Initialization**: The action extracts integration configuration (Client ID, + Secret ID, Tenant ID, Certificate details) and action parameters (User ID, Select + Filter, Query Parameters). - 4. **Data Retrieval**: It executes the API call to fetch the message data from - the Microsoft 365 environment. + 2. **Authentication**: Initializes the `MicrosoftGraphSecurityManager` to authenticate + with Microsoft Graph using the provided credentials. - 5. **Result Processing**: The retrieved list of messages is formatted and added - to the action's JSON results, making the data available for subsequent playbook - steps. + 3. **Execution**: Calls the `list_messages` method, which constructs the API request + to the Microsoft Graph endpoint (`/users/{user_email}/messages`) with the specified + filters and query parameters. - - ### Additional Notes - - - This action is a read-only operation and does not impact the state of the mailbox - or the messages within it. - - - Ensure that the OData syntax in the `Query Parameters` field follows Microsoft - Graph specifications to avoid API errors. + 4. **Output**: The retrieved message data is added to the action result as a JSON + object, and the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -510,8 +722,16 @@ List Messages: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve email + messages. It does not modify any external systems, nor does it update internal + SOAR entities or case data. It is a read-only operation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (messages) from an external source (Microsoft Graph) + without modifying any external or internal state. This aligns with the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -527,30 +747,93 @@ List Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It takes a 'User ID' as a direct + input parameter to identify the mailbox to query, rather than iterating over + `target_entities`. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Microsoft Graph Security API. Its primary purpose is to\ - \ ensure that the provided credentials (Client ID, Secret ID, Tenant ID, or Certificates)\ - \ are valid and that the system can successfully establish a secure session with\ - \ Microsoft's identity platform.\n\n### Parameters Description\nThis action does\ - \ not require any input parameters. It utilizes the global configuration settings\ - \ defined at the integration level.\n\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action has no input\ - \ parameters. |\n\n### Additional Notes\n- The action attempts to generate an\ - \ OAuth2 access token. If successful, it confirms that the integration is correctly\ - \ configured.\n- It supports both Client Secret and Certificate-based authentication\ - \ based on the integration's configuration.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval:** The action extracts the integration's configuration parameters,\ - \ including Client ID, Secret ID, Tenant ID, and certificate details.\n2. **Manager\ - \ Initialization:** It initializes the `MicrosoftGraphSecurityManager` using the\ - \ retrieved credentials.\n3. **Authentication Request:** The manager attempts\ - \ to authenticate with the Microsoft Graph API by requesting an access token via\ - \ a POST request to the Microsoft identity endpoint.\n4. **Execution Outcome:**\ - \ \n - If the token is successfully acquired, the action concludes with a 'Connection\ - \ Established' message and a success status.\n - If an exception occurs (e.g.,\ - \ network error, invalid credentials), the action logs the error and returns a\ - \ failure status." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action performs a connectivity test (Ping) to the Microsoft Graph Security + API. It validates the provided credentials by attempting to generate an access + token, ensuring that the integration is correctly configured and able to communicate + with the Microsoft Graph Security service. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client ID | String | Yes | The Application ID for the Microsoft Graph Security + integration. | + + | Secret ID | String | Yes | The application secret for the Microsoft Graph Security + integration. | + + | Tenant ID | String | Yes | The domain name from the Azure portal. | + + | Certificate Path | String | No | Path to the certificate on the Siemplify server + if using certificate-based authentication. | + + | Certificate Password | String | No | Password for the certificate if it is password-protected. + | + + + ### Additional Notes + + Either Client Secret or Certificate authentication must be configured for the + action to run. This action does not perform any data retrieval or modification + operations. + + + ### Flow Description + + 1. The action extracts the required configuration parameters (Client ID, Secret + ID, Tenant ID, Certificate Path, and Certificate Password). + + 2. It initializes the `MicrosoftGraphSecurityManager` using the provided credentials. + + 3. The manager attempts to authenticate with the Microsoft Graph Security API. + + 4. If authentication is successful, the action returns a success message and a + result value of "true". + + 5. If an exception occurs during initialization or authentication, the action + returns a failure message and a result value of "false". capabilities: can_create_case_comments: false can_create_insight: false @@ -561,8 +844,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the Microsoft Graph Security + API. It validates credentials by attempting to generate an access token. It + does not fetch contextual data, mutate external systems, or modify internal + SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -578,3 +869,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + check using configuration parameters. diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..e34a4f037 --- /dev/null +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,124 @@ +MS SecureScore Alert: + ai_description: >- + ### General Description + + This connector monitors the Microsoft 365 Secure Score via the Microsoft Graph + Security API. It allows security teams to define a threshold; if the organization's + Secure Score falls below this value, the connector automatically generates an + alert within Google SecOps, enabling proactive remediation of security posture + degradation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Threshold | Integer | No | The Secure Score threshold. An alert is raised if + the score drops below this value. | + + | Tenant ID | String | Yes | The Azure Tenant ID. | + + | Secret ID | Password | Yes | The Azure Secret ID. | + + | Client ID | String | Yes | The Azure Client ID. | + + | Certificate Path | String | No | Path to the certificate file on the Siemplify + server (if using certificate-based authentication). | + + | Certificate Password | Password | No | Password for the certificate file. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the Python + process. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Default Priority | Integer | Yes | The default priority for the alert (-1 to + 100). | + + + ### Flow Description + + 1. Authenticates with the Microsoft Graph Security API using the provided Client + ID and Secret (or Certificate). + + 2. Retrieves the current Secure Score from the Microsoft 365 environment. + + 3. Compares the current score against the user-defined Threshold. + + 4. If the score is below the threshold, it constructs an alert containing relevant + metrics, including active user counts, enabled services, and comparative industry/tenant + averages. + + 5. Ingests the generated alert into the Google SecOps platform for further investigation. +MS365 MFA Alert: + ai_description: >- + ### General Description + + The MS365 MFA Alert connector monitors Microsoft 365 user MFA registration status. + It retrieves credential registration details from the Microsoft Graph API and + generates alerts in Google SecOps for users who are not registered for MFA or + have self-service password reset capabilities enabled, helping security teams + identify potential account vulnerabilities. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tenant ID | String | Yes | Tenant ID from Azure. | + + | Secret ID | Password | Yes | Secret ID from Azure. | + + | Client ID | String | Yes | Client ID from Azure. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Self Service Reset Alert | Boolean | No | Create alert when a user has the ability + to self-service reset their password/MFA. | + + | MFA Registration Alert | Boolean | No | Create alert when a user is not registered + for MFA. | + + | Exclude Guests | Boolean | No | Exclude guests/external users from alerts (emails + containing #EXT#). | + + | Certificate Path | String | No | Path to the certificate on the Siemplify server + for certificate-based authentication. | + + | Certificate Password | Password | No | Password for the certificate file, if + applicable. | + + + ### Flow Description + + 1. Authenticates with the Microsoft Graph API using the provided Client ID/Secret + or Certificate credentials. + + 2. Retrieves user MFA registration statistics from the `credentialUserRegistrationDetails` + endpoint. + + 3. Iterates through the retrieved user data, applying filters to exclude guests + if configured. + + 4. Checks each user against the system allowlist. + + 5. Evaluates if the user meets the criteria for an alert (e.g., not registered + for MFA or has self-service reset enabled). + + 6. Creates and ingests an alert into Google SecOps for each user matching the + criteria. diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a341e5175 --- /dev/null +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: true + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The integration provides capabilities across Email Security, IAM & Identity Management, + Cloud Security, and SIEM. It includes multiple actions for managing email messages + and attachments (e.g., Delete Message, Get Message, List Messages), which directly + supports Email Security investigations and remediation. The integration monitors + identity-related security posture, such as MFA registration and self-service password + reset capabilities, aligning with IAM & Identity Management. It interacts with + Microsoft 365/Azure via the Microsoft Graph API to monitor cloud-native security + configurations like Secure Score, fitting the Cloud Security category. Finally, + the connectors ingest security alerts into the platform based on these findings, + which fulfills the SIEM category for monitoring and alerting. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml index bdfa19a92..e03246a82 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml @@ -1,48 +1,53 @@ GetIPs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a feed of active threat intelligence data from an external + API. It does not match any of the specific categories like 'Enrich IOC', 'Enrich + Asset', 'Search Events', or 'Get Alert Information' as it is a general-purpose + data retrieval action for a threat feed. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **GetIPs** action retrieves a feed of active cyber threat intelligence from - the Nucleon Cyber Active Threats API. It is designed to provide security teams - with a list of recently collected malicious or suspicious IP addresses and associated - metadata to be used for further analysis or automated blocking in a playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **limit** | String | Yes | Specifies the maximum number of threat records to - retrieve from the API. Default is "10". | - - - ### Additional Notes - - - This action requires valid Nucleon Cyber credentials (Username, Password, Client - Name, and Client ID) configured at the integration level. - - - The action does not process specific entities from the SOAR case; instead, it - fetches a global feed of data. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the necessary API credentials - and the `limit` parameter. - - 2. **API Request**: It performs a POST request to the Nucleon Cyber `activethreats` - endpoint using Basic Authentication. - - 3. **Error Handling**: The script checks for successful authentication and valid - response codes. If authentication fails or the data section is missing, it raises - an exception. - - 4. **Data Processing**: The "data" section of the JSON response is extracted. - - 5. **Output Generation**: The retrieved threat data is added to the action's JSON - results, making it available for downstream playbook tasks. + ### General Description\nThis action retrieves active threat intelligence data + from the Nucleon Cyber API. It is designed to fetch a feed of cyber intelligence, + which can then be used in subsequent playbook steps for analysis or automated + response.\n\n### Parameters Description\n* **limit** (string, mandatory): Specifies + the maximum number of threat intelligence records to retrieve from the API. The + default value is '10'.\n\n### Flow Description\n1. The action extracts the necessary + integration configuration parameters, including 'Username', 'Password', 'client + name', and 'client id', as well as the 'limit' parameter.\n2. It initiates a POST + request to the Nucleon Cyber Active Threats API endpoint ('https://api.nucleoncyber.com/feed/activethreats') + using the provided credentials and parameters.\n3. The action validates the API + response status. If the status is not 200, it raises an authentication error.\n4. + It parses the JSON response to extract the 'data' section.\n5. The retrieved threat + intelligence data is added to the action results using 'siemplify.result.add_result_json' + and 'siemplify.result.add_json' for use in the playbook.\n6. The action concludes + with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,8 +58,16 @@ GetIPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to fetch threat intelligence + data. It does not mutate external systems, nor does it modify internal SOAR + data (entities, insights, or case comments). It is a data retrieval action. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Nucleon Cyber API) but does + not perform enrichment on specific entities or alerts. It is a global data retrieval + action, not an enrichment action as defined by the SOAR SDK guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -70,20 +83,70 @@ GetIPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with 'siemplify.target_entities'. It operates globally + to fetch a threat intelligence feed. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description The Ping action is designed to verify the connectivity - between Google SecOps and the NucleonCyber API. It ensures that the provided credentials - and client identifiers are valid and that the service is reachable. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | limit | String | Yes | Specifies the maximum number of results to request - from the API during the connectivity test. | ### Flow Description 1. Configuration - Retrieval: The action fetches the integration's global settings, including the - Username, Password, Client Name, and Client ID. 2. Parameter Extraction: It retrieves - the limit parameter from the action input. 3. API Request: It executes a POST - request to the NucleonCyber activethreats endpoint using Basic Authentication. - 4. Validation: The action checks if the API returns a HTTP 200 status code. 5. - Completion: If successful, it reports a Successful Connection. + General Description: This action verifies connectivity to the NucleonCyber API + by sending a POST request to the `activethreats` endpoint. It validates the provided + credentials and configuration parameters. + + + Parameters description: + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | limit | string | Yes | Specifies the limit for API results. | + + + Additional notes: None. + + + Flow description: + + 1. Extracts configuration parameters (Username, Password, client name, client + id) and the action parameter `limit`. + + 2. Sends a POST request to the NucleonCyber API endpoint (`https://api.nucleoncyber.com/feed/activethreats`) + using the provided credentials and parameters. + + 3. Validates the response status code to ensure the connection is successful. + + 4. Terminates the action with a success message if the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -94,8 +157,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to the NucleonCyber API. It + does not fetch contextual data for entities, nor does it mutate external or + internal systems. It simply validates credentials and connectivity. categories: enrichment: false + reasoning: >- + The action is a 'Ping' (connectivity test). Per the instructions, Ping actions + are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -111,3 +181,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..1ee00d679 --- /dev/null +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Nucleon Cyber integration is primarily designed to provide high-quality threat + intelligence feeds to secure environments against APTs and professional hacking + groups. The 'GetIPs' action retrieves active threat intelligence data from the + Nucleon Cyber API, which directly aligns with the Threat Intelligence category's + purpose of providing enrichment data (such as risk scores or threat indicators) + to confirm if an alert is a True Positive. The integration does not perform actions + related to SIEM log searching, EDR host management, network security blocking, + email management, identity management, cloud resource configuration, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification + workflows. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml index 84d3c8195..af2dbd3b7 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml @@ -1,11 +1,42 @@ Create Incident: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a POST request to the PagerDuty API to create a new incident. + This aligns with the 'Create Ticket' category, as it generates a new record + in an external system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a new incident in PagerDuty. It is used to programmatically - trigger incident response workflows by providing specific details such as title, - urgency, and description. The incident is associated with a specific service defined - in the integration configuration. + This action creates a new incident in PagerDuty using the provided details, title, + email, and urgency level. It interacts with the PagerDuty API to generate a new + incident record based on the parameters supplied by the user. ### Parameters Description @@ -14,40 +45,36 @@ Create Incident: | :--- | :--- | :--- | :--- | - | Details | String | Yes | Detailed information about the incident, such as logs - or investigation context. | + | Details | string | Yes | The description or body of the incident. | - | Title | String | Yes | A concise summary of the incident. | + | Title | string | Yes | The title of the incident. | - | Email | String | Yes | The email address of the PagerDuty user creating the - incident. This is used for attribution in PagerDuty. | + | Email | string | Yes | The email address of the user creating the incident (used + for the 'From' header). | - | Urgency | String | Yes | The urgency level of the incident (e.g., 'high' or - 'low'). | + | Urgency | string | Yes | The urgency level of the incident. | ### Additional Notes - - The **Service ID** used to create the incident is retrieved from the 'Services' - parameter in the integration configuration. - - - The action returns the full JSON response from PagerDuty, including the incident - number and ID. + This action requires a valid PagerDuty API token and a configured Service ID in + the integration settings to function correctly. ### Flow Description - 1. **Initialization**: Retrieves the API token and Service ID from the PagerDuty - integration configuration. + 1. Initialize the `PagerDutyManager` with the API token retrieved from the integration + configuration. + + 2. Extract the required parameters (Title, Email, Urgency, Details) and the Service + ID from the configuration. - 2. **Input Collection**: Captures the Title, Email, Urgency, and Details from - the action parameters. + 3. Execute the `create_incident` method, which sends a POST request to the PagerDuty + `/incidents` endpoint. - 3. **API Request**: Sends a POST request to the PagerDuty `/incidents` endpoint - with the incident payload. + 4. Add the resulting incident data to the action result. - 4. **Completion**: Processes the API response, attaches the incident data to the - action results, and marks the action as completed. + 5. Terminate the action with a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -56,12 +83,19 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the PagerDuty platform via the /incidents API - endpoint. + Creates a new incident in the PagerDuty platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an incident in PagerDuty, which + is an external mutation. It does not fetch data, update entities, or modify + internal SOAR data. categories: enrichment: false + reasoning: >- + The action creates a new incident in an external system (PagerDuty) and does + not retrieve contextual data for enrichment, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -77,14 +111,50 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies entirely on user-provided parameters to create an incident + in PagerDuty. Filtered Incident List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves a list of incidents from PagerDuty based on search criteria. + This matches 'Search Events' (as it returns a collection of historical logs/telemetry/incidents) + and 'Get Alert Information' (as it fetches information about incidents/alerts + from the 3rd party product). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Filtered Incident List** action retrieves a list of incidents from PagerDuty - based on a variety of user-defined filters. It allows security analysts to search - for specific incidents by status, urgency, assigned users, teams, or specific - timeframes, providing a flexible way to query PagerDuty data directly from a playbook. + Retrieves a filtered list of incidents from PagerDuty based on user-defined criteria + such as status, urgency, and time range. This action queries the PagerDuty API + and returns the matching incident records for further analysis. ### Parameters Description @@ -93,70 +163,52 @@ Filtered Incident List: | :--- | :--- | :--- | :--- | - | **Email** | String | Yes | The email address of the PagerDuty user. While mandatory - for the action configuration, it is primarily used for auditing and header requirements - in PagerDuty API interactions. | + | Email | String | Yes | The email address associated with the PagerDuty account. + | - | **Additional_Data** | Multi-select | No | Specifies additional details to include - in the response, such as 'users', 'services', 'assignees', or 'teams'. | + | Urgencies | Multi-choice | No | Filter incidents by urgency (e.g., low, high). + | - | **sort_by** | Multi-select | No | Determines the field to sort by (e.g., incident_number, - created_at) and the order (asc, desc). | + | Incidents_Statuses | Multi-choice | No | Filter incidents by status (e.g., triggered, + acknowledged, resolved). | - | **Urgencies** | Multi-select | No | Filters the results by incident urgency - level (low or high). | + | Since | String | No | Start date for the filter (YYYY-MM-DD). | - | **User_IDS** | String | No | Filters incidents assigned to specific user IDs. - Can be provided as a single ID or a JSON-formatted list of IDs. | + | Until | String | No | End date for the filter (YYYY-MM-DD). | - | **Team_IDS** | String | No | Filters incidents associated with specific team - IDs. Supports JSON-formatted lists. | + | Service_IDS | String | No | Filter by specific service IDs. | - | **Incident_Key** | String | No | Filters results by a specific PagerDuty incident - key. | + | Team_IDS | String | No | Filter by specific team IDs. | - | **Incidents_Statuses** | Multi-select | No | Filters incidents by their current - state: triggered, acknowledged, or resolved. | + | User_IDS | String | No | Filter by specific user IDs. | - | **Since** | String | No | The start date for the incident search (format: YYYY-MM-DD). - | + | Incident_Key | String | No | Filter by a specific incident key. | - | **Until** | String | No | The end date for the incident search (format: YYYY-MM-DD). - | + | Data_Range | String | No | Filter by a specific data range. | - | **Data_Range** | String | No | A predefined data range filter for the query. - | + | sort_by | Multi-choice | No | Sort the results by field (e.g., incident_number, + created_at) and order (asc, desc). | - | **Service_IDS** | String | No | Filters incidents associated with specific service - IDs. | + | Additional_Data | Multi-choice | No | Additional details to include in the response. + | ### Additional Notes - - Parameters that accept multiple values (like `User_IDS` or `Team_IDS`) can be - passed as a standard string or a JSON array string (e.g., `["P123", "P456"]`). - - - The action performs a read-only query and does not modify any incident data - in PagerDuty. + This action performs a GET request to the PagerDuty API. Ensure the API key is + correctly configured in the integration settings. ### Flow Description - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token from the integration configuration. + 1. Extracts filter parameters (e.g., `Urgencies`, `Incidents_Statuses`, `Since`, + `Until`) from the action configuration. - 2. **Parameter Parsing**: It extracts all input parameters and processes them, - converting JSON-formatted strings into Python lists and removing empty values. + 2. Constructs a query dictionary based on the provided filters. - 3. **Query Construction**: A dictionary of filter parameters is constructed, mapping - SOAR inputs to PagerDuty API query keys (e.g., `statuses[]`, `service_ids[]`). + 3. Sends a GET request to the PagerDuty API to fetch the filtered list of incidents. - 4. **API Execution**: The action sends a GET request to the PagerDuty `/incidents` - endpoint with the constructed query parameters. - - 5. **Result Handling**: The retrieved list of incidents is attached to the action's - result as a JSON object, and the execution status is updated based on whether - incidents were found. + 4. Adds the retrieved incident data to the action result for the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,8 +219,18 @@ Filtered Incident List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + incidents based on provided filters. It does not modify any external data, nor + does it update any internal SOAR entities or insights. It simply fetches and + returns data. categories: enrichment: false + reasoning: >- + The action is a search/list operation. It does not perform enrichment on specific + entities (it does not iterate over `target_entities`), nor does it meet the + criteria for an enrichment action as defined (it doesn't update entities or + create insights). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -184,50 +246,80 @@ Filtered Incident List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates independently + of any specific entity context. Get Incident By ID: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches incident details from PagerDuty. This directly aligns with + the 'Get Alert Information' category, which is defined as fetching information + about an alert or incident from a 3rd party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves detailed information about a specific PagerDuty incident using its unique - Incident Key. This action is primarily used to fetch the current status, urgency, - and metadata of an incident from PagerDuty to provide context within a Google - SecOps case. + This action retrieves detailed information about a specific incident from PagerDuty. + It allows analysts to fetch the full incident payload, including status, urgency, + and body details, by providing the unique incident key. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the `Incident Key` and `Email` parameters provided by the + user. - | :--- | :--- | :--- | :--- | + 2. It initializes the PagerDuty manager using the configured API token. - | Incident Key | String | Yes | The unique identifier (Incident Key) of the PagerDuty - incident to retrieve. | + 3. It queries the PagerDuty API to retrieve the incident details associated with + the provided key. - | Email | String | Yes | The email address of the PagerDuty user performing the - action. This is required for the 'From' header in PagerDuty API requests. | + 4. The retrieved incident data is returned as a JSON result in the action output. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action extracts the `Incident Key` and `Email` from - the input parameters and retrieves the API token from the integration configuration. + | Parameter | Type | Mandatory | Description | - 2. **API Request**: The action calls the PagerDuty API's `/incidents` endpoint - using a GET request, passing the user's email in the 'From' header. + | :--- | :--- | :--- | :--- | - 3. **Data Processing**: The script receives a list of incidents and iterates through - them to find the specific entry where the `incident_key` matches the provided - input. + | Incident Key | string | Yes | The unique identifier of the incident to retrieve. + | - 4. **Result Delivery**: If found, the incident details are returned as a JSON - object. If no match is found, the action completes with a 'No Incident Found' - message. + | Email | string | Yes | The email address used for authentication or identification + in the PagerDuty request. | ### Additional Notes - This action does not operate on SecOps entities (like IPs or Hostnames); it is - a standalone utility that relies on the provided `Incident Key` parameter. + This action performs a read-only operation and does not modify any data within + Google SecOps or PagerDuty. capabilities: can_create_case_comments: false can_create_insight: false @@ -238,8 +330,17 @@ Get Incident By ID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve incident + details. It does not modify any external systems (no POST/PUT/DELETE) and does + not modify any internal Google SecOps data (no entity updates, insights, or + case comments). categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not operate on SOAR entities or alerts + to provide enrichment context. It is a standalone utility action for retrieving + incident information, thus it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -255,14 +356,47 @@ Get Incident By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any specific + entity objects. It operates independently of the entity model. Get User By Email: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves user information from PagerDuty. This matches the 'Enrich + Asset' category (returning contextual metadata for a user). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get User By Email** action retrieves comprehensive details for a specific - user in PagerDuty using their email address. This action is primarily used to - fetch user-specific metadata such as user IDs, roles, contact methods, and team - associations from the PagerDuty platform. + This action retrieves user details from PagerDuty by providing a specific user + email address. It queries the PagerDuty API to find a matching user and returns + the user's information as a JSON result. ### Parameters Description @@ -271,36 +405,28 @@ Get User By Email: | :--- | :--- | :--- | :--- | - | **Email** | String | Yes | The exact email address of the PagerDuty user whose - information you want to retrieve. | + | Email | string | Yes | The email address of the user to retrieve from PagerDuty. + | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action extracts the `Email` parameter provided - in the action configuration. + - This action does not modify any data in PagerDuty or the SOAR platform. - 2. **API Initialization**: It initializes the PagerDuty manager using the integration's - API key. + - If no user is found with the provided email, the action will fail. - 3. **Data Retrieval**: The action performs a GET request to the PagerDuty `/users` - endpoint, using the email as a query parameter. - 4. **Exact Match Filtering**: Since the PagerDuty API may return partial matches, - the script iterates through the results to identify the user object that exactly - matches the provided email address. + ### Flow Description - 5. **Result Processing**: If a match is found, the user's full JSON profile is - added to the action results. If no user is found, the action returns a failure - state. + 1. Initialize the PagerDuty manager with the API key retrieved from the configuration. + 2. Retrieve the user email from the action parameters. - ### Additional Notes + 3. Query the PagerDuty API for users matching the provided email. - - This action does not operate on SecOps entities; it relies entirely on the manual - input of an email address. + 4. If a match is found, return the user details as a JSON result. - - The action is read-only and does not modify any data within PagerDuty. + 5. If no user is found, return a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,8 +437,17 @@ Get User By Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve user information. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data (user details) from an external system (PagerDuty) without + modifying any external or internal state. It does not meet the criteria for + 'Enrichment' because it does not update entities, create insights, or add comments. + It is a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -328,14 +463,48 @@ Get User By Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity + objects. It takes a raw string parameter `Email`. Get User By ID: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves user details from PagerDuty, which provides contextual + metadata about a user. This aligns with the 'Enrich Asset' category. It does + not perform any other actions like updating alerts, tickets, or blocking IOCs. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves detailed information for a specific user in PagerDuty using - their unique User ID. It is primarily used to fetch user metadata such as name, - email, time zone, role, and contact methods for further investigation or automation - logic within a playbook. + Retrieves user details from PagerDuty by providing a specific User ID. This action + fetches comprehensive user information from the PagerDuty platform and returns + it as a JSON result for further analysis or display within the SOAR platform. ### Parameters Description @@ -344,32 +513,23 @@ Get User By ID: | :--- | :--- | :--- | :--- | - | UserID | String | Yes | The unique identifier (ID) of the user in PagerDuty - whose information you want to retrieve. | - - - ### Additional Notes - - - This action does not run on entities; it requires a specific User ID provided - as a parameter. - - - The action returns the full user object as a JSON result if the ID is valid. + | UserID | string | Yes | The unique identifier of the user in PagerDuty. | ### Flow Description - 1. **Parameter Retrieval**: The action extracts the `UserID` from the input parameters - and the `api_key` from the integration configuration. + 1. Initialize the PagerDuty manager using the API key retrieved from the integration + configuration. - 2. **API Interaction**: It initializes the PagerDuty manager and performs a GET - request to the `/users/{id}` endpoint. + 2. Retrieve the `UserID` parameter provided by the user. - 3. **Data Processing**: If the user is found, the action extracts the user details - from the response. + 3. Call the PagerDuty API to fetch the user's details using the provided `UserID`. - 4. **Output**: The retrieved user data is attached to the action's JSON result, - and the action completes successfully. If the user is not found or an error occurs, - the action fails with an appropriate error message. + 4. If the user is found, return the user information as a JSON result and mark + the action as completed. + + 5. If the user is not found or an error occurs, return an error message and mark + the action as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -380,8 +540,16 @@ Get User By ID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve user information + based on a provided ID. It does not modify any external systems or internal + SOAR data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external system (PagerDuty) but does not operate + on SOAR entities (it uses a raw parameter). Therefore, it does not meet the + criteria for an Enrichment Action as defined for SOAR entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -397,42 +565,75 @@ Get User By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a direct + input parameter `UserID` to fetch data. List All OnCall: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of on-call users from PagerDuty. It does not match + any of the defined categories (e.g., Enrich IOC, Enrich Asset, Update Alert, + etc.) as it is a general information retrieval task that does not operate on + specific entities or alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List All OnCall** action retrieves a comprehensive list of all current on-call - entries from PagerDuty. This utility action is designed to provide visibility - into which personnel are currently active across various escalation policies, - schedules, and services within the PagerDuty environment. + This action retrieves the list of all on-call users and schedules from the PagerDuty + platform. It provides visibility into who is currently on-call, which can be useful + for incident response and escalation management. - ### Parameters Description + ### Parameters - There are no parameters for this action. + There are no parameters required for this action. - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the PagerDuty API manager using - the API key defined in the integration's configuration. + This action does not require any input entities and operates globally to fetch + on-call information from PagerDuty. - 2. **API Request**: It executes a GET request to the PagerDuty `/oncalls` endpoint - to retrieve the current on-call status for the entire organization. - 3. **Data Output**: The retrieved list of on-call records is processed and added - to the action's execution results as a JSON object. + ### Flow Description - 4. **Finalization**: The action completes with a success message if the data is - retrieved, or a failure message if the PagerDuty API returns an error or no data - is found. + 1. Initialize the `SiemplifyAction` and retrieve the PagerDuty API configuration. + 2. Initialize the `PagerDutyManager` with the provided API token. - ### Additional Notes + 3. Execute the `list_oncalls` method to fetch the current on-call data from the + PagerDuty API. + + 4. Add the retrieved on-call information to the action results using `add_result_json`. - This action does not operate on specific entities (like Hostnames or Users) within - the Google SecOps case; it fetches global organizational data from the external - PagerDuty service. + 5. Terminate the action with a success status if the data is retrieved, or a failure + status if an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -443,8 +644,15 @@ List All OnCall: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve on-call information. + It does not modify any external systems, nor does it update any internal SOAR + entities or cases. categories: enrichment: false + reasoning: >- + The action retrieves data from an external source but does not perform enrichment + on specific entities or alerts. It is a general information retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -460,44 +668,67 @@ List All OnCall: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it fetches a global list of + on-call users from PagerDuty. List Incidents: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves a list of incidents from PagerDuty. This matches the 'Get + Alert Information' category, as it fetches incident data from the 3rd party + product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Incidents** action retrieves a comprehensive list of all incidents - from the PagerDuty platform. It is primarily used for visibility and data retrieval, - allowing playbooks to access current incident data for reporting, cross-referencing, - or conditional logic based on the state of PagerDuty incidents. + This action retrieves a comprehensive list of all incidents from the PagerDuty + platform. It is designed to provide visibility into current incidents managed + within PagerDuty. ### Parameters Description - There are no input parameters for this action. It retrieves all incidents accessible - via the configured API token. - - - ### Additional Notes - - * This action does not require or process any specific entities from the Google - SecOps case. - - * The results are returned as a raw JSON array containing incident details such - as status, urgency, and service information. + There are no action parameters required for this action. ### Flow Description - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token provided in the integration configuration. + 1. Initialize the `SiemplifyAction` and retrieve the `api_key` from the integration + configuration. - 2. **Data Retrieval**: It performs a GET request to the PagerDuty `/incidents` - endpoint to fetch all active and historical incidents. + 2. Initialize the `PagerDutyManager` with the provided API key. - 3. **Processing**: The script captures the API response and checks for the presence - of incident data. + 3. Call the `get_all_incidents` method to fetch the list of incidents from PagerDuty. - 4. **Output**: The retrieved incident list is attached to the action's JSON results, - and the action completes with a success message if data is found. + 4. Add the retrieved incident data to the action result using `add_result_json`. + + 5. Terminate the action with a success or failure message based on the outcome. capabilities: can_create_case_comments: false can_create_insight: false @@ -508,8 +739,15 @@ List Incidents: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + incidents. It does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action fetches a list of incidents from PagerDuty. It does not enrich specific + entities or alerts within the SOAR platform. It is a retrieval action, not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -525,22 +763,76 @@ List Incidents: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It fetches a global list + of incidents from the PagerDuty API. List Users: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of users from PagerDuty. It does not match any of + the specific categories provided (e.g., it is not enriching a specific IOC or + Asset, nor is it performing a management action like blocking or updating). + It is a general data retrieval/listing action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description: Retrieves a comprehensive list of all users associated - with the configured PagerDuty account. This action is primarily used for administrative - auditing or to gather contact information for users within the PagerDuty environment. - ### Parameters Description: There are no parameters for this action. Note: Although - the integration metadata mentions hostname parameters, none are defined or used - in the implementation. ### Additional Notes: This action does not operate on specific - entities and instead fetches the global user list for the integration instance. - ### Flow Description: 1. **Initialization**: The action initializes the PagerDuty - manager using the API key provided in the integration configuration. 2. **API - Request**: It performs a GET request to the PagerDuty `/users` endpoint to retrieve - all user records. 3. **Data Handling**: The action extracts the user data from - the API response and attaches it to the action's JSON results. 4. **Completion**: - The action concludes by reporting the success of the retrieval and providing the - user list as output. + ### General Description + + This action retrieves a comprehensive list of all users from the PagerDuty platform. + It is designed to provide visibility into the user directory within PagerDuty, + returning the data as a JSON result for further analysis or display within the + SOAR platform. + + + ### Parameters Description + + There are no user-configurable input parameters for this action. The action utilizes + the API key configured in the PagerDuty integration settings to authenticate and + fetch the data. + + + ### Additional Notes + + This action does not require any specific entities to be selected. It performs + a global fetch operation against the PagerDuty API. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + the PagerDuty API token from the integration configuration. + + 2. **Execution**: It instantiates the `PagerDutyManager` and calls the `list_users` + method to query the PagerDuty `/users` endpoint. + + 3. **Output**: The retrieved list of users is added to the action results as a + JSON object. If the operation is successful, a success message is returned; otherwise, + an error message is generated. capabilities: can_create_case_comments: false can_create_insight: false @@ -551,8 +843,17 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + users. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify any internal SOAR data (entities, insights, or case comments). It + simply returns the fetched data as a result. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities, nor does it enrich them. It is a utility + action that fetches a global list of users from an external system. Therefore, + it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -568,52 +869,72 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` or perform any operations + on specific entities. It fetches a global list of users from the PagerDuty API. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any functional + operations like enriching data, creating tickets, or modifying alerts. Therefore, + it does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - and authentication between Google SecOps and the PagerDuty API. Its primary purpose - is to ensure that the provided API key is valid and that the network environment - allows for outbound communication to PagerDuty's infrastructure. - - - ### Parameters Description - + This action tests connectivity to the PagerDuty API to ensure the provided credentials + are valid and the service is reachable. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | api_key | String | Yes | The API key used to authenticate with the PagerDuty - API. This is typically retrieved from the integration configuration. | + 1. The action extracts the `api_key` from the integration configuration. + 2. It initializes the `PagerDutyManager` using the provided API key. - ### Additional Notes + 3. It executes a `GET` request to the PagerDuty `/abilities` endpoint. - - This action does not interact with or process any entities (e.g., IPs, Hostnames). + 4. If the request is successful, the action completes; otherwise, it raises an + error. - - It is strictly a connectivity test and does not retrieve or modify any incident - data. - - According to standard SOAR practices, this action is not classified as an enrichment - action. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: The action retrieves the mandatory `api_key` from - the integration's configuration settings. + | `api_key` | String | Yes | The API key used to authenticate with the PagerDuty + API. | - 2. **Client Initialization**: It initializes the `PagerDutyManager` with the provided - API key to handle HTTP requests. - 3. **Connectivity Test**: The action executes a GET request to the PagerDuty `/abilities` - endpoint. + ### Additional Notes - 4. **Validation**: If the API responds with a successful status code, the action - confirms connectivity. If the request fails (e.g., 401 Unauthorized or network - timeout), an error message is generated. + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -624,8 +945,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty `/abilities` endpoint to + verify connectivity and authentication. It does not modify any external or internal + data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action according to the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -641,54 +969,74 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Run Response Play: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a response play in PagerDuty. This does not align with the + provided categories such as enrichment, ticket management, alert modification, + or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Runs a specified PagerDuty response play on a given incident. Response plays are - pre-defined sets of actions in PagerDuty that can be manually or automatically - triggered to streamline incident response, such as notifying specific stakeholders - or adding responders. This action is currently marked as deprecated. + Triggers a specific response play in PagerDuty for a given incident. This action + allows users to automate incident response workflows by executing predefined response + plays directly from the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Email | String | Yes | The email address of the PagerDuty user performing the - action. This is required for the 'From' header in the API request. | + | Email | string | Yes | The email address associated with the user triggering + the response play. | - | Response ID | String | Yes | The unique identifier of the response play to be + | Response ID | string | Yes | The unique identifier of the response play to be executed. | - | Incident_ID | String | Yes | The unique identifier of the PagerDuty incident - on which the response play will be applied. | + | Incident_ID | string | Yes | The unique identifier of the incident on which + the response play will be run. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the user's email, the specific - Response Play ID, and the target Incident ID from the input parameters. + 1. The action extracts the required parameters: `Email`, `Response ID`, and `Incident_ID`. - 2. **Manager Initialization**: Initializes the PagerDuty API manager using the - integration's API key. + 2. It initializes the `PagerDutyManager` using the configured API token. - 3. **API Execution**: Sends a POST request to the PagerDuty `/response_plays/{response_play_id}/run` - endpoint with the incident reference in the payload. + 3. It executes the response play by sending a POST request to the PagerDuty API + endpoint `/response_plays/{response_plays_id}/run`. - 4. **Result Reporting**: Captures the API response, adds it to the action results, - and provides a success or failure message based on the HTTP response status. - - - ### Additional Notes - - * **Deprecated**: This action is officially marked as deprecated in the integration - metadata. - - * **No Entity Support**: This action does not iterate over or utilize Google SecOps - entities; it operates strictly based on the provided parameters. + 4. The result of the operation is added to the action results, and the action + concludes with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,12 +1045,20 @@ Run Response Play: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a response play in PagerDuty, which initiates automated workflows and - state changes (like adding responders or notifying users) on a specific incident. + Triggers a response play in PagerDuty for a specific incident via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (PagerDuty) to trigger + a response play, which constitutes an external data mutation. It does not fetch + contextual data for enrichment, nor does it modify internal SOAR data, entities, + or case comments. categories: enrichment: false + reasoning: >- + The action is a trigger/mutation action that executes a process in an external + system. It does not fetch data for enrichment purposes, nor does it meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -718,27 +1074,59 @@ Run Response Play: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over SOAR entities. It operates + on specific identifiers provided as input parameters. Snooze Incident: - ai_description: "### General Description\nThe **Snooze Incident** action allows\ - \ users to temporarily silence a PagerDuty incident for a fixed duration of one\ - \ hour (3600 seconds). This action is primarily used to pause notifications for\ - \ an active incident while it is being addressed or during known maintenance periods.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Email** | String | Yes | The email address\ - \ of the PagerDuty user performing the action. This is required by PagerDuty for\ - \ the 'From' header to track who initiated the snooze. |\n| **IncidentID** | String\ - \ | Yes | The unique identifier of the PagerDuty incident that needs to be snoozed.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the `Email`\ - \ and `IncidentID` from the input parameters and retrieves the API key from the\ - \ integration configuration.\n2. **API Request**: It utilizes the `PagerDutyManager`\ - \ to send a POST request to the PagerDuty `/incidents/{incident_id}/snooze` endpoint.\n\ - 3. **Payload**: The request includes a hardcoded payload setting the snooze duration\ - \ to 3600 seconds (1 hour).\n4. **Response Handling**: \n * If successful,\ - \ the action retrieves the updated incident details, adds them to the JSON results,\ - \ and completes the execution.\n * If an HTTP error occurs (e.g., invalid ID\ - \ or unauthorized), the action captures the error details and marks the execution\ - \ as failed.\n\n### Additional Notes\n* The snooze duration is currently fixed\ - \ at 1 hour and cannot be adjusted via parameters." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a POST request to PagerDuty to snooze an incident. This + is a state change in an external system (PagerDuty). It aligns with the 'Update + Ticket' category as it modifies the status/state of an incident in an external + ticketing/incident management system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true + ai_description: >- + ### General Description\nSnoozes a PagerDuty incident for a specified duration + (default 3600 seconds). This action allows analysts to temporarily suppress notifications + for an incident directly from the SOAR platform.\n\n### Parameters Description\n| + Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| + Email | string | Yes | The email address of the user performing the action, used + for PagerDuty API authentication headers. |\n| IncidentID | string | Yes | The + unique identifier of the PagerDuty incident to snooze. |\n\n### Additional Notes\nThe + action requires a valid PagerDuty API token configured in the integration settings. + The snooze duration is hardcoded to 3600 seconds.\n\n### Flow Description\n1. + Extract the `Email` and `IncidentID` parameters from the action configuration.\n2. + Initialize the `PagerDutyManager` using the API token retrieved from the integration + configuration.\n3. Execute the `snooze_incident` method, which sends a POST request + to the PagerDuty API endpoint `/incidents/{incident_id}/snooze`.\n4. The request + includes the provided email in the headers and a default snooze duration of 3600 + seconds.\n5. Return the resulting incident details in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -747,12 +1135,19 @@ Snooze Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Snoozes an incident in PagerDuty, which changes the incident's state to 'snoozed' - and suppresses notifications for a duration of 1 hour. - fetches_data: true + Snoozes an incident in PagerDuty by sending a POST request to the PagerDuty + API. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the PagerDuty API to snooze an incident, + which is an external system mutation. It does not fetch additional contextual + data, nor does it modify any internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (snoozing an incident) and does not fetch data + for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -768,3 +1163,6 @@ Snooze Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities. It uses action parameters + to identify the incident to snooze. diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..b8bd85d3a --- /dev/null +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,49 @@ +PagerDutyConnector: + ai_description: >- + ### General Description + + The PagerDuty connector integrates with the PagerDuty API to fetch incidents and + ingest them as alerts into Google SecOps. It supports optional automatic acknowledgment + of incidents within PagerDuty upon successful ingestion into the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | acknowledge | Boolean | No | If enabled, acknowledges the incident in PagerDuty + after ingestion. Note: The API key must have permissions to modify incidents. + | + + | apiKey | String | Yes | The API key used to authenticate with the PagerDuty + API. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + + ### Flow Description + + 1. The connector initializes the PagerDuty manager using the provided API key. + + 2. It queries the PagerDuty API to retrieve a list of active incidents. + + 3. For each retrieved incident, it maps the PagerDuty urgency level to the corresponding + SOAR severity. + + 4. It constructs a SOAR alert object containing incident details, including title, + ID, and creation time. + + 5. If the `acknowledge` parameter is enabled, the connector sends an acknowledgment + request back to PagerDuty for the processed incident. + + 6. Finally, the connector returns the list of processed alerts to the SOAR platform + for case creation. diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d8f3de73f --- /dev/null +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The PagerDuty integration is primarily an ITSM tool used for incident management, + ticketing, and alerting. It qualifies as ITSM because it allows for the creation, + listing, and management of incidents (tickets). It qualifies as Collaboration + because it manages on-call schedules and triggers response plays, which are essential + for notifying teams and coordinating incident response. It does not qualify as + SIEM because, while it ingests alerts, it does not perform the core SIEM functions + of log aggregation, timeline analysis, or IOC tracking across logs. It does not + meet the criteria for EDR, Network Security, Threat Intelligence, Email Security, + IAM, Cloud Security, Vulnerability Management, or Asset Inventory as it does not + perform the specific security-focused tasks defined for those categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml index a5191b64c..1f17c386a 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml @@ -1,47 +1,48 @@ Ping: - ai_description: >- - ### General Description - - The Ping action is designed to verify the connectivity and authentication status - between Google SecOps and the Slack API as part of the PerimeterX integration. - It ensures that the configured credentials are correct and that the system can - successfully communicate with Slack. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Slack API Key | String | Yes | The API token used to authenticate requests to - the Slack platform. This is a configuration-level parameter. | - - | Slack Channel | String | Yes | The specific Slack channel name associated with - the integration. This is a configuration-level parameter. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the Slack API Key and Slack - Channel from the integration's configuration settings. - - 2. **Manager Initialization**: It initializes the PerimeterXManager with the provided - credentials. - - 3. **Authentication Check**: The action calls the auth() method, which performs - a POST request to the Slack auth.test endpoint to verify the token. - - 4. **Result Reporting**: If the API returns a successful authentication response, - the action completes with a success message. If an error occurs or authentication - fails, it reports a failure status. - - - ### Additional Notes - - This action does not process any entities and is strictly used for health checks - of the integration configuration. As a Ping action, it is not categorized as an - enrichment action. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations (enrichment, containment, ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "The Ping action verifies connectivity to the Slack API by performing\ + \ an authentication test. It is used to ensure that the integration is correctly\ + \ configured and can communicate with the Slack workspace. \n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| Slack\ + \ API Key | String | Yes | The API key used to authenticate with the Slack workspace.\ + \ |\n| Slack Channel | String | Yes | The name of the Slack channel to verify\ + \ connectivity against. |\n\n### Flow\n1. Extract the configuration parameters\ + \ (Slack API Key and Slack Channel) from the integration settings.\n2. Initialize\ + \ the PerimeterXManager with the provided credentials and connector type.\n3.\ + \ Execute the auth() method, which sends a POST request to the Slack auth.test\ + \ endpoint to validate the API key.\n4. If the authentication is successful, return\ + \ a success message; otherwise, return an error message indicating the failure.\n\ + 5. Terminate the action with the appropriate execution status (Completed or Failed)." capabilities: can_create_case_comments: false can_create_insight: false @@ -52,8 +53,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify Slack API authentication. + It does not fetch contextual data for entities, nor does it modify any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not perform any data retrieval or state modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -69,3 +77,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..4b0302ee2 --- /dev/null +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,24 @@ +Slack Connector For Code Defender: + ai_description: >- + ### General Description\nThe PerimeterX Code Defender Connector integrates Google + SecOps with Slack to ingest security alerts generated by PerimeterX Code Defender. + It monitors a designated Slack channel for specific incident notifications, parses + the message content, and creates corresponding alerts within the SOAR platform + for further investigation and response.\n\n### Parameters Description\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Slack Channel + | String | Yes | The name of the Slack channel to monitor (without the "#" prefix). + |\n| Slack API Key | Password | Yes | The API key used to authenticate with the + Slack API. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) + for the Python process execution. |\n| EventClassId | String | Yes | The field + name used to determine the event name (sub-type). |\n| DeviceProductField | String + | Yes | The field name used to determine the device product. |\n\n### Flow Description\n1. + The connector initializes by connecting to the Slack API using the provided API + key.\n2. It resolves the configured Slack channel name to a channel ID.\n3. It + fetches message history from the channel, starting from the last successful execution + timestamp to ensure only new alerts are processed.\n4. It filters messages to + identify those specifically related to "Code Defender" incidents.\n5. For each + identified incident, it parses the message attachments to extract relevant data + such as severity, affected script, domain, and deep links.\n6. It maps the extracted + data into a standardized `AlertInfo` format and ingests the alerts into the SOAR + platform.\n7. Finally, it updates the last run timestamp to ensure subsequent + runs continue from the correct point in time. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d67a52d48 --- /dev/null +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The integration provides a connector to ingest security alerts from PerimeterX + Code Defender via Slack. PerimeterX Code Defender is a web application security + solution that detects client-side attacks. By ingesting these alerts into the + SOAR platform, the integration enables security teams to respond to web-based + attacks, which aligns with the 'Network Security' category definition of verifying + if a web-based attack was blocked or detected. The integration does not perform + host-level analysis (EDR), identity management (IAM), or ticketing (ITSM), nor + does it provide enrichment or log searching capabilities (SIEM/Threat Intelligence). + Therefore, it is classified under Network Security. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml index c361f78df..89b12f22e 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml @@ -1,11 +1,42 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) for the Philips HUE Bridge. It does + not perform any of the defined actions like enriching IOCs, updating tickets, + or blocking hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity to the Philips HUE Bridge to ensure that the provided configuration - parameters (Bridge IP and Authorized Username) are correct and that the bridge - is reachable over the network. This action is primarily used for health checks - and verifying integration settings. + This action tests the connectivity to a Philips HUE Bridge by performing a GET + request to the bridge's API. It is a diagnostic tool used to verify that the SOAR + platform can communicate with the external device. ### Parameters Description @@ -14,35 +45,27 @@ Ping: | :--- | :--- | :--- | :--- | - | Bridge IP | String | Yes (Config) | The IP address of the Philips HUE bridge, - retrieved from the integration configuration. | + | Bridge IP | String | Yes | The IP address of the Philips HUE bridge. | - | Authorized Username | String | Yes (Config) | The username used to authorize - access to the bridge's API, retrieved from the integration configuration. | + | Authorized Username | String | Yes | The username to authorize access to the + product's attributes. | ### Additional Notes - This action does not take any runtime parameters; it relies entirely on the integration's - configuration settings. As per standard practice, Ping actions are used for health - checks and do not perform data enrichment or mutation. + This action is a connectivity test (Ping) and does not perform any data enrichment + or state changes on the bridge or within the SOAR platform. ### Flow Description - 1. **Initialization**: The action starts by initializing the Siemplify context - and logging the start of the process. + 1. Extract the `Bridge IP` and `Authorized Username` from the integration configuration. - 2. **Configuration Retrieval**: It extracts the 'Bridge IP' and 'Authorized Username' - from the integration's configuration parameters. + 2. Initialize the `PhilipsManager` with the provided credentials. - 3. **Connectivity Test**: It uses the PhilipsManager to perform a GET request - to the bridge's API endpoint (https://{bridge_ip}/api/{user_name}). + 3. Execute the `test_connectivity` method, which sends a GET request to the bridge. - 4. **Result Handling**: If the GET request is successful (returns a 200 OK), the - action returns a success message. If an error occurs (e.g., timeout, authentication - failure, or network unreachable), it catches the exception and returns a failure - message with the error details. + 4. Return the connection status and an output message indicating success or failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -51,10 +74,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Philips HUE + Bridge. It does not modify external or internal data, nor does it update entities + or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the guidelines, 'Actions named Ping + must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -70,14 +100,48 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities` or any specific entity types. + It operates on global configuration parameters. Turn Off Light: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action interacts with a Philips HUE bridge to change the state of a light. + This does not align with any of the provided security-focused categories such + as IOC enrichment, ticket management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Turn Off Light** action allows users to programmatically turn off a specific - Philips HUE light bulb via the Philips HUE Bridge. This action is useful for physical - security responses or automation scenarios where lighting control is required - based on security events. + This action turns off a specific Philips HUE light by its unique identifier. It + interacts with a Philips HUE bridge to verify the light's existence and reachability + before sending a command to change its power state to 'off'. ### Parameters Description @@ -86,26 +150,25 @@ Turn Off Light: | :--- | :--- | :--- | :--- | - | **Light ID** | String | Yes | The unique identifier of the light bulb you wish - to turn off. This ID is specific to the Philips HUE Bridge configuration. | + | Light ID | string | Yes | The identifier of the light to be turned off. | ### Flow Description - 1. **Initialization**: The action retrieves the Bridge IP and Authorized Username - from the integration configuration and the Light ID from the action parameters. + 1. **Initialization**: The action extracts the required configuration parameters + (Bridge IP, Authorized Username) and the 'Light ID' action parameter. - 2. **Validation**: It first checks if the provided Light ID exists within the - Philips HUE Bridge environment. + 2. **Verification**: It initializes the `PhilipsManager` and performs a search + to verify that the provided 'Light ID' exists on the bridge. - 3. **Reachability Check**: If the ID exists, the action verifies if the light - bulb is currently reachable by the bridge. + 3. **Reachability Check**: If the light exists, it checks if the light is currently + reachable from the bridge. - 4. **State Mutation**: If reachable, the action sends a PUT request to the bridge's - API to set the light's 'on' state to `false` (off). + 4. **Execution**: If the light is reachable, it sends a PUT request to the bridge + to set the light's state to 'off'. - 5. **Reporting**: The action returns a success message if the light was successfully - turned off, or an error message if the light was unreachable or the ID was invalid. + 5. **Result**: The action returns the result of the operation, indicating success + or failure based on the bridge's response. capabilities: can_create_case_comments: false can_create_insight: false @@ -114,12 +177,21 @@ Turn Off Light: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Philips HUE Bridge API to change the - physical state of a light bulb from 'on' to 'off'. + Sends a PUT request to the Philips HUE bridge to change the state of the specified + light to 'off'. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to verify the light's existence and reachability + (fetches_data=true). It then performs a PUT request to change the state of the + light on the external Philips HUE bridge (can_mutate_external_data=true). It + does not modify internal SOAR data, entities, or case information. categories: enrichment: false + reasoning: >- + The action mutates external data (turns off a light) and does not perform any + enrichment or internal data modification. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -135,50 +207,89 @@ Turn Off Light: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `target_entities`. It operates based + on a user-provided 'Light ID' parameter. Turn On Light and Color: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action controls a physical IoT device (Philips Hue light). It does not match + any of the standard security-focused categories such as IOC enrichment, ticket + management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Turn On Light and Color** action allows users to control a specific Philips - Hue light bulb by its ID. It enables turning the light on while simultaneously - setting a specific color and an optional visual alert effect (like flickering). - This is often used in physical security or SOC environments to provide visual - cues for alerts. + This action controls a Philips Hue light by adjusting its power state, color, + and alert effects via the Philips Hue Bridge API. It allows analysts to trigger + visual indicators on physical hardware, which can be useful for physical security + alerting or status signaling. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action extracts the Philips Hue Bridge IP and authorized + username from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Retrieval**: It retrieves the `Light ID`, `Color`, and `Alert effect` + from the action parameters. - | **Light ID** | String | Yes | The unique identifier of the light bulb to be - controlled. | + 3. **Validation**: It performs a GET request to the Philips Hue Bridge to verify + that the specified `Light ID` exists. - | **Color** | DDL | Yes | The color to set the light to. Options include Red, - Orange, Yellow, Green, Blue, Purple, and Pink. | + 4. **Execution**: If the light exists, it performs a PUT request to the Bridge + API to update the light's state (power, color, and effect). - | **Alert effect** | DDL | Yes | The visual effect to apply. `None` just turns - it on, `Flicker-Once` performs a single flash, and `Flicker-Loop` flashes for - 15 seconds. | + 5. **Result**: The action returns the status of the operation, indicating success + or failure based on the API response. - ### Flow Description + ### Parameters Description - 1. **Initialization**: Connects to the Philips Hue Bridge using the provided IP - and authorized username. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 2. **Validation**: Checks if the specified `Light ID` exists on the bridge via - a GET request. + | Light ID | string | Yes | The unique identifier of the Philips Hue light to + control. | - 3. **Reachability Check**: Verifies if the light bulb is currently reachable by - the bridge. + | Color | ddl | Yes | The color to set the light to (Options: Red, Orange, Yellow, + Green, Blue, Purple, Pink). | - 4. **State Mutation**: Sends a PUT request to the bridge to turn the light on - and apply the selected color and alert effect. + | Alert effect | ddl | Yes | The visual effect to apply (Options: None, Flicker-Once, + Flicker-Loop). | + + + ### Additional Notes - 5. **Completion**: Returns the result of the operation and updates the action - status in Google SecOps. + This action requires a valid Philips Hue Bridge IP and an authorized username + configured in the integration settings to communicate with the device. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,13 +298,20 @@ Turn On Light and Color: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the physical state of a Philips Hue light bulb (turning - it on, changing color, or triggering an alert effect) via a PUT request to the - Philips Hue Bridge API. + Updates the state of a Philips Hue light (power, color, effect) via the Philips + Hue Bridge API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Philips Hue Bridge API. It performs GET + requests to verify light existence and reachability, and a PUT request to modify + the light's state (color, effect, power). It does not modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action mutates external data (changes light state) and does not perform + enrichment on entities or alerts. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -209,3 +327,6 @@ Turn On Light and Color: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It uses a provided `Light ID` parameter to identify the target device. diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..495f6e690 --- /dev/null +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The philips_hue integration provides actions to control physical IoT lighting + devices (turning lights on/off, changing colors). These actions do not align with + any of the defined security-focused product categories such as SIEM, EDR, Network + Security, Threat Intelligence, Email Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration. The integration is purely for physical + environment control and does not perform security operations, data enrichment, + or incident response tasks as defined in the provided schema. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml index a8e8a5a2a..a7a61e2aa 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml @@ -1,55 +1,74 @@ Check Url: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (suspicious status) + for a URL from PhishTank. This matches the 'Enrich IOC' category. It does not + perform any other actions like blocking, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Checks if a specific URL is marked as suspicious by the PhishTank Community. This - action enriches URL entities with reputation data, including verification status - and links to PhishTank detail pages. It helps security analysts quickly identify - known phishing links based on community-sourced intelligence. + action queries the PhishTank API for each URL entity in the scope, retrieves threat + intelligence, and updates the entity's status if it is verified as malicious. + It also generates insights for the analyst to review. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service Url | String | Yes | The API endpoint for the PhishTank service, retrieved - from the integration configuration. | + | Service Url | String | Yes | The API endpoint URL for the PhishTank service. + | ### Flow Description - 1. **Configuration Retrieval**: Fetches the PhishTank Service URL from the integration - settings. - - 2. **Entity Filtering**: Identifies all URL entities within the current scope - for processing. - - 3. **External Lookup**: For each URL, performs a POST request to the PhishTank - API to retrieve its status. + 1. Extract the `Service Url` configuration parameter. - 4. **Data Parsing**: Converts the XML response from PhishTank into a structured - format. + 2. Iterate through all target entities, filtering for those of type `URL`. - 5. **Reputation Assessment**: Checks if the URL exists in the PhishTank database - and evaluates its verification status. + 3. For each URL, send a POST request to the PhishTank API to retrieve reputation + data. - 6. **Internal Updates**: - * Adds an **Entity Insight** to the URL entity containing the verification - status and a link to the PhishTank detail page. - * Marks the entity as **Suspicious** within Google SecOps if the URL is confirmed - as verified phishing. - * Updates the entity attributes to reflect the new suspicious status. - 7. **Result Reporting**: Consolidates the findings into a final action message - and provides a detailed JSON result for downstream playbooks. + 4. Parse the XML response to determine if the URL is in the database and if it + is verified as malicious. + 5. If the URL is found, add an insight to the entity containing details such as + the link, verification status, and validity. - ### Additional Notes + 6. If the URL is verified as malicious, mark the entity as suspicious and update + it in the SOAR platform. - * The action attempts to use the `OriginalIdentifier` from the entity's additional - properties to ensure the most accurate URL is queried, falling back to the standard - identifier if necessary. + 7. Add the raw API response as a JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: true @@ -60,10 +79,21 @@ Check Url: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of URL entities if they are verified as - phishing in PhishTank and adds entity insights with the lookup results. + Updates the entity's 'is_suspicious' attribute and adds insights to the entity + within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the PhishTank API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + performs internal mutations by updating the entity's suspicious status and adding + insights to the entity (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (PhishTank) to enrich the entity + context. It does not mutate external systems. It performs allowed internal mutations + (updating entities, adding insights). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - DestinationURL @@ -80,39 +110,74 @@ Check Url: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.URL` (mapped to DestinationURL). Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + operational tasks such as enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity to the PhishTank service to ensure the integration is properly - configured and the service is reachable. + Tests the connectivity between the Google SecOps environment and the PhishTank + service. This action verifies that the integration is correctly configured and + can communicate with the external API. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the 'Service - Url' defined in the integration's global configuration. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + | Service Url | String | Yes | The base URL for the PhishTank API. | - ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the 'Service Url' from the - PhishTank integration settings. + ### Additional Notes + + This action is a diagnostic tool and does not perform any functional operations + or data retrieval. - 2. **Connectivity Check**: It sends a POST request to the configured URL with - a sample payload (checking the status of 'google.com') to verify the API's responsiveness. - 3. **Validation**: The action checks the HTTP response status code using `res.raise_for_status()`. + ### Flow Description - 4. **Completion**: If the request is successful, it reports that PhishTank is - connected. + 1. Retrieve the `Service Url` from the integration configuration. + 2. Send a POST request to the provided URL with a test payload (`{"url": "google.com", + "format": "json"}`). - ### Additional Notes + 3. Validate the response status code. - This action is primarily used for troubleshooting and verifying the initial setup - of the PhishTank integration. Per the guidelines, Ping actions are not categorized - as enrichment actions. + 4. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -123,8 +188,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the configured PhishTank service + URL. It does not fetch contextual data for entities, nor does it mutate any + external or internal systems. It is strictly a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the guidelines. It does not fetch data or perform any operational + tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -140,3 +213,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..dbd140091 --- /dev/null +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: true + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The phish_tank integration is primarily designed to provide threat intelligence + by checking the reputation of URL indicators against the PhishTank community database. + This aligns directly with the Threat Intelligence category, as it is used to enrich + URL entities to determine their malicious status. Additionally, because PhishTank + is a specialized service for identifying phishing attempts, the integration is + highly relevant to Email Security investigations, where analysts need to verify + suspicious links found in emails. It does not perform SIEM, EDR, Network Security + (blocking at the gateway), IAM, Cloud Security, ITSM, Vulnerability Management, + Asset Inventory, or Collaboration functions. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml index 87ca18363..ed40dc16c 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml @@ -1,31 +1,66 @@ Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using Pulsedive\ - \ threat intelligence. This action retrieves comprehensive indicator data, including\ - \ risk levels, risk factors, and community comments, to provide context for security\ - \ investigations. It allows users to define a risk threshold to automatically\ - \ flag suspicious entities within Google SecOps.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Threshold** | DDL | Yes | The minimum risk level (verylow, low, medium, high,\ - \ critical) required for the action to mark an entity as suspicious. |\n| **Retrieve\ - \ Comments** | Boolean | No | If enabled, the action will fetch and display community\ - \ comments associated with the IP indicator. Default is true. |\n| **Only Suspicious\ - \ Entity Insight** | Boolean | No | If enabled, the action will only generate\ - \ a case insight for entities that meet or exceed the specified risk threshold.\ - \ Default is false. |\n| **Max Comments To Return** | String | No | Specifies\ - \ the maximum number of comments to retrieve and display in the case wall data\ - \ table. Default is 50. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ Retrieves integration configuration (API Key, Root) and action-specific parameters\ - \ (Threshold, Comment settings).\n2. **Entity Filtering**: Identifies all `ADDRESS`\ - \ (IP) entities within the current context.\n3. **External Lookup**: For each\ - \ IP, queries the Pulsedive API to fetch indicator details and risk scores.\n\ - 4. **Risk Assessment**: Compares the retrieved Pulsedive risk level against the\ - \ user-defined `Threshold`. If the threshold is met, the entity is marked as suspicious.\n\ - 5. **Internal Enrichment**: Updates the entity's additional properties with Pulsedive\ - \ metadata and marks the entity as enriched.\n6. **Case Documentation**: \n \ - \ * Creates a data table on the case wall containing community comments (if enabled).\n\ - \ * Generates a detailed insight for the entity (subject to the `Only Suspicious\ - \ Entity Insight` filter).\n7. **Finalization**: Updates the entities in the Google\ - \ SecOps platform and returns a JSON summary of the results." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, risk levels, and threat intelligence for an + IP address (IOC). This matches the 'Enrich IOC' category. It does not perform + any containment, ticketing, or alert modification actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches IP Address entities\ + \ by retrieving threat intelligence from Pulsedive. It fetches reputation data,\ + \ risk factors, and comments (if requested) for the specified IP addresses. The\ + \ action evaluates the risk level of the IP against a user-defined threshold and\ + \ updates the entity's suspicious status, adds enrichment properties, and generates\ + \ insights within the Google SecOps platform.\n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action retrieves configuration parameters (API Root, API Key,\ + \ SSL verification) and action-specific parameters (Threshold, Retrieve Comments,\ + \ etc.).\n2. **Entity Filtering**: It filters the target entities to process only\ + \ those of type `ADDRESS`.\n3. **Data Retrieval**: For each valid entity, it queries\ + \ the Pulsedive API to fetch indicator data, including risk levels and comments.\n\ + 4. **Risk Evaluation**: It compares the retrieved risk score against the configured\ + \ `Threshold`. If the risk meets or exceeds the threshold, the entity is marked\ + \ as suspicious.\n5. **Enrichment & Insight Creation**: \n - Updates the entity's\ + \ `additional_properties` with the retrieved threat data.\n - Optionally constructs\ + \ a data table of comments and adds it to the case.\n - Creates an entity insight\ + \ summarizing the risk and threat details.\n6. **SOAR Update**: Updates the enriched\ + \ entities in the SOAR platform and adds a final JSON result containing the processed\ + \ data.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Threshold | ddl | Yes | The risk level threshold\ + \ (verylow, low, medium, high, critical) used to determine if an entity should\ + \ be marked as suspicious. |\n| Retrieve Comments | boolean | No | If enabled,\ + \ the action will retrieve and display comments associated with the entity. |\n\ + | Only Suspicious Entity Insight | boolean | No | If enabled, the action will\ + \ only create an entity insight if the entity is determined to be suspicious based\ + \ on the threshold. |\n| Max Comments To Return | string | No | Specifies the\ + \ maximum number of comments to retrieve for the entity. |\n\n### Additional Notes\n\ + - The action requires a valid Pulsedive API key and connectivity to the Pulsedive\ + \ API endpoint.\n- If no entities of type `ADDRESS` are found, the action will\ + \ not perform any enrichment." capabilities: can_create_case_comments: false can_create_insight: true @@ -36,10 +71,20 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (enrichment fields and suspicious status), creates - case insights, and adds data tables to the case wall. + The action updates entity properties, adds entity insights, and adds data tables + to the case wall within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from Pulsedive (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding entity + insights, and adding data tables to the case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence (enrichment) for IP addresses. + It does not mutate external systems and only performs allowed internal mutations + (updating entities, creating insights, adding data tables). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -56,56 +101,72 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` to process only entities + where `entity.entity_type == EntityTypes.ADDRESS`. Enrich URL: - ai_description: >- - Enriches URL entities using threat intelligence from Pulsedive. The action retrieves - comprehensive indicator data, including risk levels, risk factors, and community - comments. It evaluates the URL's risk against a user-defined threshold to determine - if the entity should be marked as suspicious within Google SecOps. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - at which the URL is marked suspicious. | - - | Retrieve Comments | Boolean | No | If enabled, fetches community comments associated - with the URL from Pulsedive. | - - | Max Comments To Return | String | No | The maximum number of comments to retrieve - (default is 50). | - - | Only Suspicious Entity Insight | Boolean | No | If enabled, entity insights - will only be created for URLs that meet or exceed the risk threshold. | - - - ### Flow Description - - 1. **Entity Filtering:** Filters the target entities to identify URL types. - - 2. **Data Retrieval:** For each URL, it queries the Pulsedive API to fetch indicator - details, risk scores, and risk factors. - - 3. **Risk Evaluation:** Compares the Pulsedive risk level against the user-provided - `Threshold` parameter. If the risk is equal to or higher than the threshold, the - entity is marked as suspicious. - - 4. **Enrichment:** Updates the entity's additional properties with Pulsedive metadata - (e.g., indicator ID, retired status, seen dates). - - 5. **Comment Processing:** If `Retrieve Comments` is active, it fetches comments - and adds them as a structured data table to the case wall. - - 6. **Insight Generation:** Creates an HTML-formatted entity insight containing - a risk summary and detailed risk factors. This is conditional based on the `Only - Suspicious Entity Insight` parameter. - - 7. **Finalization:** Updates the entities in the system and returns a JSON result - containing the raw data and a global risk flag. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, risk level) for a URL + indicator. This aligns with the 'Enrich IOC' category. It does not perform any + other actions like ticketing, blocking, or identity management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches URL entities by querying\ + \ the Pulsedive threat intelligence platform. It retrieves detailed indicator\ + \ information, including risk levels, risk factors, and associated comments. The\ + \ action evaluates the URL's risk against a user-defined threshold to determine\ + \ if it should be marked as suspicious within the SOAR platform. It updates the\ + \ entity's properties, generates insights, and provides a detailed data table\ + \ of comments for analyst review.\n\n### Flow Description\n1. **Initialization**:\ + \ The action extracts configuration parameters (API Root, API Key, SSL verification)\ + \ and action-specific parameters (Threshold, Retrieve Comments, etc.).\n2. **Filtering**:\ + \ It filters the target entities to process only those with the type `URL`.\n\ + 3. **Enrichment**: For each URL, it queries the Pulsedive API to retrieve indicator\ + \ data.\n4. **Risk Evaluation**: It compares the retrieved risk level against\ + \ the configured threshold. If the risk meets or exceeds the threshold, the entity\ + \ is marked as suspicious.\n5. **Data Update**: \n - Updates the entity's `additional_properties`\ + \ with the enrichment data.\n - Adds a data table containing comments to the\ + \ case wall if comments are retrieved.\n - Creates an entity insight summarizing\ + \ the risk and findings.\n6. **Finalization**: Updates the entities in the SOAR\ + \ platform and adds a JSON result containing the full enrichment details.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| Max Comments To Return | string | No | Specifies\ + \ the maximum number of comments to retrieve for the entity. Defaults to 50. |\n\ + | Threshold | ddl | Yes | The risk level threshold (verylow, low, medium, high,\ + \ critical) used to determine if an entity is marked as suspicious. |\n| Retrieve\ + \ Comments | boolean | No | If enabled, the action retrieves comments associated\ + \ with the entity. Defaults to true. |\n| Only Suspicious Entity Insight | boolean\ + \ | No | If enabled, the action only creates an insight if the entity is determined\ + \ to be suspicious. Defaults to false. |\n\n### Additional Notes\n- The action\ + \ requires a valid Pulsedive API key configured in the integration settings.\n\ + - The `Threshold` parameter is mandatory and dictates the sensitivity of the suspicious\ + \ status assignment." capabilities: can_create_case_comments: false can_create_insight: true @@ -116,10 +177,21 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, populates enrichment fields, adds data tables - for comments to the case wall, and creates entity insights. + The action updates entity properties, adds entity insights, and adds data tables + to the case wall. + reasoning: >- + The action fetches data from the Pulsedive API (fetches_data=true). It does + not modify external systems (can_mutate_external_data=false). It performs internal + mutations by updating entity properties, adding insights, and adding data tables + to the case (can_mutate_internal_data=true). It updates entities and creates + insights, but does not modify alert data or create case comments. categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data from an external source + (Pulsedive) to enrich entities. It does not mutate external systems. It performs + allowed internal mutations (updating entities, creating insights). Therefore, + it qualifies as an enrichment action. entity_usage: entity_types: - DestinationURL @@ -136,72 +208,65 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` using `entity.entity_type + == EntityTypes.URL`. Therefore, it only processes URL entities. Get Threat Details: - ai_description: >- - ### General Description - - This action retrieves comprehensive threat intelligence from Pulsedive based on - a provided threat name or threat ID. It is designed to provide security analysts - with deep context regarding specific threat actors, campaigns, or malware families, - including risk levels, wiki summaries, associated news, and user comments. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Threat Name | String | No | The name of the threat to retrieve information for - (e.g., 'Zeus'). | - - | Threat ID | String | No | The specific Pulsedive ID (TID) of the threat to retrieve - information for. | - - | Retrieve Comments | Boolean | No | If set to `true`, the action will fetch user - comments associated with the threat. Default is `true`. | - - | Split Risk | Boolean | No | If set to `true`, the action will provide a breakdown - of indicator counts by risk level (Critical, High, Medium, etc.). Default is `true`. - | - - | Create Insight | Boolean | No | If set to `true`, the action will generate a - formatted HTML insight in the Google SecOps case containing the threat summary. - Default is `false`. | - - - ### Additional Notes - - * **Input Requirement**: Either the `Threat Name` or the `Threat ID` must be - provided for the action to successfully identify a threat. If both are provided, - the `Threat Name` takes precedence in the logic. - - * **Data Tables**: If comments are retrieved, they are presented in a dedicated - data table on the case wall. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Pulsedive manager using the - provided API Root and API Key. - - 2. **Parameter Extraction**: It extracts the threat identifier (Name or ID) and - configuration flags (Retrieve Comments, Split Risk, Create Insight) from the action - parameters. - - 3. **Data Retrieval**: The action queries the Pulsedive API (`/api/info.php`) - to fetch detailed information about the specified threat. - - 4. **Internal Mutation (Data Table)**: If the threat has associated comments - and `Retrieve Comments` is enabled, the action constructs a CSV-formatted table - and adds it to the case wall. - - 5. **Internal Mutation (Insight)**: If `Create Insight` is enabled, the action - generates a formatted HTML insight containing the threat's risk level, category, - risk summary, wiki summary, and recent news. - - 6. **Completion**: The action populates the JSON results with the full threat - data and completes the execution with a success message. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (risk, description, news, etc.) for + a specific threat, which aligns with the 'Enrich IOC' category. It does not + perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves detailed threat\ + \ intelligence from Pulsedive based on a provided Threat Name or Threat ID. It\ + \ fetches comprehensive data including risk summaries, news, and comments, and\ + \ provides options to visualize this information within the Google SecOps platform\ + \ via data tables and case insights.\n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Threat Name | string | No\ + \ | The name of the threat to retrieve. Either this or 'Threat ID' must be provided.\ + \ |\n| Threat ID | string | No | The ID of the threat to retrieve. Either this\ + \ or 'Threat Name' must be provided. |\n| Retrieve Comments | boolean | No | Whether\ + \ to fetch and display comments associated with the threat. Defaults to true.\ + \ |\n| Split Risk | boolean | No | Whether to split indicator counts by risk level.\ + \ Defaults to true. |\n| Create Insight | boolean | No | Whether to create a case\ + \ insight containing the threat details. Defaults to false. |\n\n### Additional\ + \ Notes\nEither 'Threat Name' or 'Threat ID' must be provided for the action to\ + \ execute successfully. The action does not operate on entities; it uses these\ + \ parameters to query the Pulsedive API directly.\n\n### Flow Description\n1.\ + \ **Initialization**: Extracts configuration parameters (API Root, API Key, SSL\ + \ verification) and action parameters.\n2. **Data Retrieval**: Initializes the\ + \ PulsediveManager and queries the Pulsedive API using the provided Threat Name\ + \ or Threat ID.\n3. **Data Processing**: \n - If comments are retrieved, constructs\ + \ a data table and adds it to the case results.\n - If 'Create Insight' is\ + \ enabled, generates a case insight with the threat details.\n4. **Output**: Returns\ + \ the threat data as a JSON result and logs the execution status." capabilities: can_create_case_comments: false can_create_insight: true @@ -212,10 +277,19 @@ Get Threat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table to the case wall containing threat comments and - can create a detailed case insight with threat summaries and risk scores. + Creates a case insight and adds a data table to the case results. + reasoning: >- + The action fetches threat intelligence data from the Pulsedive API (fetches_data=true). + It does not mutate any external systems. It performs internal mutations by creating + a case insight and adding a data table to the case results, which are permitted + internal mutations for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data from an external source (Pulsedive) + and does not mutate external systems. It performs allowed internal mutations + (creating an insight and adding a data table). Thus, it qualifies as an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -231,47 +305,51 @@ Get Threat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses direct input parameters ('Threat + Name' or 'Threat ID') to query the Pulsedive API. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined operational + tasks like enrichment, containment, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Tests the connectivity to the Pulsedive server using the provided configuration - parameters. This action ensures that the API Root and API Key are valid and that - the network connection to Pulsedive is functional. - - - ### Parameters - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Pulsedive API. | - - | API Key | String | Yes | The API key used for authentication with Pulsedive. - | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Pulsedive server. Default is True. | - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the API Root, API Key, and SSL verification - settings from the integration configuration. - - 2. **Manager Initialization**: Initializes the PulsediveManager with the extracted - credentials. - - 3. **Connectivity Test**: Executes a test search request to the Pulsedive API - to verify the connection and credentials. - - 4. **Result Reporting**: Returns a success message if the connection is established, - or a failure message with error details if the test fails. - - - ### Additional Notes - - - This action does not process any entities and is used solely for configuration - validation. + Tests connectivity to the Pulsedive server. This action verifies that the provided + API credentials and endpoint are valid by performing a test request to the Pulsedive + API. ### Flow 1. Extracts configuration parameters (API Root, API Key, Verify + SSL). 2. Initializes the PulsediveManager with the provided credentials. 3. Executes + a connectivity test against the Pulsedive API. 4. Returns the success or failure + status of the connection. ### Parameters | Parameter | Type | Mandatory | Description + | | --- | --- | --- | --- | | API Root | String | Yes | The base URL for the Pulsedive + API. | | API Key | String | Yes | The API key for authentication. | | Verify SSL + | Boolean | No | Whether to verify SSL certificates. Defaults to True. | capabilities: can_create_case_comments: false can_create_insight: false @@ -282,8 +360,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a GET request to the Pulsedive + API. It does not modify external or internal systems, nor does it process entities. + It fetches data in the sense that it performs a network request to verify connectivity. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -299,72 +384,98 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test. Scan Indicator: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and threat intelligence for indicators + from Pulsedive, which aligns with the 'Enrich IOC' category. It does not perform + any containment, ticket management, or alert modification actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Performs an automated scan on indicators (IPs, Domains, URLs, and Hashes) using - the Pulsedive threat intelligence platform. This action is asynchronous, meaning - it submits indicators for analysis, polls for completion, and then retrieves the - final report. It supports both Passive scans (retrieving existing data) and Active - scans (initiating a fresh probe). The action enriches entities with risk levels, - risk factors, and community comments, and can automatically mark entities as suspicious - based on a configurable risk threshold. + Performs a scan on an indicator (e.g., IP, URL, Hash) using the Pulsedive platform + to retrieve threat intelligence, risk assessments, and associated comments. This + action automates the submission of indicators for analysis, polls for completion, + and enriches the entity within Google SecOps with the gathered intelligence. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Submission**: The action submits the target indicators to Pulsedive for analysis + using either a 'Passive' or 'Active' scan type. - | :--- | :--- | :--- | :--- | + 2. **Polling**: The action periodically checks the status of the scan reports + until they are completed. - | Scan Type | DDL | Yes | Determines the scan depth. 'Passive' fetches existing - data without direct interaction, while 'Active' performs a more intrusive, real-time - scan. | + 3. **Retrieval**: Once completed, it fetches the detailed scan data, including + risk scores, risk factors, and comments. - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - at which an entity will be labeled as suspicious in Google SecOps. | + 4. **Enrichment**: It updates the entity's `additional_properties` with the retrieved + data, marks the entity as suspicious if it meets the configured risk threshold, + and generates an entity insight. - | Only Suspicious Entity Insight | Boolean | No | If enabled, the action will - only generate an entity insight if the indicator's risk score meets or exceeds - the specified threshold. | + 5. **Reporting**: It adds a data table containing comments to the case and returns + a JSON result containing the full scan details. - | Retrieve Comments | Boolean | No | If enabled, the action fetches community - comments associated with the indicator from Pulsedive. | - | Max Comments To Return | String | No | Specifies the maximum number of comments - to retrieve and display in the case wall data table. Defaults to 50. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - This action is **Asynchronous**: It will transition through 'In Progress' states - while waiting for Pulsedive to complete the analysis. + | **Scan Type** | ddl | Yes | Determines the scan method: 'Passive' (no direct + reach-out) or 'Active' (more noisy). | - - The action uses the `OriginalIdentifier` of an entity if available, ensuring - accurate lookups for renamed or modified entities. + | **Threshold** | ddl | Yes | The risk level (verylow, low, medium, high, critical) + at which an entity is marked as suspicious. | + | **Only Suspicious Entity Insight** | boolean | No | If enabled, creates insights + only for entities identified as suspicious. | - ### Flow Description + | **Retrieve Comments** | boolean | No | If enabled, fetches and includes comments + associated with the indicator. | - 1. **Submission (First Run):** The action iterates through all target entities - and submits them to Pulsedive's analysis engine using the specified `Scan Type` - (Active or Passive). + | **Max Comments To Return** | string | No | Specifies the maximum number of comments + to retrieve. | - 2. **Status Polling:** The action enters an asynchronous loop, checking the status - of each submitted scan ID until Pulsedive reports the analysis is 'done'. - 3. **Data Retrieval:** Once completed, the action fetches the full report for - each indicator, including risk scores, risk factors, and comments. + ### Additional Notes - 4. **Risk Evaluation:** It compares the retrieved risk level against the user-defined - `Threshold`. If the risk is equal to or higher than the threshold, the entity - is marked as suspicious. + - This action is designed for indicator enrichment and does not perform any external + blocking or containment operations. - 5. **Enrichment & Insights:** The action updates the entity's additional properties - with Pulsedive data, creates detailed entity insights (optionally filtered by - the 'Only Suspicious' flag), and adds data tables containing community comments - to the case. + - The action supports asynchronous execution, allowing it to wait for scan results + without blocking the entire workflow. capabilities: can_create_case_comments: false can_create_insight: true @@ -375,10 +486,22 @@ Scan Indicator: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment properties to entities, creates - entity insights, and adds data tables for comments within the case. + The action updates entity properties, adds entity insights, and adds data tables + to the case. + reasoning: >- + The action fetches threat intelligence data from Pulsedive (fetches_data=true). + It does not perform any external mutations (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding insights, + and adding data tables to the case (can_mutate_internal_data=true). It updates + entities and creates insights, but does not modify alert data or create case + comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Pulsedive) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -429,3 +552,6 @@ Scan Indicator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without applying any type-based + filtering. Therefore, it is considered to run on all supported entity types. diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..06be9bae8 --- /dev/null +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Pulsedive integration is a dedicated Threat Intelligence platform. Its primary + actions, such as 'Enrich IP', 'Enrich URL', 'Get Threat Details', and 'Scan Indicator', + are designed to retrieve reputation, risk scores, and threat intelligence data + for various indicators (IPs, URLs, Hashes). It does not perform log analysis (SIEM), + host containment (EDR), network blocking (Network Security), identity management + (IAM), or ticket management (ITSM). Consequently, it aligns exclusively with the + 'Threat Intelligence' category. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml index 28f4750f0..bf899194b 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml @@ -1,32 +1,59 @@ Async Action Example: - ai_description: "### General Description\nThis is an asynchronous utility action\ - \ designed to synchronize workflows by waiting for specific tags to be applied\ - \ to one or more Google SecOps cases. It is primarily used in playbooks where\ - \ a subsequent step should only proceed once a manual or automated tagging event\ - \ has occurred on designated cases.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Case IDs\ - \ | String | No | A comma-separated list of Case IDs to monitor. If left empty,\ - \ the action defaults to monitoring the Case ID from which it was executed. |\n\ - | Case Tag To Wait For | String | Yes | The specific tag string the action will\ - \ look for in the target cases. The action remains 'In Progress' until all specified\ - \ cases contain this tag. |\n\n### Additional Notes\n- This action is defined\ - \ as `is_async: true`, meaning it will yield execution and resume periodically\ - \ until the condition is met or the system timeout is reached.\n- It uses the\ - \ `additional_data` parameter internally to maintain state (tracking which cases\ - \ have already been tagged) between asynchronous iterations.\n\n### Flow Description\n\ - 1. **Initialization**: The action extracts the target Case IDs and the required\ - \ tag from the input parameters.\n2. **Validation**: If no Case IDs are provided,\ - \ it identifies the current case ID as the target. It then parses the CSV string\ - \ into a list of integers.\n3. **Status Check**: The action iterates through the\ - \ target cases and calls the SOAR API to retrieve their current metadata, specifically\ - \ looking at the tags.\n4. **Tag Verification**: It compares the tags found on\ - \ each case against the 'Case Tag To Wait For' parameter.\n5. **State Management**:\ - \ \n - If all target cases possess the required tag, the action sets its state\ - \ to `COMPLETED` and returns a success message.\n - If any cases are still\ - \ missing the tag, the action updates its internal state (tracking progress) and\ - \ sets the execution state to `IN_PROGRESS` to be retried in the next cycle.\n\ - 6. **Timeout Handling**: If the action approaches the global asynchronous timeout\ - \ before all cases are tagged, it will exit gracefully with a timeout error." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is an orchestration/workflow action that monitors case tags. It does + not match any of the provided product categories (e.g., it does not enrich IOCs, + update tickets, or contain hosts). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "This is an asynchronous action that monitors specific Google SecOps\ + \ cases until they are assigned a designated tag. It is designed to pause execution\ + \ and wait for a specific condition (a case tag) to be met on one or more cases.\n\ + \n### Flow Description\n1. **Parameter Extraction**: The action extracts the `Case\ + \ IDs` (a comma-separated list of cases to monitor) and the `Case Tag To Wait\ + \ For` (the tag to look for). If no `Case IDs` are provided, it defaults to the\ + \ current case ID.\n2. **Case Data Retrieval**: In each iteration, the action\ + \ fetches the details of the specified cases using the `get_case_overview_details`\ + \ function.\n3. **Tag Verification**: It checks if the specified tag exists in\ + \ the tags list of each case.\n4. **Status Management**: \n - If a case has\ + \ the required tag, it is marked as \"done\".\n - If not all cases have the\ + \ tag, the action sets its execution state to `IN_PROGRESS` and stores the progress\ + \ (which cases are done and which are still waiting) in the `additional_data`\ + \ parameter for the next iteration.\n5. **Completion**: Once all specified cases\ + \ have the required tag, the action completes successfully.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | `Case IDs` | string | No | A comma-separated list of case IDs to monitor. If\ + \ not provided, the action defaults to the current case ID. |\n| `Case Tag To\ + \ Wait For` | string | Yes | The specific case tag that the action will wait for.\ + \ |\n\n### Additional Notes\nThis action is asynchronous and will continue to\ + \ run in iterations until all specified cases have the required tag or the action\ + \ reaches its timeout limit. It does not perform any external mutations or modifications\ + \ to the cases themselves." capabilities: can_create_case_comments: false can_create_insight: false @@ -37,8 +64,17 @@ Async Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches case details from the internal SOAR platform to check for + the presence of a specific tag. It does not mutate any external systems, nor + does it modify any internal SOAR data (like case tags or status). It does not + update entities, create insights, or add comments. categories: enrichment: false + reasoning: >- + The action is an orchestration/workflow action designed to wait for a specific + condition. It does not enrich entities or alerts with external data, nor does + it meet the criteria for an enrichment action as defined in the guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -54,53 +90,72 @@ Async Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case IDs provided as parameters or the current case ID. + It does not iterate over `target_entities` or use any entity-specific logic. Enrich Entity Action Example: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the 'Enrich IOC' or 'Enrich Asset' categories. It only adds static metadata + to the entity within the SOAR platform. Therefore, it does not match any of + the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches entities within Google SecOps by adding metadata and data tables. This - action serves as a template for processing entities based on their type (IP, Hash, - or User) and applying enrichment logic. It generates a timestamped enrichment - record for each eligible entity to provide context within the SOAR platform. + Enriches entities by adding a static 'enriched' flag and a timestamp to the entity's + data within the SOAR platform. This action allows users to select specific entity + types (IP, Hash, User) or all entities to process. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Entity Type | DDL | Yes | Defines which entities from the alert scope should - be processed. Options include 'All Entities', 'IP', 'Hash', and 'User'. This selection - determines the filtering logic applied to the target entities. | + | Entity Type | DDL | Yes | Defines what entities from the scope of the alert + should be processed. Options: All Entities, IP, Hash, User. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the 'Entity Type' selection from the action - configuration to define the scope of work. - - 2. **Entity Filtering**: Identifies entities in the current alert scope that match - the selected type (e.g., mapping 'IP' to ADDRESS entities or 'Hash' to FILEHASH, - CHILDHASH, and PARENTHASH entities). + 1. Extract the 'Entity Type' parameter. - 3. **Enrichment Generation**: For each matching entity, the action generates a - data dictionary containing a 'true' enrichment status and a current Unix timestamp. + 2. Validate the parameter. - 4. **Internal Updates**: - * **Entity Attributes**: Updates the entity's attributes with prefixed fields - (e.g., `SampleIntegration_enriched` and `SampleIntegration_timestamp`). - * **Data Tables**: Attaches a Data Table to the entity containing the enrichment - details in CSV format for visibility in the entity's profile. - 5. **Finalization**: Produces a summary message listing all successfully enriched - entities and sets the action result to success. + 3. Iterate through the target entities matching the selected type. + 4. Generate a static enrichment dictionary. - ### Additional Notes - - This is a synchronous action designed for demonstration and template purposes. - It does not interact with an external API but simulates the enrichment process - internally. + 5. Update the entity with this data and add a data table. capabilities: can_create_case_comments: false can_create_insight: false @@ -109,48 +164,27 @@ Enrich Entity Action Example: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data and attaches data tables to the - entities. + Updates entity data with enrichment fields and adds a data table to the SOAR + case. + reasoning: >- + The action does not perform any external API calls (fetches_data=false). It + updates entity data internally by adding a static enrichment flag and a data + table to the SOAR case (can_mutate_internal_data=true, can_update_entities=true). + It does not mutate external systems, modify alert data, or create case comments. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the 'Enrichment' category. It only adds static metadata to the entity within + the SOAR platform. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress + - CHILDHASH - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -165,48 +199,77 @@ Enrich Entity Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on the 'Entity Type' parameter provided by the user. The supported entity types + are mapped from the 'Entity Type' DDL parameter, which includes IP (ADDRESS), + Hash (FILEHASH, CHILDHASH, PARENTHASH), and User (USERUNIQNAME). Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - The Ping action is a diagnostic tool used to verify the connectivity between Google - SecOps and the API Service (VatComply). It ensures that the integration's configuration - parameters, such as the API Root and authentication credentials, are correct and - that the external service is reachable. + Tests connectivity to the configured API Service. This action verifies that the + integration can successfully communicate with the external service using the provided + authentication parameters. ### Parameters - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration settings: - - - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | API Root | String | Yes | The base URL of the API Service (default: https://api.vatcomply.com). - | + | API Root | String | Yes | The base URL of the API service to test connectivity + against. | | Password Field | String | No | The password or API key used for authentication. | | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the API - server. | + service. | ### Flow Description - 1. **Initialization**: The action initializes the API client by retrieving the - global integration configuration (API Root, Password, and SSL settings). + 1. The action initializes the API client using the provided configuration parameters + (API Root, Password, Verify SSL). - 2. **Authentication**: It sets up an authenticated session using the provided - password in a custom header. + 2. It establishes an authenticated session with the API service. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - typically performs a lightweight GET request to a predefined endpoint (e.g., `/rates`) - to check for a valid response. + 3. The action calls the `test_connectivity` method on the API client to verify + the connection. - 4. **Result Reporting**: If the request is successful, it returns a success message. - If the connection fails or returns an error, it reports a failure message. + 4. If the connection is successful, it returns a success message; otherwise, it + returns an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -217,8 +280,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (`test_connectivity`) to the API service. + It does not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action used for connectivity testing. Per instructions, + Ping actions are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -234,14 +303,50 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities; it performs a global connectivity + test. Simple Action Example: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical exchange rate data based on user-defined parameters. + This matches the 'Search Events' category, which involves returning historical + logs or telemetry data. It does not match other categories like 'Enrich IOC' + or 'Enrich Asset' as it does not provide reputation or asset metadata. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves currency exchange rate data from the external service 'api.vatcomply.com'. - It allows users to specify multiple currencies and a time range to fetch historical - or current rates. The results are presented as data tables, links on the case - wall, and a JSON file attachment within the Google SecOps case. + This action fetches historical exchange rate data from the `api.vatcomply.com` + service based on user-provided currencies and time frames. It processes the requested + data, generates data tables and links for the case, and saves the results as a + JSON attachment to the current case. ### Parameters Description @@ -250,53 +355,52 @@ Simple Action Example: | :--- | :--- | :--- | :--- | - | Currencies String | string | No | A comma-separated list of currency codes (e.g., - USD, EUR) to be processed. | + | Currencies String | string | No | A comma-separated list of currencies to process. + | - | Currencies DDL | ddl | No | A dropdown menu to select a single currency. The - action combines values from both 'Currencies String' and 'Currencies DDL'. | + | Currencies DDL | ddl | No | A dropdown selection for a currency. Either this + or 'Currencies String' must be provided. | - | Time Frame | ddl | No | Defines the temporal scope of the data. Options include - 'Today', 'Last 7 Days', or 'Custom'. | + | Time Frame | ddl | No | The time range for the results (Today, Last 7 Days, + Custom). | - | Start Time | string | No | The starting timestamp in ISO 8601 format. This is - **mandatory** if 'Time Frame' is set to 'Custom'. | + | Start Time | string | No | The start date in ISO 8601 format. Mandatory if 'Time + Frame' is set to 'Custom'. | - | End Time | string | No | The ending timestamp in ISO 8601 format. If omitted - while 'Custom' is selected, the current time is used. | + | End Time | string | No | The end date in ISO 8601 format. If not provided when + 'Time Frame' is 'Custom', it defaults to the current time. | - | Return JSON Result | boolean | Yes | If enabled, the action will populate the - JSON result field in the SOAR output. | + | Return JSON Result | boolean | Yes | If enabled, the action returns the results + as a JSON object. | ### Additional Notes - - At least one currency must be provided via either 'Currencies String' or 'Currencies - DDL'. + - If 'Time Frame' is set to 'Custom', 'Start Time' is mandatory. The delta between + 'Start Time' and 'End Time' cannot exceed 7 days; if it does, the action automatically + adjusts the 'End Time' to be exactly 7 days after the 'Start Time'. - - The maximum allowed time delta between 'Start Time' and 'End Time' is 7 days; - the action will automatically truncate the range if it exceeds this limit. - - - This action does not process or interact with Google SecOps entities. + - At least one of 'Currencies String' or 'Currencies DDL' must be provided. ### Flow Description - 1. **Parameter Extraction**: The action retrieves input parameters including currency - lists and time frame configurations. + 1. **Extraction**: Extracts all action parameters from the configuration. + + 2. **Validation**: Validates the currency and time frame parameters, ensuring + required fields are present and constraints (like the 7-day limit) are met. - 2. **Validation**: It validates that at least one currency is provided and ensures - the time range logic is sound (e.g., checking if 'Start Time' is provided for - 'Custom' ranges). + 3. **Data Retrieval**: Calls the `api_client.get_rates` method to fetch exchange + rate data from the external API. - 3. **Data Retrieval**: The action performs a GET request to the VatComply API - to fetch exchange rates for the specified currencies and dates. + 4. **Processing**: Creates data tables and links based on the retrieved exchange + rates. - 4. **Internal Data Processing**: It constructs data tables and case wall links - for each retrieved rate. + 5. **Attachment**: Saves the JSON results as a file and adds it as an attachment + to the current case. - 5. **Case Mutation**: The action saves the raw JSON response as a temporary file - and attaches it to the current Google SecOps case for audit and review. + 6. **Completion**: Returns a success message summarizing the processed currencies + and the time range. capabilities: can_create_case_comments: false can_create_insight: false @@ -307,10 +411,17 @@ Simple Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a temporary JSON file containing the retrieved exchange rates - and adds it as an attachment to the current case. + Adds a JSON file as an attachment to the current case. + reasoning: >- + The action fetches data from an external API (api.vatcomply.com). It does not + mutate external data. It mutates internal data by adding an attachment to the + case. It does not update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data, but it performs an internal mutation (adding an attachment) + that is not in the allowed list for enrichment actions (Add Case Comments, Create + Case Insights, Update Entity fields). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -326,3 +437,6 @@ Simple Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + Therefore, it does not run on any entity types. diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..a14c25576 --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,82 @@ +"Sample Integration - Simple Connector Example": + ai_description: >- + ### General Description + + This connector integrates with the `api.vatcomply.com` service to fetch currency + exchange rates. It processes these rates and creates alerts within Google SecOps, + allowing users to monitor financial data or exchange rate fluctuations as security + events. The connector supports flexible configuration for filtering, alert creation, + and proxy settings. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | Source field name for the Product Field. + | + + | EventClassId | String | Yes | Source field name for the Event Field. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script. + | + + | API Root | String | Yes | API Root URL for the service. | + + | Password Field | Password | No | API password (for showcase). | + + | Currencies To Fetch | String | No | Comma-separated list of currencies to fetch. + | + + | Create Alert Per Exchange Rate | Boolean | No | If enabled, creates a separate + alert per exchange rate. | + + | Alert Severity | String | No | Severity level for created alerts. | + + | Add Attachment | Boolean | No | If enabled, attaches JSON data to the alert. + | + + | Max Days Backwards | Integer | Yes | Number of days to fetch alerts from. | + + | Max Alerts To Fetch | String | Yes | Maximum number of alerts to process per + iteration. | + + | Use dynamic list as blocklist | Boolean | Yes | If enabled, uses the dynamic + list as a blocklist. | + + | Disable Overflow | Boolean | No | If enabled, ignores the overflow mechanism. + | + + | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + + ### Flow Description + + 1. Initializes the API client using the provided API Root and authentication parameters. + + 2. Reads existing alert IDs from the SOAR context to prevent duplicate processing. + + 3. Fetches exchange rate data from `api.vatcomply.com` for the configured currencies. + + 4. Transforms the fetched data into `AlertInfo` objects, optionally creating separate + alerts for each currency or a combined alert. + + 5. Filters alerts based on the whitelist/blocklist configuration and checks for + overflow. + + 6. Stores the processed alert IDs in the SOAR context and updates the last success + time. diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..481f89952 --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The integration includes a connector that ingests external data (exchange rates) + and creates alerts in Google SecOps, which aligns with the SIEM category's pattern + of data ingestion and alert creation. The integration also includes a job that + manages case lifecycle (closing cases and adding comments), which aligns with + the ITSM category's pattern of documenting investigations and managing ticket/case + states. Other categories are not applicable as the integration does not perform + security-specific functions like EDR, Network Security, or Threat Intelligence. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..f2d4c441d --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,41 @@ +Simple Job Example: + ai_description: >- + ### General Description + + This job automates case management tasks in Google SecOps based on specific case + tags. It performs two primary functions: closing cases tagged as "Closed" and + enriching cases tagged as "Currency" by adding the latest exchange rate as a comment. + The job maintains a persistent context to track processed cases and prevent duplicate + comments within the same day. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL for the API service. | + + | Password Field | Password | No | An example field for API authentication. | + + | Verify SSL | Boolean | Yes | If enabled, validates the SSL certificate when + connecting to the API. | + + + ### Flow Description + + 1. Initializes the API client using the provided configuration parameters. + + 2. Loads the job context to retrieve the state of previously processed cases and + the current date. + + 3. Queries Google SecOps for open cases tagged with either "Closed" or "Currency". + + 4. Iterates through the retrieved cases: + * If the case is tagged "Closed", it closes the case in Google SecOps. + * If the case is tagged "Currency" and has not been commented on today, it + fetches the current exchange rate from the API and adds it as a comment to the + case. + 5. Updates the job context with the IDs of newly commented cases and saves the + context for future runs. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml index eb0b6589e..0d8e04136 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml @@ -1,43 +1,57 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This action is a connectivity test ('Ping'). It does not perform any of the + listed operational tasks such as enrichment, containment, ticket management, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action is designed to test the connectivity between Google SecOps and the - SendGrid API. It validates the provided API Token by checking if it has the necessary - permissions to perform core functions, specifically the ability to send emails. - - - ### Parameters Description - - There are no parameters for this action. It relies solely on the 'API Token' provided - in the SendGrid integration configuration. - - - ### Additional Notes + General description: This action tests the connectivity to the SendGrid API by + verifying the provided API token's permissions. This ensures that the integration + is correctly configured and authorized to perform operations. - - This action is a standard 'Ping' utility used to ensure the integration is correctly - configured before running other functional actions. - - It specifically looks for the `mail.send` scope in the API response to confirm - the token is valid for sending operations. + Parameters description: There are no parameters for this action. - ### Flow Description + Flow description: - 1. **Configuration Retrieval**: The action retrieves the 'API Token' from the - SendGrid integration settings. + 1. Retrieve the API token from the SendGrid integration configuration. - 2. **API Connection**: It establishes an HTTPS connection to `api.sendgrid.com`. + 2. Establish an HTTPS connection to the SendGrid API endpoint (api.sendgrid.com). - 3. **Permission Check**: A GET request is sent to the `/v3/scopes` endpoint to - retrieve the list of permissions associated with the token. + 3. Perform a GET request to the /v3/scopes endpoint to verify the token's permissions. - 4. **Validation**: The script parses the JSON response and uses a regular expression - to search for the `mail.send` scope. + 4. Parse the response to check for the mail.send scope. - 5. **Result Reporting**: If the scope is found, the action completes successfully - with a confirmation message. If the scope is missing or the connection fails, - it returns an error message. + 5. Return a success status if the connection is established and the required scope + is present, or an error message otherwise. capabilities: can_create_case_comments: false can_create_insight: false @@ -48,8 +62,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity and permissions. It + does not modify external systems, update entities, or create insights. While + it fetches data (scopes), it is a connectivity test and not an enrichment action. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the provided instructions, actions + named 'Ping' must not be categorized as enrichment actions, regardless of whether + they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -65,29 +87,84 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference target_entities or perform any operations on entities. + It is a standalone connectivity test. Send Email: - ai_description: "### General Description\nSends an email message through the SendGrid\ - \ service using the SendGrid API. This action is designed to facilitate automated\ - \ communication within playbooks, such as sending notifications, reports, or alerts\ - \ to specific recipients.\n\n### Parameters Description\n| Parameter | Type |\ - \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Email From | String\ - \ | Yes | The email address that will appear as the sender. |\n| Email To | String\ - \ | Yes | The email address of the recipient. |\n| Subject | String | Yes | The\ - \ subject line of the email. |\n| Content | Email Content | Yes | The HTML-formatted\ - \ body of the email. |\n| Return Message Status | Boolean | No | If set to true,\ - \ the action will include the SendGrid API response status code and metadata in\ - \ the action's JSON results. Default is false. |\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action retrieves the SendGrid API Token from the integration\ - \ settings.\n2. **Message Construction**: It builds a mail object using the provided\ - \ 'Email From', 'Email To', 'Subject', and 'Content' parameters.\n3. **API Interaction**:\ - \ The action initializes the SendGrid API client and attempts to send the email.\n\ - 4. **Result Processing**: \n * If the email is sent successfully, it logs the\ - \ success.\n * If 'Return Message Status' is enabled, it captures the status\ - \ code and recipient details into the action's JSON result.\n5. **Error Handling**:\ - \ If the API call fails, the action logs the exception and returns a failure state.\n\ - \n### Additional Notes\nThis action does not operate on entities (IPs, Hosts,\ - \ etc.) within the case; it relies entirely on the provided input parameters to\ - \ execute the email delivery." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends an email using the SendGrid API, which directly matches the + 'Send Email' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: true + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Sends an email message using the SendGrid API. This action allows users to dispatch + notifications or reports to specified recipients. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Return Message Status | boolean | No | If set to true, the action saves the + response status code and recipient list as a JSON result. | + + | Subject | string | Yes | The subject line of the email. | + + | Email To | string | Yes | The recipient's email address. | + + | Email From | string | Yes | The sender's email address. | + + | Content | email_content | Yes | The HTML content of the email. | + + + ### Additional Notes + + This action does not require any entities to run. + + + ### Flow Description + + 1. Initializes the SendGrid API client using the configured API token. + + 2. Constructs the email message using the provided sender, recipient, subject, + and content. + + 3. Sends the email via the SendGrid API. + + 4. If 'Return Message Status' is enabled, saves the response status code and recipient + information as a JSON result in the action output. + + 5. Logs the operation status and returns the execution result. capabilities: can_create_case_comments: false can_create_insight: false @@ -95,13 +172,18 @@ Send Email: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Sends an email message to an external recipient via the SendGrid API, which - creates a new outbound communication record in the SendGrid service. + external_data_mutation_explanation: Sends an email via the SendGrid API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action sends an email via the SendGrid API, which is an external system + mutation. It does not fetch data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data from an external + source to enrich entities or alerts. It is an action that performs an external + operation (sending an email). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -117,3 +199,6 @@ Send Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or process any entities. It operates independently of + the entity list. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..860df3c72 --- /dev/null +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The SendGrid integration provides capabilities to send emails via an API. It does + not perform defensive email security operations such as searching or deleting + emails in inboxes, so it does not fit the 'Email Security' category. It also does + not perform SIEM, EDR, Network Security, Threat Intelligence, IAM, Cloud Security, + ITSM, Vulnerability Management, or Asset Inventory functions. However, it is used + to send notifications to stakeholders regarding alerts or critical findings, which + aligns with the 'Collaboration' category's purpose of notifying stakeholders. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..01c44962b --- /dev/null +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml @@ -0,0 +1,691 @@ +Add IP to Allow List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds an IP address to an allow list in an external security product + (Signal Sciences). This directly matches the 'Add IOC To Allowlist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action adds one or more IP addresses to the Allow List for a specific site + within the Signal Sciences platform. It ensures that traffic from these IP addresses + is permitted by updating the site's security configuration. The action supports + both manual input of IP addresses and the processing of IP entities attached to + the case. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | No | A comma-separated list of IP addresses to add to + the Signal Sciences allow list. If not provided, the action will attempt to process + IP entities from the case. | + + | Note | string | Yes | A descriptive note or justification for adding the IP + address to the allow list. This is required by the Signal Sciences API. | + + + ### Additional Notes + + - The action will attempt to process IP addresses provided in the 'IP Address' + parameter. If no IPs are provided via the parameter, it will fall back to processing + any 'ADDRESS' type entities associated with the current case. + + - The action validates that the provided strings are valid IPv4 or IPv6 addresses + before attempting to add them. + + - If an IP address already exists in the allow list for the specified site, the + action will skip the addition for that IP. + + + ### Flow Description + + 1. **Extraction**: The action extracts the 'Site Name', 'IP Address', and 'Note' + parameters. + + 2. **Collection**: It collects target IP addresses from the 'IP Address' parameter + and any 'ADDRESS' entities found in the case. + + 3. **Validation**: Each collected IP is validated to ensure it is a correct IP + format. + + 4. **Check Existing**: The action fetches the current allow list for the specified + site to avoid duplicate entries. + + 5. **Execution**: For each unique, valid IP not already in the allow list, the + action sends a PUT request to the Signal Sciences API to add the IP with the provided + note. + + 6. **Reporting**: The action constructs a result summary detailing which IPs were + successfully added and which failed. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Adds the specified IP address to the allow list configuration for a specific + site in the Signal Sciences platform. + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Signal Sciences API to add an IP address + to an allow list, which constitutes an external data mutation. It fetches existing + allow list data to check for duplicates, but does not modify internal SOAR case + data (entities, insights, etc.). + categories: + enrichment: false + reasoning: >- + The action mutates external data (adds an IP to an allow list), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters them using + `entity.entity_type == EntityTypes.ADDRESS`. It does not apply other filters. +Add IP to Block List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds an IP address to a blocklist in an external security product + (Signal Sciences). This directly matches the 'Add IOC To Blocklist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + The **Add IP to Block List** action enables security analysts to block specific + IP addresses within a designated site in the Signal Sciences platform. This action + helps mitigate threats by preventing malicious traffic from interacting with protected + resources. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the `Site Name`, `IP Address` + (optional), and `Note` (mandatory) from the action configuration. + + 2. **Target Identification**: It aggregates IP addresses from the `IP Address` + parameter and any `ADDRESS` type entities present in the current case. + + 3. **Pre-check**: It fetches the existing block list for the specified site to + identify if any target IPs are already blocked, preventing redundant API calls. + + 4. **Execution**: For each new IP address, it performs a PUT request to the Signal + Sciences API to add the IP to the block list with the provided justification note. + + 5. **Result Reporting**: It compiles the results, indicating which IPs were successfully + added and which failed, and updates the action output message accordingly. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | No | A comma-separated list of IP addresses to add to + the Signal Sciences block list. If not provided, the action will attempt to use + IP entities from the case. | + + | Note | string | Yes | The descriptive note or justification associated with + the blocked IP address. | + + + ### Additional Notes + + - The action requires either the `IP Address` parameter to be populated or `ADDRESS` + type entities to be present in the case for it to perform any blocking operations. + If neither is provided, the action will terminate without performing any changes. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Adds the specified IP address to the block list of a designated site in the + Signal Sciences platform. + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing block list data from the Signal Sciences API to + check for duplicates (fetches_data=true). It then performs a PUT request to + add new IPs to the block list (can_mutate_external_data=true). It does not modify + any internal SOAR case data, entities, or insights. + categories: + enrichment: false + reasoning: >- + The action performs a mutation on an external system (Signal Sciences) to block + an IP. It does not meet the criteria for an enrichment action as it is not read-only + and does not enrich internal SOAR data. + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters them based + on `entity.entity_type == EntityTypes.ADDRESS`. +List Sites: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of sites from the Signal Sciences API. It does not + match any of the provided categories (e.g., Enrich IOC, Enrich Asset, Update + Alert, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Use the **List Sites** action to retrieve a list of all sites available within + the corporation in Signal Sciences. This action fetches site information from + the Signal Sciences API and presents it as a table and JSON results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Sites To Return | string | No | The maximum number of sites to return. If + set to 0 or left empty, the action returns all available sites. Defaults to 50. + | + + + ### Flow Description + + 1. Extract the `Max Sites To Return` parameter from the action configuration. + + 2. Call the Signal Sciences API to fetch site information, utilizing pagination + if necessary to retrieve the requested number of sites. + + 3. Format the retrieved site data into a table and JSON results. + + 4. Update the action output with the list of retrieved sites and a success message. + + + ### Additional Notes + + If no sites are found for the given corporation, the action will return a message + indicating that no sites were found. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Signal Sciences API to retrieve a list + of sites. It does not modify any external or internal data, nor does it update + entities or create insights. + categories: + enrichment: false + reasoning: >- + The action fetches data from an external system (Signal Sciences) but does not + enrich specific entities (e.g., IP, User). It is a configuration/utility action, + not an enrichment action. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It fetches global corporation data. +Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + This is a connectivity test action. It does not match any of the functional + categories like enrichment, blocking, or ticketing. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Tests connectivity to the Signal Sciences API. This action verifies that the provided + connection parameters (API Root, Email, API Token, and Corporation Name) are valid + and that the SOAR platform can successfully communicate with the Signal Sciences + service. + + + ### Parameters + + There are no parameters for this action. + + + ### Flow Description + + 1. The action initializes the Signal Sciences API client using the configured + integration settings. + + 2. It sends a GET request to the Signal Sciences corporation endpoint to verify + connectivity. + + 3. If the request is successful, it returns a success message indicating connectivity + is established. + + 4. If the request fails (e.g., due to invalid credentials or network issues), + it logs the error and marks the action as failed. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity. It does not mutate external + or internal data, nor does it update entities or create insights. + categories: + enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, Ping actions must + not be categorized as enrichment actions. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. +Remove IP from Allow List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an IP from an allow list in Signal Sciences, which directly + matches the 'Remove IOC From Allowlist' category. + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + The **Remove IP from Allow List** action removes specified IP addresses from the + allow list of a designated site within the Signal Sciences platform. This action + helps maintain security posture by ensuring that only authorized IPs remain on + the allow list. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the `Site Name` and an optional + comma-separated list of `IP Address` values from the action parameters. + + 2. **Entity Collection**: It collects IP addresses from the provided `IP Address` + parameter and identifies any `ADDRESS` entities present in the current SOAR case. + + 3. **Data Retrieval**: It fetches the current allow list for the specified site + from Signal Sciences to identify the unique `item_id` associated with each target + IP. + + 4. **Removal**: For each identified IP, the action performs a DELETE request to + remove the corresponding entry from the Signal Sciences allow list. + + 5. **Finalization**: The action reports the success or failure of the removal + process for each IP address. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | No | A comma-separated list of IP addresses to remove + from the Signal Sciences allow list. If not provided, the action will process + `ADDRESS` entities from the case. | + + + ### Additional Notes + + - The action requires either the `IP Address` parameter to be populated or `ADDRESS` + entities to be present in the case for it to perform any removal operations. If + neither is provided, the action will terminate with a message indicating no IPs + were found. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Removes IP addresses from the Signal Sciences allow list for a specific site. + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action fetches the current allow list from the external system to identify + the correct item IDs for removal (fetches_data=true). It then performs a DELETE + request to remove the IP from the allow list, which constitutes an external + data mutation (can_mutate_external_data=true). It does not modify internal SOAR + data, entities, or insights. + categories: + enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (removes + an IP from an allow list). + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action iterates over `target_entities` and filters for entities where the + type is `ADDRESS`. +Remove IP from Block List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an IP address from the Signal Sciences blocklist, which directly + matches the 'Remove IOC From Blocklist' category defined as restoring connectivity + or execution rights for an indicator by removing it from restricted lists. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **Remove IP from Block List** action removes specific IP addresses from the + block list of a designated site within the Signal Sciences platform. This action + helps restore connectivity or access for IPs that were previously blocked. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | No | A comma-separated list of IP addresses to remove + from the Signal Sciences block list. | + + + ### Additional Notes + + - The action processes IP addresses provided in the 'IP Address' parameter and + any 'ADDRESS' entities attached to the case. If no IPs are provided via parameters + or entities, the action will terminate. + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the 'Site Name' and 'IP Address' parameters. + + 2. **Entity Identification**: Collects IP addresses from the 'IP Address' parameter + and identifies any 'ADDRESS' entities from the current case. + + 3. **Data Retrieval**: Fetches the current blocklist for the specified site from + the Signal Sciences API. + + 4. **Validation & Removal**: Iterates through the target IPs, validates their + format, checks if they exist in the fetched blocklist, and sends a DELETE request + to remove them if found. + + 5. **Reporting**: Logs the success or failure of each removal operation and updates + the action output message with the final status. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Removes the specified IP address from the block list in the Signal Sciences + dashboard. + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action fetches the current blocklist from the external system to identify + the ID of the IP to be removed (fetches_data=true). It then performs a DELETE + request to the Signal Sciences API to remove the IP from the blocklist (can_mutate_external_data=true). + It does not modify internal SOAR data, entities, or case insights. + categories: + enrichment: false + reasoning: >- + The action performs a mutation on an external system (removing an IP from a + blocklist), which violates the 'External State Preservation' constraint required + for enrichment actions. + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters specifically + for entities of type `ADDRESS` to include them in the list of IPs to be removed. diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..1e30cec40 --- /dev/null +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Signal Sciences integration is a Web Application Firewall (WAF) management + tool. Its primary capabilities involve managing IP allow and block lists, which + directly aligns with the Network Security category, as it allows the agent to + block or permit malicious IPs at the gateway. It does not perform SIEM log analysis, + EDR host-level investigation, threat intelligence enrichment (it does not provide + reputation scores), or any other functions related to IAM, ITSM, or cloud resource + management. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml index 5fd183f8e..28f07cdd2 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml @@ -1,32 +1,50 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined product category operations (enrichment, ticketing, containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + General description: This action performs a connectivity check to verify that + the Spell Checker integration is properly configured and reachable. It does not + perform any data processing or external system modifications. - The **Ping** action is a diagnostic utility used to verify the connectivity and - functional status of the **Spell Checker** integration within Google SecOps. Its - primary purpose is to ensure that the integration environment is correctly set - up and that the action execution engine can successfully initialize the integration's - components. + Parameters description: There are no parameters for this action. - ### Parameters - There are no parameters required for this action. + Additional notes: This is a standard connectivity check action. - ### Additional Notes - - This action does not interact with any external APIs or perform any spell-checking - logic. It is strictly used for health checks. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify API context. - - 2. **Connectivity Confirmation**: The action immediately concludes, returning - a success message ('Spell Checker is connected') to indicate that the integration - is reachable and active. + Flow description: 1. The action initializes the `SiemplifyAction` module. 2. It + executes a connectivity check. 3. It returns a success message indicating the + integration is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -37,8 +55,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple connectivity check ('Ping'). It does not fetch data, + mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the guidelines. It does not fetch data or perform any enrichment + tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -54,55 +79,54 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + check. Spelling Check: - ai_description: >- - ### General Description - - This action identifies misspelled words within a provided text string and suggests - potential corrections based on word frequency. It is designed to help analysts - clean up notes, communications, or extracted data within the SOAR platform by - highlighting typographical errors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Input | String | No | The raw text that will be analyzed for spelling errors. - If left empty, the action will process an empty string. | - - - ### Flow Description - - 1. **Text Retrieval**: The action retrieves the string provided in the `Input` - parameter. - - 2. **Sanitization**: It cleans the input text using regular expressions to remove - special characters while preserving letters, spaces, and specific symbols like - '@' (to identify emails). - - 3. **Filtering**: The logic splits the text into individual words and filters - out potential false positives such as email addresses and URLs (containing 'http'). - - 4. **Misspelling Identification**: It utilizes a spell-checking manager (augmented - with a custom allowlist of technical terms like 'siemplify' and 'playbook') to - identify words not found in its dictionary. - - 5. **Suggestion Generation**: For every misspelled word found, the action generates - a list of candidate corrections. - - 6. **Output Generation**: The results are formatted into a JSON object and a data - table titled 'Found spelling mistakes' which is attached to the action output - in the SOAR case. - - - ### Additional Notes - - This action performs local text processing and does not require connectivity to - external web services or APIs. It does not interact with or filter entities within - the case scope. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a local spell check on a string input. It does not interact + with external systems, fetch threat intelligence, or modify alerts/entities. + It does not fit any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "This action performs a spell check on a provided input string to\ + \ identify misspelled words and suggest corrections. \n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Input |\ + \ string | No | The text that will be checked by the Spell Checker. |\n\n### Flow\n\ + 1. Retrieve the `Input` parameter from the action configuration.\n2. Clean the\ + \ input text using regex to remove special characters and irrelevant symbols.\n\ + 3. Use the `SpellCheckerManager` to identify unknown words (misspellings) in the\ + \ cleaned text.\n4. Generate correction candidates for each identified misspelled\ + \ word.\n5. Return the results as a JSON object and a data table containing the\ + \ original words and their recommended corrections.\n\n### Additional Notes\n\ + This action performs local text processing and does not interact with external\ + \ systems or modify SOAR case data." capabilities: can_create_case_comments: false can_create_insight: false @@ -113,8 +137,17 @@ Spelling Check: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local text processing using the `pyspellchecker` library. + It does not interact with external APIs, modify external systems, or update + internal SOAR data (entities, insights, or alerts). It simply returns the results + of the spell check as a JSON object and a data table. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it enrich entities + or alerts. It is a utility action for text processing. Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -130,3 +163,6 @@ Spelling Check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + a raw string input provided via parameters. diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..534cfcb2a --- /dev/null +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The 'spell_checker' integration provides utility functions for text processing + (spell checking) and connectivity verification. It does not interact with security + infrastructure, threat intelligence feeds, identity providers, cloud environments, + or ticketing systems. It does not perform any of the functions defined for the + listed product categories (SIEM, EDR, Network Security, Threat Intelligence, Email + Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration). Therefore, it does not align with any of the defined security + product categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml index 6d22f2797..ce0dfd90b 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml @@ -1,24 +1,71 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a health check (Ping) on an external system. It does not + match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description: Tests the connectivity and health of the Superna Zero - Trust (Eyeglass) API. This action is primarily used to verify that the integration - is correctly configured and can successfully communicate with the target server. - ### Parameters Description: | Parameter | Type | Mandatory | Description | | :--- - | :--- | :--- | :--- | | api_token | String | Yes | (Configuration) The API key - used for authentication with the Superna Zero Trust service. | | eyeglass_ip | - String | Yes | (Configuration) The IP address or hostname of the Superna Eyeglass - server. | | Verify SSL | Boolean | No | (Configuration) Determines whether to - verify the SSL certificate of the server. Defaults to False. | ### Additional - Notes: This action does not require any input entities and relies solely on the - integration's configuration parameters. It is categorized as a connectivity test. - ### Flow Description: 1. **Configuration Extraction**: Retrieves the api_token, - eyeglass_ip, and Verify SSL settings from the integration configuration. 2. **URL - Construction**: Builds the full API URL using the provided IP and the /sera/v1/healthcheck - endpoint. 3. **API Request**: Sends a GET request to the health check endpoint - with the API key included in the headers. 4. **Error Handling**: Catches timeouts, - connection errors, and HTTP errors, logging the specific failure reason for troubleshooting. - 5. **Result Reporting**: Returns a success message if the API responds correctly, - or a failure message with details if an error occurs. + ### General Description + + This action performs a health check on the Superna Zero Trust system by sending + a GET request to the `/sera/v1/healthcheck` endpoint. It verifies connectivity + to the Eyeglass instance. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `api_token` | String | Yes | The API token used for authentication with the + Superna Zero Trust API. | + + | `eyeglass_ip` | String | Yes | The IP address or hostname of the Eyeglass instance. + | + + | `Verify SSL` | Boolean | No | Determines whether to verify SSL certificates + during the API request. Defaults to `False`. | + + + ### Flow Description + + 1. Extract configuration parameters (`api_token`, `eyeglass_ip`, `Verify SSL`). + + 2. Construct the API URL using the provided IP and the health check route (`/sera/v1/healthcheck`). + + 3. Send a GET request to the constructed URL with the API token in the headers. + + 4. Handle potential exceptions (Timeout, ConnectionError, HTTPError, RequestException). + + 5. Return the execution status and response text using `siemplify.end`. capabilities: can_create_case_comments: false can_create_insight: false @@ -27,10 +74,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API to verify connectivity + (health check). It does not modify external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a health check. According to the rules, + 'Ping' actions are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -46,58 +99,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities`. It is a global + action. Superna Snapshot Critical NAS Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a snapshot via an external API. It does not match any of + the predefined categories (Enrichment, Containment, Ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Triggers a snapshot of critical NAS (Network Attached Storage) data via the Superna - Eyeglass Zero Trust API. This action is designed to initiate a protective snapshot - of critical data paths, typically as a response to detected ransomware activity - or as a proactive security measure within a Zero Trust framework. + Triggers a snapshot of critical NAS data using the Superna Zero Trust API. This + action initiates a snapshot process on the target NAS system to ensure data integrity + and security. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | api_token | String | Yes | The API key used for authentication with the Superna - Eyeglass server. This is retrieved from the integration configuration. | + | `api_token` | String | Yes | The API key for authentication with the Superna + Zero Trust API. | - | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass - instance. This is retrieved from the integration configuration. | + | `eyeglass_ip` | String | Yes | The IP address of the Eyeglass instance. | - | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate - of the Superna Eyeglass server. Defaults to `False`. | + | `Verify SSL` | Boolean | No | Whether to verify SSL certificates (default: False). + | - ### Additional Notes - - * This action does not operate on specific entities (like IPs or Hostnames) within - a case. Instead, it performs a global operation on the configured Superna Eyeglass - environment. + ### Flow Description - * The action uses a POST request to the `/sera/v2/ransomware/criticalpaths` endpoint, - which triggers the snapshot process on the external system. + 1. Extracts configuration parameters (`api_token`, `eyeglass_ip`, `Verify SSL`) + from the integration settings. + 2. Constructs the API request URL and headers. - ### Flow Description + 3. Sends a POST request to the Superna Zero Trust API endpoint (`/sera/v2/ransomware/criticalpaths`) + to initiate the snapshot process. - 1. **Configuration Extraction**: Retrieves the `api_token`, `eyeglass_ip`, and - `Verify SSL` settings from the integration configuration. + 4. Handles potential errors (timeout, connection, HTTP errors). - 2. **URL Construction**: Builds the target API endpoint using the provided Eyeglass - IP and the predefined critical paths route. + 5. Returns the API response as the action result. - 3. **API Request**: Executes an authenticated HTTP POST request to the Superna - Eyeglass API to trigger the snapshot. - 4. **Error Handling**: Implements comprehensive error handling for timeouts, connection - issues, and HTTP errors (e.g., 4xx or 5xx responses). + ### Additional Notes - 5. **Result Reporting**: Returns the raw API response text as the action result - and sets the execution status based on the success of the API call. + The action does not require any entities to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -106,12 +183,18 @@ Superna Snapshot Critical NAS Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the creation of a data snapshot for critical NAS paths within the Superna - Eyeglass platform. - fetches_data: true + Triggers a snapshot of critical NAS data on the Superna Zero Trust system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Superna Zero Trust API to trigger + a snapshot of critical NAS data. It does not fetch data for enrichment or modify + internal SOAR data. categories: enrichment: false + reasoning: >- + The action performs a POST request to trigger a snapshot, which is a mutation + of external state, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -127,15 +210,48 @@ Superna Snapshot Critical NAS Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity-specific + logic. Superna Zero Trust User Lockout: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a lockout of a user account on an external system (Superna + NAS). This aligns with 'Disable Identity' as it revokes access to the NAS storage. + It does not perform enrichment, ticket creation, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Superna Zero Trust User Lockout** action is designed to immediately revoke - a user's access to all Superna-protected Network Attached Storage (NAS). By communicating - with the Superna Eyeglass API, it resolves existing user permissions and applies - a 'deny read' permission to SMB shares, effectively containing a suspected compromised - account. + This action locks out a specified user from Superna protected NAS storage by interacting + with the Eyeglass Zero Trust API. It applies a deny read permission to SMB shares + for the target user. ### Parameters Description @@ -144,30 +260,28 @@ Superna Zero Trust User Lockout: | :--- | :--- | :--- | :--- | - | **UserName** | String | Yes | The identifier of the user to be locked out. Should - be provided in `domain\username` or `user@domain` format. | + | UserName | string | Yes | The user to be locked out of NAS storage in format + domain\username or user@domain name. | ### Flow Description - 1. **Initialization**: The action retrieves the necessary connection details (Eyeglass - IP, API Token) and the target username from the action parameters. + 1. Extracts configuration parameters (API token, Eyeglass IP, SSL verification + setting). + + 2. Extracts the `UserName` parameter. - 2. **Encoding**: The username is URL-encoded to ensure compatibility with the - API endpoint structure. + 3. Constructs the API endpoint URL by appending the URL-encoded username to the + base path. - 3. **API Request**: A POST request is sent to the Superna Eyeglass lockout endpoint - (`/sera/v2/ransomware/lockout/{user}`). + 4. Sends a POST request to the Superna Eyeglass API to initiate the user lockout. - 4. **Outcome Handling**: The action monitors the HTTP response. If successful, - it confirms the lockout; otherwise, it logs specific error types (Timeout, Connection, - or HTTP errors) and fails the action. + 5. Logs the outcome and terminates the action with the appropriate status. ### Additional Notes - This action does not process entities from the case context; it relies solely - on the provided `UserName` parameter. + Requires valid `api_token` and `eyeglass_ip` configured in the integration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,12 +290,21 @@ Superna Zero Trust User Lockout: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a lockout on the Superna Eyeglass platform, which modifies user permissions - and SMB share access on protected NAS storage. + The action sends a POST request to the Superna Eyeglass API to apply a deny + read permission to SMB shares for the specified user, effectively locking them + out of NAS storage. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to change the state of + a user's access (lockout). It does not fetch data, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (locking out a user) and + does not fetch data for enrichment purposes, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -197,51 +320,77 @@ Superna Zero Trust User Lockout: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a provided + `UserName` parameter to perform the lockout, meaning it does not operate on + SecOps entities. Superna Zero Trust User Un Lock: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: true + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action unlocks a user account, which directly restores authentication capabilities + and system access. This matches the 'Enable Identity' category. It does not + perform enrichment, ticket creation, or other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action unlocks a user account that was previously locked out from Superna-protected - NAS storage. It communicates with the Superna Eyeglass Zero Trust API to restore - access for the specified user. + This action unlocks a user account that was previously locked out from Superna + protected NAS storage using the Superna Eyeglass Zero Trust API. It performs a + POST request to the external system to restore access for the specified user. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | UserName | String | Yes | The identifier of the user to be unlocked. The expected - format is `domain\username` or `username@domain`. | - - - ### Additional Notes - - * The action requires the `api_token` and `eyeglass_ip` to be correctly configured - in the integration settings. - - * The `Verify SSL` configuration parameter determines whether the action validates - the SSL certificate of the Eyeglass server. + | UserName | string | Yes | The name of the user to unlock, in the format `domain\username` + or `username@domain`. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the API token, Eyeglass IP - address, and SSL verification settings from the integration configuration. + 1. **Configuration Extraction**: Retrieves the API token, Eyeglass IP address, + and SSL verification settings from the integration configuration. - 2. **Input Processing**: The `UserName` provided in the action parameters is retrieved - and URL-encoded to ensure compatibility with the API endpoint. + 2. **Parameter Extraction**: Retrieves the `UserName` parameter provided by the + user. - 3. **API Request Construction**: A POST request URL is constructed using the Eyeglass - IP and the encoded username (e.g., `https://{eyeglass_ip}/sera/v2/ransomware/unlock/{user}`). + 3. **API Request Construction**: Builds the API endpoint URL using the Eyeglass + IP and the user identifier. - 4. **External Execution**: The action sends a POST request to the Superna Eyeglass - API using the provided API key for authentication. + 4. **Execution**: Sends a POST request to the Superna Eyeglass API to unlock the + user. - 5. **Response Handling**: The action processes the API response, handling various - error states such as timeouts, connection failures, and HTTP errors, and returns - the final status and response text to Google SecOps. + 5. **Result Handling**: Processes the API response and terminates the action with + a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -250,13 +399,18 @@ Superna Zero Trust User Un Lock: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends a POST request to the Superna Eyeglass API to unlock a user - account, which changes the user's access state on the protected NAS storage - systems. + Unlocks a user account on the external Superna Eyeglass system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Superna Eyeglass) to + unlock a user account. It does not fetch data for enrichment, nor does it modify + internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (unlocking a user) and does not perform data + retrieval for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -272,3 +426,6 @@ Superna Zero Trust User Un Lock: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies solely on the `UserName` input parameter. diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0dc17be29 --- /dev/null +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The integration provides automation for Superna Zero Trust, focusing on NAS storage + security. The 'Superna Zero Trust User Lockout' action allows for the suspension + of user access to NAS storage by applying deny read permissions to SMB shares, + which directly aligns with the 'IAM & Identity Management' category's goal of + managing identity and suspending accounts. The 'Superna Snapshot Critical NAS + Data' action performs a data protection task (snapshotting), and the 'Ping' action + performs a health check; neither of these actions fits into the provided categories + (SIEM, EDR, Network Security, etc.). Therefore, the integration is classified + under IAM & Identity Management. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml index 81e708fca..2a2efc05b 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml @@ -1,48 +1,69 @@ Account Usage: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves account usage statistics. It does not match any of the + provided categories, which are focused on IOC enrichment, asset management, + ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Account Usage** action retrieves real-time metrics regarding the query consumption - and quota limits for the Team Cymru Scout API. It provides security analysts with - visibility into their remaining API balance, ensuring that automated workflows - or manual investigations do not exceed subscription limits. The action fetches - data for both standard queries and foundation API usage. + The Account Usage action retrieves the current account usage metrics for the Team + Cymru Scout API. This action provides visibility into the API's query limits, + used queries, and remaining queries, allowing administrators to monitor their + subscription usage directly from the SOAR platform. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - - This action is a utility task used for monitoring integration health and quota - status. - - - It does not interact with or require any entities (IPs, Domains, etc.) to execute. + There are no parameters required for this action. It utilizes the integration + configuration settings (Authentication Type, API Key, Username, Password, Verify + SSL) to authenticate and communicate with the Team Cymru Scout service. ### Flow Description - 1. **Authentication**: The action retrieves the configured authentication credentials - (either API Key or Username/Password) from the Team Cymru Scout integration settings. + 1. The action initializes the `SiemplifyAction` and retrieves the integration + configuration parameters. + + 2. An `ApiManager` instance is created using the retrieved credentials. - 2. **API Connection**: It initializes a connection to the Team Cymru Scout service - via the `ApiManager`. + 3. The action calls the `/usage` endpoint of the Team Cymru Scout API. - 3. **Data Retrieval**: A GET request is dispatched to the `/usage` endpoint to - fetch current account statistics. + 4. If the API call is successful, the raw JSON response is added to the action + results. - 4. **Metric Extraction**: The logic parses the response to identify key metrics: - `used_queries`, `remaining_queries`, `query_limit`, and specific foundation API - usage details. + 5. The usage data is transformed into a readable table format and rendered in + the action output. - 5. **Output Generation**: The action returns the raw JSON response and renders - a formatted data table titled "Account Usage" within the Google SecOps case wall. + 6. If an error occurs during the API call, the action logs the error and fails + the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,8 +74,17 @@ Account Usage: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve account usage metrics from an + external API (fetches_data=true). It does not modify any external system state + (can_mutate_external_data=false). It does not update entities, create insights, + or modify alert data within the SOAR platform (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches account usage metrics for the integration itself, not supplemental + context about specific alerts or entities. Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -70,69 +100,65 @@ Account Usage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target entities; it performs a global check + on the integration's account usage. Advanced Query: - ai_description: >- - ### General Description - - The **Advanced Query** action executes a search using the Team Cymru Scout query - language to retrieve comprehensive summary information about network indicators. - It allows for flexible filtering by date ranges or relative day offsets and returns - detailed intelligence across multiple categories, including PDNS, open ports, - top peers, and SSL certificates. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Query** | String | Yes | A simple or advanced query following the Scout query - language (e.g., `comms.ip="1.1.1.1"`). | - - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD). Defaults - to 29 days ago if not provided. | - - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD). Defaults - to today. | - - | **Days** | String | No | Relative offset in days from current time. If provided, - this takes priority over Start/End dates. | - - | **Size** | String | No | The number of records to return (Maximum: 5000). | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the query string and optional - time/size filters from the user input. - - 2. **Validation:** It validates the date formats and ensures the requested range - does not exceed platform limits (e.g., a 30-day window). - - 3. **API Request:** The action sends a GET request to the Team Cymru Scout `/search` - endpoint. - - 4. **Data Processing:** The response is parsed to extract various intelligence - categories, including PDNS, open ports, top peers, service counts, fingerprints, - and SSL certificates. - - 5. **Output Generation:** The action populates multiple data tables in the SOAR - interface and provides the raw JSON response for further downstream processing. - - 6. **Usage Tracking:** It also retrieves and displays the current API account - usage to monitor query quotas. - - - ### Additional Notes - - - This action is standalone and does not automatically iterate over entities in - the SOAR case; the user must provide the specific query. - - - The **Days** parameter takes precedence over **Start Date** and **End Date** - if all are provided. - - - The maximum result size is capped at 5000 records. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches threat intelligence and summary information for indicators + (Enrich IOC) and performs a search against historical telemetry data (Search + Events). It does not perform any containment, ticket management, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Performs an advanced search query against the Team Cymru Scout\ + \ platform to retrieve summary information based on the Scout query language.\ + \ This action allows users to query historical telemetry data and retrieve detailed\ + \ threat intelligence summaries.\n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action extracts the mandatory `Query` string and optional parameters (`Start\ + \ Date`, `End Date`, `Days`, `Size`) from the action configuration.\n2. **Authentication**:\ + \ It authenticates with the Team Cymru Scout API using the configured credentials.\n\ + 3. **Data Retrieval**: It executes the search query against the Team Cymru Scout\ + \ API.\n4. **Data Processing**: The action processes the API response to generate\ + \ multiple data tables, including Summary Information, PDNS, Open Ports, Peers,\ + \ Service Counts, Fingerprints, and Certificates.\n5. **Result Generation**: It\ + \ adds the raw JSON response to the action results and renders the generated data\ + \ tables and an API usage report in the SOAR case.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Query |\ + \ string | Yes | A simple or advanced query as described by the Scout query language.\ + \ |\n| Start Date | string | No | The latest date for results (YYYY-MM-DD). Defaults\ + \ to 29 days prior to today. |\n| End Date | string | No | The earliest date for\ + \ results (YYYY-MM-DD). Defaults to today's date. |\n| Days | string | No | Relative\ + \ offset in days from current time. Takes priority over Start/End Date if provided.\ + \ |\n| Size | string | No | Size, in records, of the search results (Max 5000).\ + \ |\n\n### Additional Notes\n- The action does not operate on specific entities;\ + \ it runs based on the provided query string. \n- If `Days` is provided, it takes\ + \ precedence over `Start Date` and `End Date`." capabilities: can_create_case_comments: false can_create_insight: false @@ -143,8 +169,19 @@ Advanced Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to fetch search + results based on a query string. It does not modify any external systems (no + POST/PUT/DELETE). It does not modify internal SOAR case data (like entity attributes + or alert status), but rather adds result tables to the action output, which + is standard for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence and + historical telemetry) from an external source (Team Cymru Scout) based on a + query. It does not mutate external state and does not perform forbidden internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -160,51 +197,73 @@ Advanced Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It relies entirely on the + `Query` parameter provided by the user to perform its search. Enrich IPs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, tags) for IP addresses + and updates the entity profile. This directly matches the 'Enrich IOC' category. + It does not perform any other operations like ticket creation, host containment, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Enriches IP Address entities using threat intelligence from the Team Cymru Scout - platform. This action retrieves reputation ratings, tags, and last enrichment - timestamps to provide context for security investigations. + Enriches IP Address entities using the Team Cymru Scout platform. This action + retrieves threat intelligence, including reputation ratings and tags, for specified + IP addresses. It evaluates the risk of the IP and updates the entity's status + within the SOAR platform. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not take any input parameters. | - - - ### Additional Notes - - The action uses a 24-hour caching mechanism based on the 'TCS_last_enriched' property - to prevent redundant API calls. Enrichment data added to entities is prefixed - with 'TCS'. + ### Flow Description + 1. **Identify Entities**: The action retrieves all IP Address entities from the + current case. - ### Flow Description + 2. **Filter**: It checks if the entity has already been enriched in the last 24 + hours using the `TCS_last_enriched` property. If so, it skips the entity. - 1. **Entity Filtering**: The action identifies all `ADDRESS` entities in the current - context. + 3. **Fetch Data**: It queries the Team Cymru Scout API to retrieve summary information + for the valid IP addresses. - 2. **Cache Validation**: It checks the `TCS_last_enriched` property of each entity. - If the entity was enriched within the last 24 hours, it is skipped. + 4. **Update Entities**: For each IP, it updates the entity's `is_suspicious` status + based on the rating (malicious/suspicious) and adds enrichment data (tags, rating, + last enriched timestamp) to the entity's `additional_properties`. - 3. **Data Retrieval**: The action calls the Team Cymru Scout Foundation API to - retrieve summary information for the remaining IP addresses. + 5. **Finalize**: It updates the entities in the SOAR platform and adds the API + result to the action output. - 4. **Reputation Analysis**: It evaluates the 'rating' provided by the API. If - the rating is 'malicious' or 'suspicious', the entity's `is_suspicious` flag is - set to true. - 5. **Entity Enrichment**: The action updates the entity's `additional_properties` - with the retrieved data (prefixed with 'TCS') and sets the `is_enriched` flag. + ### Parameters - 6. **Platform Update**: Finally, it updates the entities in Google SecOps and - returns the raw summary data as a JSON result. + There are no input parameters for this action. It operates on the `target_entities` + provided in the case context. capabilities: can_create_case_comments: false can_create_insight: false @@ -215,10 +274,19 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields including 'is_suspicious', 'is_enriched', and populates - 'additional_properties' with enrichment data. + Updates entity properties (is_suspicious, is_enriched, and additional_properties) + within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the Team Cymru Scout API (fetches_data=true). + It updates entity properties (is_suspicious, is_enriched, and additional_properties) + within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not perform any mutations on external systems (can_mutate_external_data=false). categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (threat intelligence) for IP + entities and update them within the SOAR platform. It does not mutate external + systems and adheres to the constraints of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -235,48 +303,82 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == EntityTypes.ADDRESS`. It also checks + the `additional_properties` attribute to determine if an entity has already + been enriched within the last 24 hours. Extract Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (tags) for an IP address, which aligns + with the 'Enrich IOC' category. It does not perform any other actions like ticketing, + containment, or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action extracts tags from a specified IP address and its communicating peers - using the Team Cymru Scout service. It allows users to search for specific tags - within the retrieved data to identify potentially malicious or noteworthy associations. - This is useful for identifying if an IP or its immediate network neighborhood - is associated with known threats like malware or phishing. + This action extracts tags from a specified IP address and its associated peers + using the Team Cymru Scout API. It allows analysts to search for specific tags + within the IP's context to identify potential threats or relevant indicators. + The action retrieves detailed IP information, processes the tags, and returns + a list of IPs that match the specified search criteria. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Address | The IP address for which tags and peer information will be retrieved. - | String | Yes | + | IP Address | string | Yes | The IP address whose tags and peer tags need to + be extracted. | - | Tags to Search | A comma-separated list of tags (e.g., 'malware, phishing') - to look for in the results. | String | Yes | + | Tags to Search | string | Yes | A comma-separated string of tags to search for + within the tags associated with the IP and its peers. | ### Flow Description - 1. **Validation**: The action validates the format of the provided IP address - to ensure it is a valid IPv4 or IPv6 address. + 1. **Input Validation**: Validates the provided IP address format. - 2. **Data Retrieval**: It calls the Team Cymru Scout API's `get_ip_details` endpoint - to fetch comprehensive details for the IP, including its metadata and a list of - peer IPs it has communicated with. + 2. **Data Retrieval**: Queries the Team Cymru Scout API to fetch details for the + provided IP address. - 3. **Tag Extraction**: The logic processes the API response to compile a map of - IPs (the target and its peers) to their respective tags. + 3. **Processing**: Parses the API response to extract tags for the target IP and + its peers. - 4. **Tag Matching**: It performs an intersection between the tags found in the - response and the tags provided in the 'Tags to Search' parameter. + 4. **Matching**: Compares the extracted tags against the user-provided 'Tags to + Search' list. - 5. **Reporting**: If matches are found, it returns the matching IPs and tags in - JSON format and provides a summary message. It also renders a data table showing - the current API account usage statistics. + 5. **Output**: Returns a JSON result containing the matching IPs and their associated + tags, and renders a data table showing API usage statistics. capabilities: can_create_case_comments: false can_create_insight: false @@ -287,8 +389,17 @@ Extract Tags: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches IP details from an external API (Team Cymru Scout). It does + not mutate external systems or modify internal SOAR data (entities, insights, + etc.). It simply processes the retrieved data and returns the results via the + action result and output message. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) to provide + context (tags) for an IP address. It does not mutate external or internal data. + It fits the definition of an enrichment action as it gathers supplemental context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -304,16 +415,49 @@ Extract Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes an IP address as a parameter ('IP Address') rather than iterating + over 'siemplify.target_entities'. Therefore, it does not run on entities. Get Communications Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves communications information (reputation/context) for IP + addresses, which aligns with the 'Enrich IOC' category. It does not perform + any other actions like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Communications Info** action retrieves detailed network communication - and peer information for a specified list of IP addresses from the Team Cymru - Scout platform. This action is designed to provide visibility into the communication - patterns of an IP, including protocol details, client/server relationships, geographic - locations, and associated autonomous system (AS) information. It is primarily - used for network forensics and threat infrastructure mapping. + This action retrieves detailed communications information for specified IP addresses + from the Team Cymru Scout service. It allows analysts to query historical data + regarding network peers, services, and other communication patterns associated + with the provided IP addresses. ### Parameters Description @@ -322,58 +466,43 @@ Get Communications Info: | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch detailed communication information for. | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. Default is 10. | - - | **Start Date** | String | No | The earliest date for results in the range (formatted - YYYY-MM-DD in UTC). If not provided, defaults to 29 days prior to today. | - - | **End Date** | String | No | The latest date for results in the range (formatted - YYYY-MM-DD in UTC). If not provided, defaults to the current date. | + | IP Addresses | string | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - | **Days** | String | No | A relative offset in days from the current time. If - provided, this integer value takes priority over the Start and End date parameters. + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. | - | **Size** | String | No | The number of records to return per IP address (maximum - allowed is 1000). | - - - ### Additional Notes + | Start Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC. Defaults to 29 days prior to today. | - - **Date Constraints**: The `Start Date` cannot be older than 90 days from the - current time, and the total window between `Start Date` and `End Date` cannot - exceed 30 days. + | End Date | string | No | The latest date for results, formatted YYYY-MM-DD in + UTC. Defaults to today's date. | - - **Priority Logic**: The `Days` parameter, if provided, will override any values - entered in the `Start Date` and `End Date` fields. + | Days | string | No | Relative offset in days from the current time in UTC. This + takes priority over Start Date and End Date if provided. | - - **IP Validation**: The action automatically filters out duplicate and invalid - IP formats before making API requests. + | Size | string | No | The size, in records, of the search results. Maximum allowed + is 1000. | ### Flow Description - 1. **Initialization**: The action extracts the provided IP addresses, limits, - and time-range parameters from the environment. + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + integration configuration (API credentials, SSL verification settings). - 2. **Validation**: It validates the IP address formats and ensures the requested - date range complies with Team Cymru Scout's API limitations (e.g., the 30-day - window and 90-day history limit). + 2. **Input Validation**: It extracts and validates the provided IP addresses, + ensuring they are correctly formatted and handling duplicates or invalid entries. + It also validates optional date and size parameters. - 3. **API Interaction**: For each valid IP address (up to the specified limit), - the action performs a GET request to the Team Cymru Scout `/details` endpoint, - specifically requesting the `comms` (communications) section. + 3. **Data Retrieval**: It queries the Team Cymru Scout API (`/ip/{ip}/details`) + to fetch communications data for the valid IP addresses. - 4. **Data Processing**: The retrieved data is parsed to extract peer connection - details, including protocols, country codes, top services, and AS names. + 4. **Result Processing**: The action processes the API response, generating structured + data tables (e.g., Peers, Account Usage) and adding them to the action result + using `add_data_table`. - 5. **Output Generation**: The action produces a raw JSON result for further automation - and renders a detailed "Peers" data table in the Google SecOps interface. It also - provides an "Account Usage" table to track API quota consumption. + 5. **Completion**: The action logs the status and returns the final result to + the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -384,8 +513,17 @@ Get Communications Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve communications + information for IP addresses. It does not modify any external or internal system + state. It adds data tables to the action result for display purposes, which + is standard for enrichment actions and does not constitute internal data mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) and does + not mutate any external or internal state. It adds data tables to the result, + which is permitted for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -401,70 +539,85 @@ Get Communications Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameter 'IP Addresses' + rather than iterating over 'siemplify.target_entities'. Therefore, it does not + run on entities. Get Fingerprints Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves detailed fingerprint information for IP addresses, which + provides threat intelligence and context for the indicators. This aligns with + the 'Enrich IOC' category. It does not perform any other actions like ticketing, + blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed Fingerprints information for specified IP addresses from Team - Cymru Scout. This action allows security analysts to gather technical fingerprinting - data (such as SSL/TLS or SSH signatures) associated with network indicators to - assist in threat profiling and infrastructure analysis. + Retrieves detailed fingerprint information for specified IP addresses from Team + Cymru Scout. This action provides contextual intelligence regarding the fingerprints + associated with the provided indicators. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | Comma-separated list of IPv4 or IPv6 addresses - to investigate. Default is "1.1.1.1". | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. Default is "10". | - - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD in UTC). - Defaults to 29 days prior to today if not provided. | - - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD in UTC). - Defaults to today's date if not provided. | - - | **Days** | String | No | Relative offset in days (integer) from current time - in UTC. This takes priority over Start and End dates if all are provided. | - - | **Size** | String | No | The number of records to retrieve per search (Maximum - 1000). | + | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | + | Limit | String | Yes | The maximum number of valid IP addresses to be processed. + | - ### Additional Notes + | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today. | - - The action performs validation on the IP formats and date ranges before making - API calls. + | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | - - If the number of valid IPs provided exceeds the **Limit**, the additional IPs - are skipped and noted in the output message. + | Days | String | No | Relative offset in days from current time. Takes priority + over Start/End Date if provided. | - - The **Days** parameter, if provided, will override any values provided in the - **Start Date** and **End Date** parameters. + | Size | String | No | Size of the search results (max 1000). | - ### Flow Description + ### Flow - 1. **Input Validation**: The action parses the `IP Addresses` parameter, removes - duplicates, and validates the format of each IP. It also validates date and size - parameters. + 1. Extracts integration configuration and action parameters. - 2. **API Connection**: Establishes a connection to the Team Cymru Scout API using - the configured authentication method (API Key or Username/Password). + 2. Validates the provided IP addresses and optional date/size parameters. - 3. **Data Fetching**: Iterates through the valid IPs (up to the `Limit`) and requests - detailed fingerprint information for each from the Team Cymru Scout service. + 3. Queries the Team Cymru Scout API for fingerprint details for each valid IP. - 4. **Result Compilation**: Aggregates the API responses into a JSON object and - formats the data into "Fingerprints" and "Account Usage" data tables. + 4. Processes the API response to generate data tables (Fingerprints, Account Usage). - 5. **Action Completion**: Returns a success or failure status along with a detailed - output message summarizing the results for each IP. + 5. Renders the data tables and adds the raw JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -475,8 +628,18 @@ Get Fingerprints Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve fingerprint + information for provided IP addresses. It does not modify any external systems + or internal SOAR data (entities, alerts, or cases). It only renders data tables + and adds result JSON to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data (fingerprints) for IP addresses + from an external source. It does not mutate any external or internal state, + and it does not perform any forbidden actions like pinging or downloading files. + Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -492,54 +655,115 @@ Get Fingerprints Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameter 'IP Addresses' + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not operate on entities. Get IP Details: - ai_description: "### General Description\nRetrieves comprehensive threat intelligence\ - \ for specific IP addresses from Team Cymru Scout. This action provides deep visibility\ - \ into IP-related data, including WHOIS information, Passive DNS (PDNS) records,\ - \ open ports, SSL/TLS certificates, and peer communication patterns. It is designed\ - \ to assist analysts in investigating the reputation and historical behavior of\ - \ network indicators.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses** | String\ - \ | Yes | A comma-separated list of IPv4 or IPv6 addresses to investigate. |\n\ - | **Limit** | String | Yes | The maximum number of valid IP addresses to process\ - \ in a single execution (default is 10). |\n| **Start Date** | String | No | The\ - \ earliest date for results (YYYY-MM-DD). Defaults to 29 days prior to today if\ - \ not specified. |\n| **End Date** | String | No | The latest date for results\ - \ (YYYY-MM-DD). Defaults to today's date. |\n| **Days** | String | No | A relative\ - \ offset in days from the current time. **Note:** This parameter takes priority\ - \ over Start Date and End Date if all three are provided. |\n| **Size** | String\ - \ | No | The number of records to return for specific search results (e.g., PDNS\ - \ or Ports). Maximum allowed value is 1000. |\n\n### Flow Description\n1. **Validation:**\ - \ The action parses the input IP addresses, removes duplicates, and validates\ - \ the format (IPv4/IPv6). It also validates date formats and the 'Days' offset.\n\ - 2. **Authentication:** Connects to the Team Cymru Scout API using either API Key\ - \ or Username/Password credentials.\n3. **Data Retrieval:** For each valid IP\ - \ address (up to the specified limit), the action performs a GET request to the\ - \ Scout API to fetch detailed intelligence.\n4. **Data Processing:** Aggregates\ - \ the API response, which includes sections for WHOIS, PDNS, communications, open\ - \ ports, fingerprints, and X.509 certificates.\n5. **Output Generation:** \n \ - \ * Adds the raw JSON response to the action results.\n * Generates and\ - \ attaches multiple data tables to the Google SecOps case (Summary, Insights,\ - \ PDNS, Peers, Ports, Fingerprints, and Certificates).\n * Creates an 'Account\ - \ Usage' table to track API quota consumption.\n\n### Additional Notes\n- The\ - \ action handles API rate limiting (429) and server errors (500+) with a built-in\ - \ retry mechanism and backoff factor.\n- If the number of valid IPs exceeds the\ - \ 'Limit' parameter, the extra IPs are skipped and noted in the output message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and threat intelligence (PDNS, + open ports, etc.) for IP indicators. This directly matches the 'Enrich IOC' + category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The 'Get IP Details' action retrieves comprehensive threat intelligence and contextual + information for specified IP addresses using the Team Cymru Scout service. This + action allows analysts to query historical data, including PDNS, open ports, peer + communications, and WHOIS information, to assist in incident investigation and + threat hunting. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | + + | Limit | String | Yes | The maximum number of valid IP addresses to process. + | + + | Start Date | String | No | The start date for the query in YYYY-MM-DD format. + Defaults to 29 days prior to today. | + + | End Date | String | No | The end date for the query in YYYY-MM-DD format. Defaults + to today's date. | + + | Days | String | No | Relative offset in days from the current time. Takes priority + over Start/End Date if provided. | + + | Size | String | No | The number of records to return (max 1000). | + + + ### Flow Description + + 1. **Initialization**: The action extracts configuration parameters (API credentials) + and action inputs (IPs, dates, limits). + + 2. **Validation**: It validates the provided IP addresses, ensuring they are correctly + formatted and removing duplicates. It also validates date ranges and optional + parameters. + + 3. **Data Retrieval**: The action iterates through the valid IP addresses and + performs API calls to the Team Cymru Scout service to fetch detailed information. + + 4. **Data Processing**: The retrieved data is processed and organized into structured + tables (e.g., Summary, PDNS, Open Ports, Peers, Fingerprints, Certificates). + + 5. **Output**: The action renders the data tables in the SOAR case and adds the + raw JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds multiple data tables to the Google SecOps case, including Summary Information, - Insights, Top PDNS, Top Peers, Top Open Ports, Top Fingerprints, Top Certificates, - and Account Usage. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve IP + intelligence. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR data (no entity updates, no insight creation, + no case comments). It simply renders data tables for the analyst to review. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it fetches contextual data about + indicators (IPs) from an external source and displays it without modifying any + external or internal state. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -555,91 +779,122 @@ Get IP Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameters ('IP Addresses') + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not run on entities. Get PDNS Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves PDNS information for IP addresses, which provides threat + intelligence and context for an indicator. This aligns with the 'Enrich IOC' + category. It does not perform any other actions like ticket creation, host containment, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves detailed Passive DNS (PDNS) information for specified IP addresses using + the Team Cymru Scout service. This action allows analysts to query historical + DNS data associated with IP addresses to aid in threat investigation and infrastructure + analysis. - The **Get PDNS Info** action retrieves detailed Passive DNS (PDNS) information - for a specified list of IP addresses from the Team Cymru Scout platform. This - action is used to uncover historical domain associations, providing visibility - into which domains have resolved to the target IPs over time. It is particularly - useful for threat hunting and incident investigation to identify potentially malicious - infrastructure or related domains. + ### Flow Description - ### Parameters Description + 1. **Input Extraction**: The action extracts the provided IP addresses, limit, + and optional date/size parameters from the action configuration. - | Parameter | Description | Type | Mandatory | + 2. **Validation**: It validates the format of the IP addresses and optional date/size + parameters (e.g., ensuring dates are in YYYY-MM-DD format and within allowed ranges). - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: It initializes the API manager and performs a GET request + to the Team Cymru Scout API to fetch PDNS details for the valid IP addresses. - | **IP Addresses** | A comma-separated list of IPv4 or IPv6 addresses to fetch - PDNS information for. | String | Yes | + 4. **Data Processing**: The action processes the API response, extracting relevant + PDNS records. - | **Limit** | The maximum number of valid IP addresses to process in a single - execution. Default is 10. | String | Yes | + 5. **Result Generation**: It generates data tables (PDNS Information, Account + Usage) and adds the raw JSON response to the action results for the analyst to + review. - | **Start Date** | The latest date for results, formatted as YYYY-MM-DD in UTC. - If omitted, it defaults to 29 days prior to the current date. | String | No | + 6. **Completion**: The action concludes by providing a summary message indicating + the success or failure of the operation. - | **End Date** | The earliest date for results, formatted as YYYY-MM-DD in UTC. - If omitted, it defaults to the current date. | String | No | - | **Days** | An integer representing a relative offset in days from the current - time. This parameter takes priority over Start Date and End Date if all are provided. - | String | No | + ### Parameters - | **Size** | The number of records to return in the search results (maximum 1000). - | String | No | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - 1. **Initialization:** The action extracts the provided IP addresses and configuration - parameters from the SOAR environment. + | Limit | String | Yes | The maximum number of valid IP addresses to be allowed. + | - 2. **Validation:** It validates the IP address formats and ensures date/day parameters - are within valid ranges (e.g., Start Date must be within the last 90 days, and - the range cannot exceed 30 days). + | Start Date | String | No | The earliest date for results, formatted YYYY-MM-DD + in UTC time. | - 3. **API Request:** For each valid IP address (up to the defined limit), the action - sends a GET request to the Team Cymru Scout API's IP details endpoint, specifically - requesting the 'pdns' section. + | End Date | String | No | The latest date for results, formatted YYYY-MM-DD in + UTC time. | - 4. **Data Processing:** The action parses the API response to extract domain names, - event counts, and first/last seen timestamps for each IP. + | Days | String | No | Relative offset in days (integer) from current time in + UTC. Takes priority over Start/End Date if provided. | - 5. **Reporting:** It generates a JSON result containing the raw data and renders - two data tables: "PDNS" (containing the extracted records) and "Account Usage" - (showing API quota information). + | Size | String | No | Size, in records, of the search results (Max 1000). | ### Additional Notes - - The action supports both IPv4 and IPv6 addresses. - - - If the number of valid IPs exceeds the `Limit`, the extra IPs are skipped and - a warning is logged. - - - The `Days` parameter is the preferred way to define the search window and will - override specific date inputs if both are provided. - - - This action does not run on existing SecOps entities but rather on the list - of IPs provided in the parameters. + - The action does not modify any external or internal systems; it is strictly + for information retrieval. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables for PDNS Information and Account Usage to the Google - SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve PDNS + information for provided IP addresses. It does not modify any external systems + (no POST/PUT/DELETE) nor does it modify internal SOAR case data (entities, insights, + or comments). It only renders data tables in the action results. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual threat intelligence (PDNS data) for + IP addresses. It does not mutate external systems, nor does it perform any restricted + internal mutations. It fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -655,88 +910,92 @@ Get PDNS Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameters ('IP Addresses') + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not run on entities. Get Ports Info: - ai_description: >- - ### General Description - - Retrieves detailed open port information for specified IP addresses from Team - Cymru Scout. This action allows users to input a list of IPv4 or IPv6 addresses - to fetch historical and current port data, including service names, port numbers, - protocols, and first/last seen timestamps. The results are presented as a JSON - object and formatted into 'Open Ports' and 'Account Usage' data tables within - the Google SecOps case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses - to fetch information for. | - - | Limit | String | Yes | The maximum number of valid IP addresses to be allowed - for processing. Default is 10. | - - | Start Date | String | No | The latest date for results, formatted YYYY-MM-DD - in UTC. If not provided, defaults to 29 days prior to today. | - - | End Date | String | No | The earliest date for results, formatted YYYY-MM-DD - in UTC. If not provided, defaults to today's date. | - - | Days | String | No | Relative offset in days (integer) from current time in - UTC. This takes priority over Start Date and End Date if all three are provided. - | - - | Size | String | No | Size, in records, of the search results per IP. The maximum - allowed size is 1000. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the list of IP addresses, processing - limits, and date filters from the user input. - - 2. **IP Validation:** It validates each IP address format, filters out duplicates, - and ensures the number of IPs processed does not exceed the specified `Limit`. - - 3. **Date Validation:** It validates the date range or relative day offset to - ensure they fall within the supported 90-day window and 30-day range limit. - - 4. **API Request:** It sends a GET request to the Team Cymru Scout API for each - valid IP, specifically targeting the 'open_ports' section. - - 5. **Data Processing:** The action parses the returned JSON to extract service - names, port numbers, protocols, and observation dates. - - 6. **Result Reporting:** It attaches the raw JSON response to the action, generates - an 'Open Ports' data table for the case, and provides an 'Account Usage' table - showing remaining API quota. - - - ### Additional Notes - - - The `Days` parameter, if provided, overrides the `Start Date` and `End Date` - parameters. - - - The maximum allowed `Size` for records is 1000. - - - This action does not automatically iterate over entities in the case; it processes - the specific IPs provided in the `IP Addresses` parameter. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches threat intelligence (open ports information) for an IP address. + This matches the 'Enrich IOC' category as it provides contextual intelligence + for an indicator. It does not perform any other actions like ticketing, blocking, + or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Get Ports Info** action retrieves\ + \ detailed open ports information for specified IP addresses from the Team Cymru\ + \ Scout service. This action allows analysts to gather threat intelligence regarding\ + \ network services and open ports associated with an IP, which is critical for\ + \ identifying potential attack vectors or unauthorized services.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| IP Addresses | string | Yes | A comma-separated list of IP\ + \ addresses (IPv4 or IPv6) to fetch information for. |\n| Limit | string | Yes\ + \ | The maximum number of valid IP addresses to process. |\n| Start Date | string\ + \ | No | The latest date for results (YYYY-MM-DD). Defaults to 29 days prior to\ + \ today. |\n| End Date | string | No | The earliest date for results (YYYY-MM-DD).\ + \ Defaults to today's date. |\n| Days | string | No | Relative offset in days\ + \ from current time. Takes priority over Start/End Date if provided. |\n| Size\ + \ | string | No | The size, in records, of the search results (max 1000). |\n\n\ + ### Additional Notes\n- The action validates the provided IP addresses and dates.\ + \ \n- If `Days` is provided, it takes priority over `Start Date` and `End Date`.\n\ + - The action renders multiple data tables in the SOAR case, including Open Ports\ + \ information and Account Usage statistics.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `SiemplifyAction` and retrieves integration parameters\ + \ (API credentials).\n2. **Validation**: It validates the input IP addresses and\ + \ optional date/size parameters.\n3. **API Interaction**: It connects to the Team\ + \ Cymru Scout API using the `ApiManager` to fetch detailed port information for\ + \ the valid IPs.\n4. **Data Processing**: It processes the API response, handling\ + \ any errors or invalid IPs.\n5. **Output**: It adds the raw JSON response to\ + \ the action result and renders data tables (e.g., Open Ports, Account Usage)\ + \ for the analyst to review." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds 'Open Ports' and 'Account Usage' data tables to the Google SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Team Cymru Scout API based on user-provided + IP addresses. It does not mutate any external systems (no POST/PUT/DELETE). + It does not mutate internal SOAR data (it does not update entities, create insights, + or add case comments). It only adds result JSON and renders data tables for + reporting purposes. categories: enrichment: false + reasoning: >- + The action fetches data, but it does not run on entities (it uses an input parameter) + and does not update entity, case, or alert data. Therefore, it does not meet + the criteria for an Enrichment Action in the context of SOAR entity enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -752,15 +1011,51 @@ Get Ports Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses from the 'IP Addresses' action parameter, not + from the `target_entities` list. Therefore, it does not run on entities. Get Proto Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves protocol information for IP addresses, which provides threat + intelligence and context. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like updating tickets, blocking IPs, or modifying + alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves detailed protocol information for a list of IP addresses from Team Cymru - Scout. This action is designed to provide visibility into the types of network - protocols associated with specific IPs, aiding in network traffic analysis and - security investigations. It allows users to query protocol data over a specific - time window or a relative number of days. + The **Get Proto Info** action retrieves detailed protocol information for specified + IP addresses from the Team Cymru Scout service. This action allows analysts to + query historical protocol data, providing visibility into network communications + associated with specific IP addresses. The results are presented in structured + data tables within the action output, facilitating quick analysis of network behavior. ### Parameters Description @@ -769,53 +1064,53 @@ Get Proto Info: | :--- | :--- | :--- | :--- | - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to be queried. | + | IP Addresses | string | Yes | A comma-separated list of IP addresses (IPv4 or + IPv6) to fetch information for. | - | Limit | String | Yes | The maximum number of valid IP addresses to process from - the input list. Default is 10. | + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). Defaults to 29 days prior to today. | + | Start Date | string | No | The latest date for results, formatted YYYY-MM-DD + in UTC. Defaults to 29 days prior to today. | - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). Defaults to today. | + | End Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC. Defaults to today's date. | - | Days | String | No | Relative offset in days from the current time. If provided, - this value takes precedence over Start Date and End Date. | + | Days | string | No | Relative offset in days from the current time. This takes + priority over Start Date and End Date if provided. | - | Size | String | No | The number of records to return per IP address (maximum + | Size | string | No | The number of records to return in the search results (max 1000). | ### Additional Notes - - The action performs validation on the provided IP addresses, filtering out invalid - formats and removing duplicates. + - The action validates the provided IP addresses and date formats before making + API calls. - - The time difference between the start and end dates must not exceed 30 days. + - If both `Start Date` and `End Date` are provided, they must be within a 30-day + range. - - The action provides information on API usage, including remaining query counts, - via an 'Account Usage' table. + - The `Days` parameter, if provided, overrides the `Start Date` and `End Date` + parameters. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the IP addresses, limit, and - date-related parameters from the user input. + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + integration configuration parameters (API credentials). - 2. **Validation**: It validates the IP addresses and date ranges, ensuring they - meet the integration's requirements (e.g., date range < 30 days). + 2. **Validation**: It validates the input IP addresses and optional parameters + (Start Date, End Date, Days, Size) using internal validation logic. - 3. **API Interaction**: For each valid IP address (up to the defined limit), the - action sends a GET request to the Team Cymru Scout API's protocol information - endpoint (`proto_by_ip`). + 3. **API Interaction**: It calls the Team Cymru Scout API to fetch protocol information + for the valid IP addresses. - 4. **Data Processing**: The retrieved protocol data is processed and formatted - into a structured JSON response. + 4. **Data Processing**: The API response is processed, and relevant data tables + (e.g., Proto By IP) are generated. - 5. **Reporting**: The action generates a 'Proto By IP' data table and an 'Account - Usage' table, which are attached to the Google SecOps case for review. + 5. **Output**: The action renders the data tables in the action result and adds + the raw JSON response to the result object. capabilities: can_create_case_comments: false can_create_insight: false @@ -826,8 +1121,18 @@ Get Proto Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches protocol information from an external API (Team Cymru Scout) + and renders it into data tables. It does not mutate external systems, update + entities, create insights, or modify alert data. It is a read-only enrichment + action. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (protocol information) about IP addresses + from an external source and displays it to the user. It does not mutate external + systems or internal SOAR data (entities, insights, etc.). It meets the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -843,72 +1148,90 @@ Get Proto Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a string input parameter (`IP Addresses`) rather + than operating on `siemplify.target_entities`. Therefore, it does not run on + specific entity types. Get Whois Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves Whois information for IP addresses, which provides context + and threat intelligence. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Whois Info** action retrieves detailed Whois information for a list - of provided IP addresses from the Team Cymru Scout platform. This action is designed - to provide security analysts with ownership and registration context, including - Autonomous System Numbers (ASN), AS names, BGP information, network names, and - organizational contact details (admin, tech, and abuse). - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + Retrieves detailed Whois information for specified IP addresses from the Team + Cymru Scout service. This action provides contextual intelligence regarding the + ownership and network details of the provided indicators. - | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch Whois information for. | + ### Flow Description - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - from the input list (default is 10). | + 1. **Input Extraction**: The action extracts the provided IP addresses, limit, + and optional date/size parameters from the action configuration. - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD). If - not provided, defaults to 29 days prior to today. | + 2. **Validation**: It validates the format of the IP addresses and the provided + date ranges. - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD). If - not provided, defaults to today's date. | + 3. **API Interaction**: It performs a GET request to the Team Cymru Scout API + to fetch Whois details for the valid IP addresses. - | **Days** | String | No | Relative offset in days (integer) from current time. - If provided, this takes priority over Start Date and End Date. | + 4. **Result Processing**: The raw API response is added to the action's JSON results. - | **Size** | String | No | The number of records to return in the search results - (maximum allowed is 1000). | + 5. **Data Presentation**: The action generates and renders a data table containing + the retrieved Whois information (e.g., ASN, Org Name, Contact IDs) for the analyst + to review. - ### Flow Description + ### Parameters - 1. **Initialization**: The action extracts the provided IP addresses and configuration - parameters (Limit, Dates, Size). + | Parameter | Type | Mandatory | Description | - 2. **Validation**: It validates the format of the IP addresses and ensures the - date parameters (Start Date, End Date, Days) are within acceptable ranges (e.g., - Start Date not older than 90 days and date range not exceeding 30 days). + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: For each valid IP address (up to the specified limit), - the action performs a GET request to the Team Cymru Scout API to fetch detailed - IP information. + | IP Addresses | string | Yes | The IP address(es) to fetch detailed information + for. Supports IPv4 and IPv6. | - 4. **Processing**: The action specifically extracts the "Whois" section from the - API response for each IP. + | Limit | string | Yes | The maximum number of valid IP addresses to be allowed. + | - 5. **Output Generation**: - * Adds the raw API response as a JSON result. - * Generates a data table named "Whois" containing ASN, Org Name, and contact - IDs. - * Generates a data table named "Account Usage" showing remaining API query - limits. + | Start Date | string | No | The latest date for results, formatted YYYY-MM-DD + in UTC time. Defaults to 29 days prior to today. | - ### Additional Notes + | End Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC time. Defaults to today's date. | - * If the number of valid IPs exceeds the **Limit**, the extra IPs are skipped - and a warning is logged. + | Days | string | No | Relative offset in days from current time in UTC. Takes + priority over Start/End Date if provided. | - * The **Days** parameter, if provided, overrides the **Start Date** and **End - Date** parameters. + | Size | string | No | Size, in records, of the search results. Maximum allowed + size is 1000. | capabilities: can_create_case_comments: false can_create_insight: false @@ -919,8 +1242,16 @@ Get Whois Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve Whois information for IP addresses. + It does not modify external systems or internal case data (other than adding + result tables, which is standard reporting). categories: enrichment: true + reasoning: >- + The action fetches data (Whois info) and presents it in tables. It does not + mutate external systems or modify internal case data. It fits the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -936,78 +1267,96 @@ Get Whois Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a string input parameter rather than operating + on `siemplify.target_entities`. Therefore, it does not run on specific entity + types. Get X509 Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (X509 certificate information) for + IP addresses, which are indicators of compromise (IOCs). This aligns with the + 'Enrich IOC' category as it provides threat intelligence context for the indicator. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed X509 certificate information for specified IP addresses using - the Team Cymru Scout threat intelligence platform. This action allows analysts - to investigate SSL/TLS certificates associated with an IP, providing visibility - into certificate subjects, issuers, validity periods, and fingerprints. This data - is crucial for identifying malicious infrastructure, verifying host identities, - or detecting certificate-related anomalies during an investigation. + Retrieves detailed X509 certificate information for specified IP addresses from + the Team Cymru Scout service. This action allows analysts to query historical + X509 data associated with IP addresses to support threat investigation and infrastructure + analysis. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch certificate information for. | + 1. **Parameter Extraction**: The action extracts the required IP addresses, limit, + and optional date/size parameters from the action configuration. - | Limit | String | Yes | The maximum number of valid IP addresses to process in - a single execution. Must be a positive integer. | + 2. **Validation**: It validates the provided IP addresses and optional date/size + parameters to ensure they meet the required formats and constraints. - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). If not provided, defaults to 29 days prior to today. | + 3. **API Interaction**: It queries the Team Cymru Scout API to fetch X509 certificate + details for the valid IP addresses. - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). If not provided, defaults to today's date. | + 4. **Data Processing**: The retrieved data is processed and formatted into readable + tables. - | Days | String | No | An integer representing a relative offset in days from - the current time in UTC. If provided, this parameter takes priority over Start - Date and End Date. | + 5. **Result Generation**: The action renders the data tables in the SOAR platform + and adds the raw JSON response to the action results for further analysis. - | Size | String | No | The number of records to return in the search results. - The maximum allowed size is 1000. | + ### Parameters - ### Additional Notes - - - The action performs validation on all input IP addresses, filtering out duplicates - and invalid formats before processing. + | Parameter | Type | Mandatory | Description | - - If the number of valid IP addresses provided exceeds the specified 'Limit', - the additional IPs will be skipped. + | :--- | :--- | :--- | :--- | - - The 'Days' parameter acts as a priority filter, overriding any values provided - in the 'Start Date' or 'End Date' parameters. + | IP Addresses | string | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | - ### Flow Description + | Start Date | string | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today. | - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - integration configuration parameters such as API keys or credentials. + | End Date | string | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | - 2. **Parameter Extraction**: It extracts the target IP addresses and search filters - (dates, limit, size) from the action parameters. + | Days | string | No | Relative offset in days from current time. Takes priority + over Start/End Date if provided. | - 3. **Validation**: The script validates the IP address formats and ensures that - date ranges and size limits are within the allowed thresholds defined by the Team - Cymru Scout API. + | Size | string | No | Size of the search results (max 1000). | - 4. **API Request**: For each valid IP address (up to the defined limit), the action - sends a GET request to the Team Cymru Scout API endpoint, specifically requesting - the 'x509' data section. - 5. **Data Parsing**: The received JSON response is parsed to extract certificate - details, including Subject, Issuer, Validity Period, and Fingerprints. + ### Additional Notes - 6. **Output Generation**: The action generates a 'Certificates' data table and - an 'Account Usage' table for the SOAR case wall. It also attaches the raw JSON - response to the action results for use in subsequent playbook steps. + This action does not modify any internal SOAR data or external systems. It is + strictly a data retrieval and visualization action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1018,8 +1367,18 @@ Get X509 Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve X509 + information. It does not perform any POST/PUT/DELETE operations on external + systems (can_mutate_external_data=false). It does not update entities, create + insights, or modify alert data within the SOAR platform (can_mutate_internal_data=false). + It simply renders data tables for the analyst to view. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not meet the strict criteria for an 'Enrichment + Action' because it does not update entity fields, create insights, or add case + comments. It is purely a data retrieval and display action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1035,59 +1394,76 @@ Get X509 Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a direct input parameter from the user and + does not iterate over or process the `target_entities` list from the SOAR case. + Therefore, it does not run on entities. List IP Summary: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and summary information for IP addresses, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **List IP Summary** action retrieves comprehensive summary information for - a user-provided list of IP addresses from the Team Cymru Scout platform. It is - designed to provide quick visibility into the reputation, geographic location, - and associated threat intelligence for multiple IPs simultaneously, without requiring - existing entities in the Google SecOps context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Addresses** | String | Yes | A comma-separated list of IP addresses to - be queried (e.g., "1.1.1.1, 8.8.8.8"). | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - from the provided list. This helps manage API usage and performance. | + Fetches summary information for a list of IP addresses from Team Cymru Scout. + This action retrieves threat intelligence, including geo-location, ASN, and insights, + and renders the results as data tables within the action output. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the list of IP addresses and - the processing limit from the user input. + 1. The action extracts the provided list of IP addresses and the processing limit + from the action parameters. - 2. **Validation:** It validates the format of each IP address, identifies duplicates, - and filters out invalid entries. + 2. It validates the IP addresses to ensure they are in the correct format. - 3. **Batching:** The valid IP addresses are grouped into batches (up to 10 per - batch) to optimize API communication. + 3. It calls the Team Cymru Scout API to retrieve summary information for the valid + IP addresses. - 4. **API Interaction:** The action sends GET requests to the Team Cymru Scout - `/ip/foundation` endpoint for each batch. + 4. The action processes the API response, handling any errors or batching requirements. - 5. **Data Aggregation:** Results from all batches are aggregated into a single - dataset. + 5. It renders the retrieved data as tables (Summary Information, Insights) in + the action result. - 6. **Output Generation:** The action populates the action results with a JSON - summary and creates multiple data tables, including "Summary Information for IPs", - "Insights", and "Account Usage". + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - This action does not automatically process entities from the Google SecOps context; - it relies entirely on the manually provided "IP Addresses" parameter. + | :--- | :--- | :--- | :--- | - - If the number of valid IPs exceeds the specified "Limit", the extra IPs are - skipped, and a warning is logged. + | IP Addresses | string | Yes | A comma-separated list of IP addresses to be fetched. + | + + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | capabilities: can_create_case_comments: false can_create_insight: false @@ -1098,8 +1474,16 @@ List IP Summary: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches IP summary data from the Team Cymru Scout API (fetches_data=true). + It does not perform any mutations on external systems or internal SecOps data + (no entity updates, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) and does + not mutate any external or internal systems. It provides contextual information + about IPs, fitting the enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1115,28 +1499,63 @@ List IP Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes a string of IP addresses as an input parameter. It does not + operate on `siemplify.target_entities`. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Team Cymru Scout platform. Its primary purpose is to ensure\ - \ that the integration parameters (such as API keys or credentials) are correct\ - \ and that the Team Cymru Scout API is reachable.\n\n### Parameters Description\n\ - This action does not require any input parameters. It utilizes the global integration\ - \ configuration settings (Authentication Type, API Key, Username, Password, and\ - \ Verify SSL) to perform the connectivity test.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify environment and retrieves the integration's\ - \ configuration parameters.\n2. **API Manager Setup**: An `ApiManager` instance\ - \ is created using the provided authentication details (either Token-based or\ - \ Basic Auth).\n3. **Connectivity Test**: The action calls the `api_usage` method,\ - \ which sends a GET request to the Team Cymru Scout `/usage` endpoint.\n4. **Result\ - \ Evaluation**: \n * If the API returns a successful response (HTTP 200), the\ - \ action concludes with a success message indicating a valid connection.\n \ - \ * If an exception occurs or the API returns an error (e.g., 401 Unauthorized),\ - \ the action captures the error details and reports a failure.\n5. **Finalization**:\ - \ The action ends by returning the execution status and a descriptive output message\ - \ to the SOAR interface.\n\n### Additional Notes\n* This action is strictly for\ - \ testing purposes and does not process any entities or modify data in either\ - \ Google SecOps or Team Cymru Scout." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + category operations such as enrichment, containment, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Tests the connectivity and configuration of the Team Cymru Scout integration. + This action performs a GET request to the integration's API usage endpoint to + verify that the provided credentials are valid and that the service is reachable. + It does not perform any data enrichment or modifications to external or internal + systems. + + + ### Parameters + + There are no parameters for this action. + + + ### Flow Description + + 1. Retrieves integration configuration parameters (API Key/Credentials). + + 2. Initializes the API Manager with the provided credentials. + + 3. Executes a connectivity test by calling the API usage endpoint. + + 4. Returns a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -1147,8 +1566,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to verify connectivity + and check account usage. It does not modify any external or internal data, nor + does it interact with entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is used to test connectivity. Per the instructions, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1164,3 +1590,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..bd8327983 --- /dev/null +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml @@ -0,0 +1,26 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Team Cymru Scout integration provides threat intelligence data, including + reputation, tags, historical telemetry, PDNS, WHOIS, and X509 information for + IP addresses and domains. Threat Intelligence: The integration is a primary source + of enrichment for external indicators (IPs, domains), providing reputation, risk + scores, and historical context, which directly matches the Threat Intelligence + category. SIEM: The integration provides access to historical telemetry and netflow + data, enabling analysts to investigate if an IOC has been seen globally and identify + the source of suspicious activity, aligning with the SIEM category. Other Categories: + The integration does not perform EDR (no host/process-level activity), Network + Security (no firewall/WAF log retrieval or blocking), Email Security, IAM, Cloud + Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration, as + it focuses exclusively on external threat intelligence and historical telemetry + retrieval. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml index 51cdb5996..baef2854e 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml @@ -1,37 +1,71 @@ Get Bot Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves bot configuration details from the Telegram API. It does + not match any of the defined categories such as Enrich IOC, Enrich Asset, or + Alert management, as it is a utility action for verifying integration settings. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves the configuration details of the Telegram bot associated with the provided - API token. This action is used to verify the bot's identity and connectivity status - by fetching its metadata from the Telegram API. + This action retrieves the configuration details of the configured Telegram bot. + It is primarily used to verify the connectivity and validity of the Telegram API + token provided in the integration settings. - ### Parameters + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - There are no action-specific parameters for this action. It relies on the 'API - Token' configured at the integration level. + | API Token | String | Yes | The API token used to authenticate with the Telegram + Bot API. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the 'API Token' from the - Telegram integration settings. + 1. The action initializes the `TelegramManager` using the provided API token. - 2. **API Interaction**: It utilizes the `TelegramManager` to call the Telegram - `getMe` endpoint. + 2. It executes a `GET` request to the Telegram API's `/getMe` endpoint. - 3. **Data Retrieval**: The action fetches bot-specific information, including - the bot's unique ID, name, and username. + 3. The response, containing the bot's details, is captured and returned as a JSON + result. - 4. **Output**: The retrieved bot details are added to the action's JSON results - for visibility. + 4. The action concludes by logging the status and returning the result to the + SOAR platform. ### Additional Notes - This action does not process entities and is primarily diagnostic or informational - in nature. + This action is a utility operation and does not perform any modifications to external + systems or internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -42,8 +76,17 @@ Get Bot Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve bot information. + It does not modify external systems, update entities, or create insights. It + is a read-only operation used for configuration verification. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not gather supplemental context about + alerts or entities. It is a utility action for verifying integration connectivity + and configuration. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -59,46 +102,58 @@ Get Bot Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global utility action + that operates independently of the case or alert entities. Get Chat Details: - ai_description: >- - ### General Description - - Retrieves detailed information about a specific Telegram chat (group, channel, - or private chat) using its unique ID or username. This action is primarily used - to gather metadata about a chat, such as its title, type, and invite link, which - can be useful for investigation or automated reporting. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | String | Yes | The unique identifier or username of the target Telegram - chat (e.g., '123456' or '@my_channel'). | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the Telegram Bot API Token from - the integration configuration and the Chat ID from the action parameters. - - 2. **API Interaction**: It initializes the Telegram Manager and calls the `/getChat` - endpoint of the Telegram Bot API using a GET request. - - 3. **Data Processing**: Upon a successful response, the action extracts the chat's - invite link from the result payload. - - 4. **Result Reporting**: The action adds the invite link as a clickable resource - in the SOAR interface and attaches the full JSON response containing all chat - details to the action result. - - - ### Additional Notes - - This action does not run on entities; it requires a manual input of the Chat ID - parameter. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves chat details from Telegram. It does not match any of the + defined categories such as 'Enrich IOC', 'Enrich Asset', 'Create Ticket', or + 'Get Alert Information' (as it retrieves chat info, not alert info). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves detailed information\ + \ about a specific Telegram chat using the Telegram Bot API. It is designed to\ + \ fetch metadata, such as the invite link, for a given chat identifier. This action\ + \ is useful for gathering context about communication channels within the Telegram\ + \ platform.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Chat ID | string | Yes | The unique identifier\ + \ or username of the Telegram chat to retrieve details for. |\n\n### Flow Description\n\ + 1. **Initialization**: The action extracts the `API Token` from the integration\ + \ configuration and the `Chat ID` from the action parameters.\n2. **Data Retrieval**:\ + \ It initializes the `TelegramManager` and calls the `get_chat_details` method,\ + \ which performs a GET request to the Telegram API (`/getChat`).\n3. **Result\ + \ Processing**: \n * If successful, it extracts the `invite_link` from the\ + \ response.\n * It adds the invite link to the action results using `add_link`.\n\ + \ * It adds the full JSON response to the action results using `add_result_json`.\n\ + 4. **Completion**: The action concludes by setting the execution status to completed\ + \ or failed based on the API response." capabilities: can_create_case_comments: false can_create_insight: false @@ -109,8 +164,18 @@ Get Chat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve chat details. + It does not modify any external systems (no POST/PUT/DELETE). It does not update + internal SOAR entities, create insights, or modify case data. It only returns + the retrieved data to the action results. categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not operate on entities or alerts to + provide supplemental context (enrichment). It is a standalone utility action + for retrieving information from an external service. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -126,52 +191,81 @@ Get Chat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies solely on the 'Chat ID' parameter provided by the user. Get Messages: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical messages from a chat service, which aligns with + the 'Search Events' category as it returns a collection of logs/telemetry data. + It does not perform enrichment on specific IOCs or assets, nor does it perform + any containment or ticket management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves messages from a Telegram chat using the Telegram Bot API. This action + allows users to pull historical messages from a chat, optionally filtering by + message type or starting from a specific message ID. - The **Get Messages** action retrieves updates and messages from the Telegram Bot - API. It allows a bot to pull incoming messages, channel posts, and other update - types from chats where the bot is a member. This action is essential for monitoring - chat activity or ingesting external communications into a workflow. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the `API Token` from the + integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Last Message ID` and `Message Types` + from the action parameters. - | **Last Message ID** | String | No | Corresponds to the `offset` parameter in - the Telegram API. It specifies the identifier of the first update to be returned. - Updates with an identifier smaller than this value will be ignored. | + 3. **API Interaction**: The action initializes the `TelegramManager` and calls + the Telegram `getUpdates` endpoint using the provided parameters. - | **Message Types** | Content (List) | No | A JSON list of update types to retrieve - (e.g., `["message", "channel_post", "poll_answer"]`). If left empty, all update - types are retrieved. | + 4. **Result Handling**: The retrieved messages are returned as a JSON result to + the SOAR platform. - ### Flow Description + ### Parameters - 1. **Initialization**: The action initializes the Telegram Manager using the API - Token provided in the integration configuration. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It extracts the `Last Message ID` and `Message Types` - from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action calls the Telegram `/getUpdates` endpoint via - a GET request, passing the offset and allowed update types as parameters. + | Last Message ID | string | No | The ID of the last message from which to start + pulling messages. | - 4. **Output**: The raw JSON response containing the list of updates/messages is - attached to the action results for use in the playbook. + | Message Types | content | No | A list of message types to retrieve (e.g., ['channel_post', + 'poll_answer']). | ### Additional Notes - - The bot must be a member of the chat/channel to retrieve messages. - - - This action does not operate on specific SOAR entities (like IPs or Hostnames) - but rather fetches global updates for the bot. + This action does not interact with specific SOAR entities. It performs a read-only + operation against the Telegram API to fetch message history. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +276,16 @@ Get Messages: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve messages. + It does not modify any external system state (no POST/PUT/DELETE) and does not + modify any internal SOAR data (entities, insights, or case comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Telegram) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action + as defined in the system instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,51 +301,75 @@ Get Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize any SOAR entities. It operates on + global parameters to fetch messages from a Telegram chat. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, containment, ticketing, or alert + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Telegram Bot API. Its primary purpose is to ensure - that the integration is correctly configured and that the provided Bot API Token - is valid and authorized to communicate with Telegram's servers. + This action tests the connectivity between the Google SecOps SOAR platform and + the Telegram API. It verifies that the provided API Token is valid and that the + SOAR platform can successfully communicate with the Telegram service. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **API Token** | String | Yes | This is a configuration-level parameter (not - an action parameter). It is the unique authentication token for the Telegram bot, - used to authorize requests to the Telegram API. | - - - ### Additional Notes - - This action does not take any user-provided input parameters at runtime. It relies - solely on the credentials provided in the integration's configuration settings. - As a 'Ping' action, it does not interact with entities or modify any data within - the SOAR or external systems. + | API Token | String | Yes | The Telegram Bot API token used to authenticate requests + to the Telegram service. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the `API Token` from the Telegram - integration settings. + 1. The action initializes the `SiemplifyAction` and extracts the `API Token` from + the integration configuration. - 2. **Manager Initialization**: It initializes the `TelegramManager` with the retrieved - token. + 2. It initializes the `TelegramManager` using the provided token. - 3. **Connectivity Check**: The action calls the `test_connectivity` method, which - sends a GET request to the Telegram API's `getMe` endpoint. + 3. The action calls the `test_connectivity` method, which performs a `GET` request + to the Telegram API's `getMe` endpoint. - 4. **Response Validation**: It checks the API response for a successful status - code and an 'ok' boolean in the JSON body. + 4. If the API returns a successful response (`ok: true`), the action completes + with a success status. - 5. **Status Reporting**: If the request is successful, it returns a 'Connected - successfully' message; otherwise, it reports a connection failure. + 5. If the connection fails or the API returns an error, the action completes with + a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -252,10 +378,20 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by sending a GET request to the Telegram + API. It does not modify external systems, update internal SOAR data, or process + entities. While it performs a network request to verify connectivity, it does + not perform any enrichment or mutation operations. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and serves as a connectivity test. According to the + provided instructions, actions named 'Ping' must not be categorized as enrichment + actions. Furthermore, it does not perform any enrichment, mutation, or entity-related + operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -271,45 +407,84 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. Send Document: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a document to a Telegram chat. This aligns with the 'Send Message' + category, as it is a communication action used to deliver content to a messaging + platform. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Sends a document to a specified Telegram chat using a provided URL. This action - allows a Telegram bot to share files (such as reports, logs, or evidence) directly - within a chat or group by providing a publicly accessible link to the file. + This action sends a document from a specified URL to a designated Telegram chat. + It utilizes the Telegram Bot API to deliver the file, facilitating automated communication + and document sharing within Telegram channels or private chats directly from the + SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Telegram API Token from + the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `Chat ID` and `Document URL` + provided by the user. - | Document URL | string | Yes | The direct URL of the document to be sent to the - Telegram chat. | + 3. **API Interaction**: The action initializes the `TelegramManager` and invokes + the `send_doc` method, which performs an API request to the Telegram `sendDocument` + endpoint. - | Chat ID | string | Yes | The unique identifier or username of the target Telegram - chat where the document will be sent. | + 4. **Result Handling**: The action captures the response from the Telegram API, + logs the outcome, and returns the result to the SOAR platform. - ### Flow Description + ### Parameters Description - 1. **Configuration Retrieval**: The action retrieves the Telegram Bot API Token - from the integration's global configuration. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It extracts the target Chat ID and the Document URL - from the action's input parameters. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action uses the Telegram Manager to call the `sendDocument` - endpoint of the Telegram Bot API, passing the Chat ID and the Document URL. + | Document URL | string | Yes | The URL of the document to be sent to the chat. + | - 4. **Result Processing**: The action captures the JSON response from Telegram, - which contains metadata about the sent message, and attaches it to the action's - results. + | Chat ID | string | Yes | The unique identifier of the Telegram chat where the + document will be sent. | - 5. **Completion**: The action concludes with a success message if the document - was sent or a failure message if an error occurred during the API call. + + ### Additional Notes + + This action performs an external mutation by sending a document to a Telegram + chat. It does not perform any enrichment or internal data modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -318,12 +493,21 @@ Send Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a document to a Telegram chat, which creates a new message and file entry - in the external Telegram platform. + Sends a document to a Telegram chat, which updates the chat history in the external + Telegram system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a document to a specific + chat. This constitutes an external mutation (sending a message/document). It + does not fetch data for enrichment purposes, nor does it modify internal SOAR + data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data to enrich + entities or alerts. It performs an external action (sending a document) and + does not meet the criteria for enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -339,46 +523,53 @@ Send Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over entities. It relies solely on user-provided + parameters (Chat ID and Document URL) to perform its function. Send Location: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a location to a Telegram chat. This aligns with the 'Send Message' + category, which covers sending notifications or content to communication applications. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Sends a geographic location to a specific Telegram chat using a Telegram bot. - This action allows users to share coordinates (latitude and longitude) directly - into a chat, which is useful for operational coordination or reporting physical - locations associated with an incident. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | string | Yes | The unique identifier for the target chat or the username - of the target channel/private chat (e.g., '123456789'). | - - | Latitude | string | Yes | The latitude coordinate of the location to be sent - (e.g., '30.0123213'). | - - | Longitude | string | Yes | The longitude coordinate of the location to be sent - (e.g., '30.456468'). | - - - ### Flow Description - - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration and the Chat ID, Latitude, and Longitude from the action parameters. - - 2. **API Interaction**: It uses the `TelegramManager` to call the Telegram Bot - API's `sendLocation` endpoint with the provided coordinates and chat identifier. - - 3. **Result Processing**: The action captures the response from Telegram, which - includes details of the sent message. - - 4. **Completion**: The response is added to the action's JSON results, and the - action completes with a success message if the location was sent successfully, - or a failure message if an error occurred. + General Description: Sends a geographic location (latitude and longitude) to a + specified Telegram chat. This action allows analysts to share location data directly + from the SOAR platform to a Telegram channel or private chat. Flow Description: + 1. Extracts the Telegram API token from the integration configuration. 2. Retrieves + the Chat ID, Latitude, and Longitude from the action parameters. 3. Initializes + the TelegramManager with the API token. 4. Sends the location data to the specified + Telegram chat using the Telegram API. 5. Returns the API response as a JSON result + to the SOAR platform. Parameters Description: Longitude (string, mandatory): The + longitude coordinate of the location. Latitude (string, mandatory): The latitude + coordinate of the location. Chat ID (string, mandatory): The unique identifier + of the Telegram chat where the location will be sent. Additional Notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -387,12 +578,19 @@ Send Location: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a new location message to a Telegram chat, which modifies the chat history - in the external Telegram system. + Sends a location message to a Telegram chat, which modifies the state of the + chat history in the external Telegram system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a location message. This + constitutes an external mutation (adding a message to a chat). It does not fetch + data, nor does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action does not fetch data for enrichment, nor does it modify internal SOAR + data. It is a communication action used to send information to an external platform. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -408,49 +606,80 @@ Send Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over siemplify.target_entities. It relies + solely on user-provided parameters. Send Message: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a message to a Telegram chat. This directly aligns with the + 'Send Message' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Sends a message to a specific Telegram chat using a configured bot. This action - allows for automated communication from Google SecOps to Telegram users, groups, - or channels, facilitating notifications or alerts. + This action sends a message to a specific Telegram chat using a configured bot. + It allows analysts to communicate information directly from the SOAR platform + to a Telegram channel or private chat. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Default Value | Description | + 1. The action initializes the `SiemplifyAction` and retrieves the `API Token` + from the integration configuration. - | :--- | :--- | :--- | :--- | :--- | + 2. It extracts the `Chat ID` and `Message` content from the action parameters. - | Chat ID | String | Yes | 123456 | The unique identifier for the target chat - or username where the message will be sent. | + 3. A `TelegramManager` instance is created using the provided API token. - | Message | String | Yes | (Empty) | The text content of the message to be delivered - by the bot. | + 4. The action calls the `telegram_bot_sendmessage` method, which sends a request + to the Telegram API to deliver the message to the specified chat. + 5. The result of the API call is added to the action result, and the action completes + with a success or failure status. - ### Flow Description - 1. **Configuration Retrieval**: The action extracts the Telegram Bot API Token - from the integration's configuration settings. + ### Parameters Description - 2. **Parameter Extraction**: It retrieves the target `Chat ID` and the `Message` - content from the action's input parameters. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction**: The action initializes the `TelegramManager` and calls - the `telegram_bot_sendmessage` method, which sends a request to the Telegram Bot - API's `sendMessage` endpoint. + | :--- | :--- | :--- | :--- | + + | Chat ID | string | Yes | The unique identifier or username of the chat where + the message should be sent. | - 4. **Result Processing**: The response from the Telegram API is captured and added - to the action's JSON results. The action then terminates with a success or failure - message based on the API response. + | Message | string | Yes | The content of the message to be sent. | ### Additional Notes - This action does not operate on entities and requires a valid Bot API Token to - be configured at the integration level. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -459,12 +688,21 @@ Send Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a message to a Telegram chat, which creates new message content within - the external Telegram platform. + Sends a message to a Telegram chat, changing the state of the chat by adding + a new message. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a message, which constitutes + an external mutation (sending data to an external system). It does not fetch + contextual data for enrichment, nor does it modify internal SOAR data such as + entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action performs an external action (sending a message) and does not retrieve + data for enrichment or modify internal SOAR data. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -480,47 +718,74 @@ Send Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over entities. It uses parameters + provided directly in the action configuration. Send Photo: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a photo to a Telegram chat. This aligns with the 'Send Message' + category, as it dispatches content to a communication platform. It does not + match other categories like 'Enrich IOC', 'Create Ticket', etc. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Sends a photo to a specific Telegram chat using a provided image URL. This action - allows a Telegram bot to share visual information (PNG, JPEG, JPG, etc.) with - a user, group, or channel based on a unique Chat ID. + Sends a photo to a specified Telegram chat. This action allows users to share + visual content directly from a URL to a Telegram chat, facilitating automated + communication and reporting within the Telegram platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Photo URL | String | Yes | The HTTP URL of the photo to be sent. The URL should - point directly to an image file (e.g., ending in .png, .jpg). | - - | Chat ID | String | Yes | The unique identifier for the target Telegram chat - where the photo will be delivered. | - - - ### Additional Notes + | Photo URL | string | Yes | The HTTP URL of the photo to be sent. It should point + to a valid image file (e.g., png, jpeg, jpg). | - This action requires a valid Telegram Bot API Token to be configured in the integration - settings. It does not process or filter Google SecOps entities; it operates solely - based on the provided parameters. + | Chat ID | string | Yes | The unique identifier of the chat where the photo will + be sent. | ### Flow Description - 1. **Initialization**: Retrieves the Telegram API Token from the integration configuration. + 1. The action initializes the `TelegramManager` using the API token retrieved + from the integration configuration. - 2. **Parameter Extraction**: Collects the target Chat ID and the Photo URL from - the action inputs. + 2. It extracts the `Chat ID` and `Photo URL` from the provided action parameters. - 3. **API Interaction**: Uses the Telegram Manager to call the `sendPhoto` endpoint - of the Telegram Bot API. + 3. It invokes the `send_photo` method of the `TelegramManager`, which performs + an API request to the Telegram `sendPhoto` endpoint. - 4. **Result Processing**: Captures the API response, adds it to the action's JSON - results, and notifies the user of a successful or failed delivery. + 4. The action processes the response from the Telegram API, logs the outcome, + and returns the result JSON to the SOAR platform, indicating whether the photo + was sent successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -529,12 +794,19 @@ Send Photo: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a photo to a Telegram chat, which modifies the chat history and state - of the external Telegram platform. + Sends a photo to a Telegram chat, which creates a new message in the external + system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a photo to a specific chat. + This constitutes an external mutation (sending a message). It does not fetch + data for enrichment, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a messaging/notification action, not an enrichment action. It + does not fetch data for analysis, nor does it update entities or insights. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -550,14 +822,47 @@ Send Photo: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies solely on user-provided + parameters (`Chat ID` and `Photo URL`). Send Poll: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a poll to a Telegram chat. This aligns with the 'Send Message' + category, as it dispatches a message/poll to a communication application. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action sends a poll with pre-defined answer options to a specific Telegram - chat or channel using a Telegram bot. It is primarily used for interactive communication - or gathering feedback within a chat environment during incident response or operational - workflows. + This action sends a poll with pre-defined answer options to a specified Telegram + chat. It leverages the Telegram Bot API to create and post the poll, allowing + for interactive communication within a Telegram group or channel. ### Parameters Description @@ -566,43 +871,33 @@ Send Poll: | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., @channelusername). | + | Chat ID | string | Yes | The unique identifier of the chat where the bot should + send the poll. Note: Non-anonymous polls cannot be sent to channel chats. | - | Question | String | Yes | The question text to be sent in the poll. | - - | Options | Content | Yes | A JSON array of strings representing the answer options - (e.g., ["Yes", "No"]). | - - | Is Anonymous | Boolean | No | Determines if the poll results will be anonymous. - Default is false. Note: Non-anonymous polls cannot be sent to channel chats. | - - - ### Additional Notes + | Question | string | Yes | The question text to be displayed in the poll. | - - The bot must be a member of the target chat or channel with appropriate permissions - to send messages and polls. + | Options | content | Yes | A JSON array of strings representing the answer options + for the poll. | - - If 'Is Anonymous' is set to false, the action will fail if the target is a Telegram - Channel. + | Is Anonymous | boolean | No | Determines if the poll results will be anonymous. + Note: Non-anonymous polls cannot be sent to channel chats. | ### Flow Description - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration and extracts the user-provided parameters (Chat ID, Question, Options, - and Anonymity status). + 1. The action initializes the `TelegramManager` using the configured API token. - 2. **API Interaction**: It utilizes the `TelegramManager` to call the Telegram - Bot API's `sendPoll` endpoint. + 2. It extracts the required parameters (`Chat ID`, `Question`, `Options`, `Is + Anonymous`) from the action settings. - 3. **Execution**: The manager sends a GET request (standard for Telegram Bot API - methods) containing the poll details to the Telegram servers. + 3. It calls the `ask_question` method, which sends a request to the Telegram API + (`/sendPoll`) to create the poll in the specified chat. - 4. **Result Handling**: If successful, the action captures the JSON response representing - the sent poll object, attaches it to the action results, and completes with a - success message. If the API returns an error, the action fails and reports the - error details. + 4. The action captures the response from the Telegram API and adds it to the action + result JSON. + + 5. The action concludes by returning a success status and a message indicating + whether the poll was sent successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -611,12 +906,21 @@ Send Poll: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new poll message in the specified Telegram chat or channel, which - changes the state of the external chat history. + Sends a poll to a Telegram chat, which modifies the state of the external chat + environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a poll, which constitutes + an external mutation (changing the state of the Telegram chat). It does not + fetch contextual data about alerts or entities, nor does it modify any internal + SOAR data, entities, or case information. categories: enrichment: false + reasoning: >- + The action performs an external mutation (sending a poll) and does not fetch + data for enrichment purposes. Therefore, it does not meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -632,15 +936,51 @@ Send Poll: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over SOAR entities. It operates + based on parameters provided in the action configuration. Set Default Chat Permissions: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the configuration of a Telegram chat (permissions). It does + not fit standard IOC/Asset enrichment, ticket/alert management, or host containment + categories. It is a configuration/management action for an external communication + platform. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Sets the default chat permissions for all new members in a specific Telegram group - or supergroup. This action allows administrators to define what actions new members - are permitted to perform by default, such as sending messages, polls, or inviting - others. Note that the bot must be an administrator in the target group with 'can_restrict_members' - permissions for this action to succeed. + This action updates the default chat permissions for a specified Telegram group + or supergroup. It allows administrators to configure restrictions for new members, + such as the ability to send messages, edit chat information, invite users, pin + messages, or send polls. The action interacts with the Telegram Bot API to apply + these settings. ### Parameters Description @@ -649,48 +989,47 @@ Set Default Chat Permissions: | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | The unique identifier for the Telegram chat where permissions - will be updated. | - - | Can Send Messages | Boolean | No | If true, allows users to send text messages, - contacts, and locations. Default is true. | + | Chat ID | string | Yes | The unique identifier for the Telegram chat (group + or supergroup) to be configured. | - | Can Send Polls | Boolean | No | If true, allows users to send polls. Default - is true. | + | Can Send Messages | boolean | No | If true, allows users to send text messages. + Default is true. | - | Can Pin Messages | Boolean | No | If true, allows users to pin messages. Note: - This cannot be applied in supergroups. Default is true. | + | Can Edit Info | boolean | No | If true, allows users to edit the chat title, + photo, and other settings. Default is true. Note: Cannot be applied in supergroups. + | - | Can Invite Users | Boolean | No | If true, allows users to invite new users + | Can Invite Users | boolean | No | If true, allows users to invite new members to the chat. Default is true. | - | Can Edit Info | Boolean | No | If true, allows users to edit chat title, photo, - and other settings. Note: This cannot be applied in supergroups. Default is true. - | + | Can Pin Messages | boolean | No | If true, allows users to pin messages. Default + is true. Note: Cannot be applied in supergroups. | + | Can Send Polls | boolean | No | If true, allows users to send polls. Default + is true. | - ### Additional Notes - - The bot must have administrative privileges in the group. + ### Flow Description - - Certain permissions like 'Can Pin Messages' and 'Can Edit Info' are restricted - in supergroups when applied as default permissions. + 1. The action extracts the required configuration (API Token) and the action parameters + (Chat ID and permission settings). + 2. It initializes the `TelegramManager` with the provided API Token. - ### Flow Description + 3. It calls the `set_default_chat_permissions` method, which sends a request to + the Telegram API endpoint `setChatPermissions` with the specified configuration. - 1. **Initialization**: The action initializes the Telegram Manager using the provided - API Token from the integration configuration. + 4. The action returns a success or failure status, along with the JSON response + from the Telegram API, and terminates the execution. - 2. **Parameter Extraction**: It retrieves the target Chat ID and the specific - permission boolean flags from the action parameters. - 3. **API Interaction**: The action calls the Telegram API's `setChatPermissions` - endpoint with the specified parameters. + ### Additional Notes + + - The bot must be an administrator in the target group or supergroup and must + have the `can_restrict_members` permission for this action to succeed. - 4. **Result Processing**: If the API call is successful, it returns a success - message and the resulting JSON data. If it fails (e.g., insufficient bot permissions), - it returns a failure status and the error details. + - Some permissions (e.g., Can Edit Info, Can Pin Messages) may have limitations + depending on the chat type (e.g., supergroups). capabilities: can_create_case_comments: false can_create_insight: false @@ -699,12 +1038,20 @@ Set Default Chat Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the default member permissions configuration for a specific Telegram - chat via the Telegram Bot API. + Updates the default chat permissions for a Telegram group or supergroup via + the Telegram Bot API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation on an external system (Telegram) + by updating chat permissions. It does not fetch data for enrichment, nor does + it modify internal Google SecOps data (cases, alerts, or entities). categories: enrichment: false + reasoning: >- + The action is a configuration/management task that modifies external system + state. It does not retrieve data for enrichment purposes, therefore it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -720,76 +1067,104 @@ Set Default Chat Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on Google SecOps entities. It uses a 'Chat ID' parameter + provided by the user to identify the target chat, rather than iterating over + `target_entities`. Set User Permissions: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies user permissions (e.g., promoting/demoting members, changing + capabilities) in a Telegram chat. This aligns with the 'Update Identity' category, + which covers modifying account metadata, permissions, or group memberships. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - This action modifies user permissions within a Telegram supergroup or channel. - It allows administrators to promote or demote users by toggling specific rights - such as pinning messages, deleting content, or inviting new members. The bot must - have administrative privileges in the target chat to execute these changes. + Updates user permissions within a Telegram supergroup or channel. This action + allows administrators to modify specific capabilities for a user, such as pinning + messages, promoting members, or editing chat information. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Chat ID | string | Yes | The unique identifier or username of the target chat. - | + | Chat ID | string | Yes | The unique identifier or username of the chat. | - | User ID | string | Yes | The unique identifier of the user whose permissions - are being modified. | + | User ID | string | Yes | The unique identifier of the user. | + + | Can Pin Messages | boolean | No | Allows the user to pin messages (relevant + for supergroups). | - | Is Anonymous | boolean | No | If true, the user's presence in the chat is hidden. + | Can Promote Members | boolean | No | Allows the user to add or revoke administrators. | - | Can Edit The Info | boolean | No | Allows the user to change the chat title, - photo, and other settings. | + | Can Restrict Members | boolean | No | Allows the user to restrict, ban, or unban + members. | | Can Post Messages | boolean | No | Allows the user to post messages (relevant for channels). | - | Can Edit Messages | boolean | No | Allows the user to edit messages of other - users. | + | Can Edit The Info | boolean | No | Allows the user to edit chat title, photo, + and other settings. | - | Can Delete Messages | boolean | No | Allows the user to delete messages of other - users. | - - | Can Invite Users | boolean | No | Allows the user to invite new users to the - chat. | + | Is Anonymous | boolean | No | Hides the user's presence in the chat. | - | Can Restrict Members | boolean | No | Allows the user to restrict, ban, or unban - chat members. | + | Can Invite Users | boolean | No | Allows the user to invite new members. | - | Can Promote Members | boolean | No | Allows the user to add or revoke other - administrators. | + | Can Delete Messages | boolean | No | Allows the user to delete messages of other + users. | - | Can Pin Messages | boolean | No | Allows the user to pin messages (relevant - for supergroups). | + | Can Edit Messages | boolean | No | Allows the user to edit messages of other + users. | ### Additional Notes - - The bot must be an administrator in the chat for this action to work. - - - This action uses the Telegram `promoteChatMember` API endpoint. + The bot must be an administrator in the chat for this to work and must have the + appropriate admin permissions. ### Flow Description - 1. **Initialization**: Retrieves the Telegram API Token from the integration configuration. + 1. Extract configuration parameters (API Token) and action parameters (Chat ID, + User ID, and various permission flags). - 2. **Parameter Extraction**: Collects the Chat ID, User ID, and all permission-related - boolean flags from the action input. + 2. Initialize the `TelegramManager` with the provided API token. - 3. **API Execution**: Calls the Telegram Manager to execute the `set_user_permissions` - method, which sends a request to the Telegram API to update the user's status. + 3. Invoke the `promoteChatMember` API endpoint to apply the requested permission + changes to the specified user in the target chat. - 4. **Result Handling**: Captures the API response. If successful, it returns a - success message and the resulting JSON; otherwise, it reports a failure with the - error details. + 4. Return the API response as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -798,12 +1173,20 @@ Set User Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates user permissions and administrative rights within a Telegram chat via - the promoteChatMember API. + Updates user permissions (promote/demote) in a Telegram chat via the `promoteChatMember` + API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (`promoteChatMember`) on the + Telegram API to update user permissions. It does not fetch contextual data for + enrichment, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action that changes external system state (Telegram + permissions). It does not fetch data for enrichment purposes, nor does it meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -819,40 +1202,95 @@ Set User Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses `Chat ID` + and `User ID` provided as action parameters. Wait for poll results: - ai_description: "### General Description\nThe **Wait for poll results** action is\ - \ an asynchronous task designed to monitor a specific Telegram poll and retrieve\ - \ its results. It is primarily used to automate workflows that require user feedback\ - \ or voting via Telegram. The action periodically checks the status of a poll\ - \ until a specific vote threshold is reached or a predefined timeout occurs.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Poll ID** | String | Yes | The unique identifier\ - \ of the Telegram poll to monitor. |\n| **Answer Votes Threshold** | String |\ - \ Yes | The number of votes for any single option that will trigger the action\ - \ to complete successfully. |\n| **Waiting Timeframe** | String | Yes | The maximum\ - \ duration (in minutes) the action should wait for the threshold to be met before\ - \ finishing. |\n| **Scan back Limit** | String | Yes | The maximum number of poll\ - \ updates to retrieve and scan from the Telegram bot's history. |\n\n### Flow\ - \ Description\n1. **Initialization**: The action retrieves the Telegram API token\ - \ from the integration configuration and extracts the user-provided parameters\ - \ (Poll ID, Threshold, Timeframe, and Limit).\n2. **State Recovery**: Since the\ - \ action is asynchronous, it checks if it is the first run. If not, it restores\ - \ the execution state (start time and last processed update ID) from the `additional_data`\ - \ parameter.\n3. **Data Fetching**: It interacts with the Telegram API's `getUpdates`\ - \ method to fetch recent poll-related activity.\n4. **Filtering**: The action\ - \ filters the incoming updates to find the specific poll matching the provided\ - \ **Poll ID**.\n5. **Evaluation**: \n - **Threshold Check**: It checks if any\ - \ option in the poll has reached the **Answer Votes Threshold**.\n - **Timeout\ - \ Check**: It calculates the elapsed time since the action started and compares\ - \ it against the **Waiting Timeframe**.\n6. **Outcome**: \n - If the threshold\ - \ is met, the action completes with a success status.\n - If the timeframe\ - \ expires, the action completes, returning whatever results were found.\n -\ - \ If neither condition is met, the action saves its current state and remains\ - \ in an 'In Progress' state for the next polling cycle.\n\n### Additional Notes\n\ - - This action does not operate on Google SecOps entities (e.g., IPs, Hostnames)\ - \ and instead relies entirely on the provided **Poll ID**.\n- It is an asynchronous\ - \ action, meaning it will yield execution back to the SOAR platform between polling\ - \ intervals." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves poll results from Telegram. It does not match any of the + specific product categories (e.g., Enrich IOC, Enrich Asset, etc.) as it is + a utility action for polling external data, not specifically for enriching IOCs, + assets, or managing alerts/tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action waits for poll results from a Telegram bot. It polls the Telegram + API for updates, filters for a specific poll ID, and checks if the votes for any + option meet a defined threshold. This action is designed to be run asynchronously, + allowing it to wait for poll results over a specified timeframe. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Scan back Limit | string | Yes | Top amount of polls' answers to be scanned. + | + + | Waiting Timeframe | string | Yes | Time in minutes to wait for votes. | + + | Answer Votes Threshold | string | Yes | Number of votes required to stop waiting. + | + + | Poll ID | string | Yes | The ID of the poll to fetch answers for. | + + + ### Flow Description + + 1. Initialize parameters (Poll ID, Threshold, Timeframe, Limit). + + 2. Check if it's the first run or a subsequent run (using `additional_data` for + state). + + 3. Fetch updates from Telegram using `TelegramManager`. + + 4. Filter updates for the specific `Poll ID`. + + 5. Check if any option in the poll meets the `Answer Votes Threshold`. + + 6. If threshold met, complete the action. + + 7. If threshold not met but timeframe reached, complete the action (with failure/timeout + status). + + 8. If threshold not met and timeframe not reached, continue waiting (return `EXECUTION_STATE_INPROGRESS`). + + + ### Additional Notes + + This action is designed to be run asynchronously. It maintains state across runs + using the `additional_data` parameter to track the start time and the last processed + update ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -863,8 +1301,18 @@ Wait for poll results: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches poll updates from the Telegram API (`get_updates`). It does + not modify any external system state (it only reads). It does not modify any + internal Google SecOps data (no insights, comments, or entity updates). It uses + `siemplify.end` to report the final status and `add_result_json` to return the + poll data, which are standard reporting mechanisms. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (poll results) from an external source (Telegram) and + does not mutate any external or internal systems. It meets the criteria for + an enrichment action as it is a read-only data retrieval task. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -880,3 +1328,6 @@ Wait for poll results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + a specific `Poll ID` provided as a parameter. diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..555c0a0e4 --- /dev/null +++ b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,30 @@ +Telegram Connector: + ai_description: "### General Description\nThe Telegram Connector enables the ingestion\ + \ of messages from Telegram channels, groups, and private chats into Google SecOps.\ + \ By leveraging the Telegram Bot API, this connector monitors for new messages\ + \ and transforms them into actionable alerts within the SOAR platform. \n\n**Important\ + \ Considerations:**\n* For channel monitoring, the bot must be an administrator.\n\ + * For group monitoring, the bot must have access to messages.\n* This connector\ + \ cannot operate simultaneously with an active Telegram Webhook. If a webhook\ + \ is active, it must be disabled using the Telegram API `setWebhook` method before\ + \ running this connector.\n\n### Parameters Description\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Token | Password\ + \ | Yes | The Telegram Bot API token used to authenticate and communicate with\ + \ the Telegram API. |\n| DeviceProductField | String | Yes | The field name used\ + \ to determine the device product in the ingested event. |\n| EventClassId | String\ + \ | Yes | The field name used to determine the event name (sub-type) in the ingested\ + \ event. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds)\ + \ for the Python process running the connector script. |\n\n### Flow Description\n\ + 1. **Initialization**: The connector initializes the `TelegramManager` using the\ + \ provided API Token.\n2. **State Retrieval**: It retrieves the `last_saved_update_id`\ + \ from the connector context to ensure only new messages are processed.\n3. **Data\ + \ Fetching**: It queries the Telegram API (`getUpdates`) starting from the next\ + \ message ID (`last_saved_update_id + 1`).\n4. **Processing**: \n * Iterates\ + \ through the retrieved updates.\n * Identifies the message type (`message`\ + \ for private/group or `channel_post` for channels).\n * Flattens the message\ + \ data and maps it to a standard event format.\n5. **Alert Creation**: Each processed\ + \ event is converted into a SOAR `AlertInfo` object with defined start/end times\ + \ and priority.\n6. **Persistence**: After processing, the latest `update_id`\ + \ is saved back to the connector context to prevent duplicate processing in future\ + \ runs.\n7. **Output**: The collected alerts are returned to the SOAR platform\ + \ for case creation." diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ef8cc945b --- /dev/null +++ b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Telegram integration is primarily a Collaboration tool, providing multiple + actions to send messages, documents, photos, locations, and polls to Telegram + chats, which facilitates SOC notifications and human-in-the-loop workflows. Additionally, + the integration includes a connector that ingests messages from Telegram channels, + groups, and private chats into the SOAR platform as alerts, which aligns with + the SIEM category's data ingestion capabilities. It does not meet the criteria + for other categories such as EDR, Network Security, or IAM, as it does not perform + host-level security operations, manage firewall/WAF rules, or manage enterprise-level + user identities. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml index ddf308908..d994fb5e9 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml @@ -1,10 +1,43 @@ Add User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new user in an external system (VanillaForums). It does + not match any of the provided categories (e.g., Enrich IOC, Create Ticket, Update + Identity, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action adds a new user to Vanilla Forums with comprehensive details including - name, email, role, and password. It includes logic to handle username conflicts - by optionally using alternative separators between the first and last names. + This action adds a new user to the VanillaForums platform. It validates the provided + password complexity, checks for existing users with the same name to avoid duplicates + (optionally appending special characters if needed), and registers the new user + with the specified role and details. ### Parameters Description @@ -13,60 +46,51 @@ Add User: | :--- | :--- | :--- | :--- | - | First Name | String | Yes | The first name of the new user. | + | First Name | string | Yes | New user's first name. | - | Last Name | String | Yes | The last name of the new user. | + | Last Name | string | Yes | New user's last name. | - | Email | String | Yes | The email address for the new user account. | + | Email | string | Yes | New user's email address. | - | Role ID | String | Yes | The specific ID of the role to be assigned to the user - in Vanilla Forums. | + | Role ID | string | Yes | The ID of the role to assign to the user. | - | Password | Password | Yes | The account password. Must be at least 6 characters - long and contain both letters and digits. | + | Password | password | Yes | Password for the new user. Must be at least 6 characters + and include both letters and digits. | - | Override Name Duplicity | Boolean | No | If set to 'True', the action will attempt - to create the user even if the name exists by using alternative separators. Default - is 'False'. | + | Override Name Duplicity | boolean | No | If true, allows creating a user even + if another user with the same name exists (by appending special characters). | - | Additional Identifiers | String | No | A comma-separated list of characters - (e.g., '_,~,-') used to replace the space in the username if the primary name - is already taken. | + | Additional Identifiers | string | No | Characters to use as separators if the + username already exists. | - | Email Confirmed | Boolean | No | If 'True', the user's email will be marked - as confirmed upon creation. Default is 'True'. | + | Photo URL | string | No | URL of the new user's picture. | - | Photo URL | String | No | The URL for the user's profile picture. | + | Email Confirmed | boolean | No | Whether the email address is confirmed. | ### Additional Notes - - The action performs a validation check on the password complexity before attempting - to communicate with the API. - - - If `Override Name Duplicity` is enabled but all provided `Additional Identifiers` - result in existing usernames, the action will fail. + This action requires valid API credentials (API Token and URL) configured for + the VanillaForums integration. The action will fail if the password does not meet + the complexity requirements or if a unique username cannot be generated when name + duplicity is not allowed. ### Flow Description - 1. **Validation**: The action first validates that the provided password meets - the complexity requirements (minimum 6 characters, includes letters, and includes - digits). + 1. Extracts integration configuration and action parameters. + + 2. Validates the password complexity. - 2. **Conflict Check**: It searches Vanilla Forums for an existing user with the - name 'First Name Last Name'. + 3. Searches for an existing user in VanillaForums using the provided first and + last name. - 3. **Username Resolution**: If a conflict is found and `Override Name Duplicity` - is enabled, the action iterates through the `Additional Identifiers` list to find - a unique username combination (e.g., 'First_Last'). + 4. If the user exists and name duplicity is allowed, attempts to find a unique + username by appending characters from the 'Additional Identifiers' list. - 4. **User Creation**: Once a unique username is determined (or if no conflict - exists), the action sends a POST request to the Vanilla Forums API to create the - user account with the specified parameters. + 5. Registers the new user in VanillaForums via a POST request. - 5. **Result Handling**: The action returns the user details in a JSON format and - provides a success message upon completion. + 6. Returns the user details in the result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,11 +99,18 @@ Add User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Vanilla Forums platform via a POST request. + Creates a new user in the VanillaForums platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to search for existing users and a POST request + to create a new user in the VanillaForums platform. It does not modify internal + SOAR data (like entities or insights). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (creates + a new user) and does not meet the criteria for read-only enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -95,50 +126,51 @@ Add User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It operates on user-provided parameters to create a new user in + the VanillaForums platform. Generate Password: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action generates a random password string locally. It does not perform any + of the listed product category operations (e.g., enrichment, containment, ticket + management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Generates a random password that complies with Vanilla Forums' complexity requirements. - This utility action is typically used in workflows involving user creation or - password resets to ensure the generated credentials meet the platform's minimum - security standards (at least one uppercase letter, one lowercase letter, and digits). - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | Length | The total number of characters for the generated password. | String - | No | Must be an integer of at least 6. Defaults to 6 if not provided. | - - - ### Additional Notes - - - The action performs local string generation and does not communicate with the - Vanilla Forums API to generate the password. - - - If a length less than 6 is provided, the action will fail with an explicit error - message. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the 'Length' parameter from the action - input and converts it to an integer. - - 2. **Validation**: Checks if the requested length is at least 6 characters. If - not, the execution fails. - - 3. **Password Generation**: Uses the `VanillaManager` to construct a string consisting - of: - - One random uppercase letter. - - One random lowercase letter. - - Random digits for the remaining length (Length - 2). - 4. **Result Output**: Returns the generated password string as the action's result - value and provides a success message. + General Description: This action generates a random password string of a specified + length. Flow: 1. Extract the Length parameter from the action configuration. 2. + Validate that the length is at least 6 characters. 3. Generate a random string + containing one uppercase letter, one lowercase letter, and the remaining characters + as digits. 4. Return the generated password as the action result. Parameters: + Length (string, optional, default: 6): The desired length of the password. Must + be at least 6 characters. capabilities: can_create_case_comments: false can_create_insight: false @@ -149,8 +181,14 @@ Generate Password: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string generation based on a user-provided length. + It does not interact with any external APIs or modify any internal SOAR data. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external source; it performs a local + calculation. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -166,22 +204,77 @@ Generate Password: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Get User Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches detailed user information from the VanillaForums API based + on a provided User ID. This aligns with the 'Enrich Asset' category, as it retrieves + contextual metadata for a user. It does not perform any mutations on external + systems or internal SOAR data, nor does it operate on entities directly. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description: Fetches comprehensive details for a specific user from - VanillaForums using their unique User ID. This action is primarily used to retrieve - profile information, roles, and account status for administrative or investigative - purposes. ### Parameters Description: | Parameter | Type | Mandatory | Description - | | :--- | :--- | :--- | :--- | | User ID | String | Yes | The unique identifier - of the user whose details are to be retrieved. Default is 0. | ### Flow Description: - 1. **Parameter Extraction**: Retrieves the User ID from the action input parameters. - 2. **Manager Initialization**: Establishes a connection to the VanillaForums API - using the configured API Token and Base URL. 3. **Data Retrieval**: Executes a - GET request to the /v2/users/{user_id} endpoint to fetch the user's profile data. - 4. **Result Processing**: Captures the JSON response containing user details and - attaches it to the action results for use in subsequent playbook steps. ### Additional - Notes: This action does not automatically process entities from the SecOps case; - it requires the User ID to be provided manually or mapped from a previous step. + ### General Description + + This action retrieves detailed user information from the VanillaForums platform + by querying the API with a specific User ID. It is designed to fetch profile data + for a given user, which can then be used for further analysis or reporting within + the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | User ID | string | true | The unique identifier of the user whose details are + to be retrieved. | + + + ### Additional Notes + + None. + + + ### Flow Description + + 1. The action extracts the `User ID` parameter provided by the user. + + 2. It initializes the `VanillaManager` using the configured API token and base + URL. + + 3. It performs a GET request to the VanillaForums API (`/v2/users/{user_id}`) + to fetch the user's profile information. + + 4. The retrieved user details are returned as a JSON object in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -192,8 +285,18 @@ Get User Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve user details from the VanillaForums + API (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not operate on + SOAR entities (it uses a raw User ID parameter). Therefore, it does not meet + the criteria for an Enrichment Action, which requires operating on alerts or + entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -209,14 +312,49 @@ Get User Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It takes a raw 'User ID' parameter as input. Therefore, it does + not run on any entity types. Get a Leaderboard Analytics: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches leaderboard analytics from an external system. It does not + match any of the provided categories (e.g., Enrichment, Ticket, Alert, Identity, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get a Leaderboard Analytics** action retrieves statistical data for specified - leaderboards from a Vanilla Forums instance. It allows users to fetch engagement - metrics, such as top posters or discussion starters, within a defined date range. - This action is primarily used for reporting and monitoring community activity. + Fetches analytics for specified leaderboards from VanillaForums within a defined + date range. This action retrieves leaderboard data, such as top posters or discussion + starters, and returns the results as a JSON object for further analysis. ### Parameters Description @@ -225,43 +363,39 @@ Get a Leaderboard Analytics: | :--- | :--- | :--- | :--- | - | **Leaderboards** | String | Yes | A comma-separated list of leaderboard identifiers - to query (e.g., `top-posters, top-discussion-starters`). | + | Leaderboards | string | Yes | Comma-separated list of leaderboards to fetch + (e.g., "top-posters, top-discussion-starters"). | - | **From** | String | Yes | The start date for the analytics report in `yyyy-mm-dd` - format. | + | To | string | Yes | End date of the time frame in yyyy-mm-dd format. | - | **To** | String | Yes | The end date for the analytics report in `yyyy-mm-dd` - format. | + | Amount Limit | string | Yes | The maximum number of rows to return for each + leaderboard. | - | **Amount Limit** | String | Yes | The maximum number of rows (positions) to - return for each requested leaderboard. | + | From | string | Yes | Start date of the time frame in yyyy-mm-dd format. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the API Token and Base URL from the integration configuration. + This action does not operate on entities and does not modify any internal or external + data. It is a read-only operation that retrieves analytics data from the VanillaForums + API. - 2. **Parameter Extraction**: It extracts the user-provided date range, row limit, - and the list of leaderboards to be queried. - 3. **Data Retrieval**: The action iterates through the list of leaderboards. For - each board, it calls the Vanilla Forums API via a GET request to the `/analytics/leaderboard` - endpoint, passing the specified time frame and limit. + ### Flow Description - 4. **Result Processing**: The retrieved analytics data for each leaderboard is - aggregated into a JSON structure. + 1. Extract the action parameters: `Leaderboards`, `Amount Limit`, `From`, and + `To`. - 5. **Completion**: The action returns the aggregated JSON data and provides a - summary message indicating which leaderboards were successfully fetched. + 2. Initialize the `VanillaManager` with the API token and base URL. + 3. Split the `Leaderboards` parameter into a list of individual boards. - ### Additional Notes + 4. Iterate through each board and call the `get_leaderboard_analytics` method + to fetch the analytics data. - - This action does not interact with or process entities (such as IPs, Hosts, - or Users) found within a Google SecOps case. It operates purely on the provided - string parameters to fetch global forum data. + 5. Append the results to a JSON list. + + 6. Return the final JSON result using `siemplify.result.add_result_json`. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,8 +406,15 @@ Get a Leaderboard Analytics: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to fetch analytics data (fetches_data=true). + It does not mutate external systems, update entities, create insights, or modify + alert data. categories: enrichment: false + reasoning: >- + The action fetches data but does not operate on entities or alerts, therefore + it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -289,42 +430,68 @@ Get a Leaderboard Analytics: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + parameters provided directly to the action configuration. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + functional outcomes such as enriching IOCs, updating tickets, or blocking hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the VanillaForums platform. It serves as a diagnostic tool to ensure that - the integration configuration, including the API Token and Base URL, is valid - and that the external service is reachable. + Verifies connectivity to the VanillaForums instance. This action ensures that + the SOAR platform can successfully communicate with the VanillaForums API. - ### Parameters Description + ### Parameters There are no parameters for this action. ### Additional Notes - This action is primarily used for health checks and troubleshooting integration - setup. It does not interact with any entities or modify any data. + This action is a connectivity test (Ping) and does not perform any functional + operations on entities or alerts. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the integration's global - configuration, specifically the **API Token** and **URL**. + 1. Retrieves the API Token and Base URL from the integration configuration. - 2. **Manager Initialization**: It initializes the `VanillaManager` with the provided - credentials. + 2. Initializes the `VanillaManager` with the provided credentials. - 3. **Connectivity Check**: The action calls the `test_connectivity` method, which - performs a `GET` request to the `/v2/categories` endpoint of the VanillaForums - API with minimal depth and limit to minimize resource usage. + 3. Attempts to connect to the VanillaForums API by sending a `GET` request to + the `/v2/categories` endpoint. - 4. **Final Status**: If the API call is successful, the action returns a success - message. If an exception occurs (e.g., 401 Unauthorized or 404 Not Found), it - captures the error and reports a connection failure. + 4. Returns a success status if the connection is established, or a failure status + if an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -335,8 +502,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the VanillaForums + API. It does not modify external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -352,50 +526,78 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. Search User By Email and Name: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for a user in the VanillaForums platform and returns contextual + metadata (existence, details). This matches the 'Enrich Asset' category (returning + contextual metadata for a user) and the 'Search Asset' category (searching for + the asset within the product). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action searches for a user within the Vanilla Forums platform using both - an email address and a username. It is designed to verify the existence of a user - account and retrieve associated details. The action performs two separate lookups - and returns a consolidated result indicating whether each identifier was found. + This action searches for a user within the VanillaForums platform using their + email address and username. It retrieves information from the platform to confirm + the existence of the user and provides their details if found. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | User Email | string | Yes | The email address of the user to search for. The - search is case-insensitive. | + | User Email | string | Yes | The email address of the user to search for. | - | User Name | string | Yes | The full name or username of the user to search for. - | + | User Name | string | Yes | The full name of the user to search for. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `User Email` and `User Name` - from the input parameters, performing basic sanitization (stripping whitespace - and converting email to lowercase). + 1. The action extracts the `User Email` and `User Name` from the provided action + parameters. - 2. **Manager Initialization**: It initializes the `VanillaManager` using the integration's - API Token and Base URL. + 2. It initializes the `VanillaManager` using the configured API token and base + URL. - 3. **Email Search**: The action calls the `search_user_by_email` method, which - paginates through the Vanilla Forums user list to find a matching email. + 3. It performs a search in the VanillaForums API for the user by email address. - 4. **Username Search**: The action calls the `search_user_by_name` method to check - for the existence of the provided username. + 4. It performs a search in the VanillaForums API for the user by username. - 5. **Result Compilation**: It constructs a JSON result containing boolean flags - for `Email` and `UserName` existence. If the email is found, the full user details - are included in the `UserDetails` field. + 5. It compiles the findings into a result JSON, indicating whether the user was + found by email, by username, or both, and includes the user details if available. - 6. **Final Output**: The action concludes by providing an output message summarizing - the findings and setting the execution status to completed. + 6. The action concludes by returning the result JSON and a status message to the + SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -406,8 +608,16 @@ Search User By Email and Name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the VanillaForums API to retrieve user information. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (VanillaForums) to provide context + about a user. It does not mutate any external or internal data. This qualifies + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -423,50 +633,54 @@ Search User By Email and Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters ('User Email', 'User Name') to perform the + search, rather than iterating over 'target_entities'. Therefore, it does not + run on any specific entity types. Update Badge: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a state-changing operation (assigning a badge) on an external + system (VanillaForums). It does not match any of the provided categories (Enrich + IOC, Contain Host, Update Identity, etc.) as it is a specific administrative + task for a forum platform. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Update Badge** action allows administrators to award a specific badge to - a user within the Vanilla Forums platform. This is a management action used to - reward or categorize users based on their activity or status. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **User ID** | String | Yes | The unique identifier of the user in Vanilla Forums - who will receive the badge. | - - | **Badge ID** | String | Yes | The unique identifier of the badge to be awarded - to the user. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `User ID` and `Badge ID` - from the input parameters. - - 2. **API Connection**: It establishes a connection to the Vanilla Forums instance - using the configured API Token and Base URL. - - 3. **Badge Assignment**: The action calls the `give_user_badge` method in the - manager, which sends a POST request to the `/v2/badges/{badge_id}/users` endpoint. - - 4. **Result Processing**: The response from the API, containing the details of - the assignment, is captured and added to the action's JSON results. - - 5. **Completion**: The action concludes by providing an output message indicating - whether the badge was successfully awarded. - - - ### Additional Notes - - - This action does not interact with entities present in the Google SecOps case. - It operates solely on the IDs provided in the parameters. + ### General Description: This action assigns a specific badge to a user within + the VanillaForums platform. ### Parameters Description: User ID (string, mandatory): + The ID of the user to be awarded the badge. Badge ID (string, mandatory): The + ID of the badge to be awarded to the user. ### Flow Description: 1. Extracts User + ID and Badge ID from the action parameters. 2. Initializes the VanillaManager + using the integration configuration (API Token, URL). 3. Executes the give_user_badge + method, which sends a POST request to the VanillaForums API to assign the specified + badge to the user. 4. Logs the outcome and adds the resulting JSON response to + the action results. ### Additional Notes: There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -475,12 +689,18 @@ Update Badge: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Awards a badge to a user in Vanilla Forums by sending a POST request to the - badges endpoint. + Assigns a badge to a user in the VanillaForums platform via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to assign a badge to a + user. It does not fetch contextual data for entities, nor does it modify internal + SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (assigning a badge) and does not fetch data + for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -496,43 +716,74 @@ Update Badge: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use siemplify.target_entities. It relies on user-provided + parameters (User ID and Badge ID) to perform the operation. Update Rank: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a user's rank in the VanillaForums platform. This aligns + with the 'Update Identity' category, which involves modifying account metadata, + permissions, or roles. It does not match other categories like 'Enrich IOC' + or 'Contain Host'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - The **Update Rank** action is designed to modify the rank of a specific user within - the Vanilla Forums platform. This action is primarily used for administrative - management, allowing security teams or administrators to programmatically adjust - user status or permissions based on external triggers or manual intervention. + This action updates the rank of a user within the VanillaForums platform. It allows + administrators to modify a user's rank by providing the corresponding Rank ID + and User ID. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Rank ID** | String | Yes | The unique identifier of the rank to be assigned - to the user. | + | Rank ID | string | Yes | The ID of the rank to assign to the user. | - | **User ID** | String | Yes | The unique identifier of the user whose rank is - being updated. | + | User ID | string | Yes | The ID of the user whose rank is being updated. | ### Flow Description - 1. **Initialization**: The action extracts the `Rank ID` and `User ID` from the - input parameters and retrieves the integration configuration (API Token and URL). + 1. The action extracts the `Rank ID` and `User ID` from the provided parameters. - 2. **API Interaction**: It utilizes the `VanillaManager` to call the `change_user_rank` - method. + 2. It initializes the `VanillaManager` using the configured API token and base + URL. - 3. **External Mutation**: The manager performs a `PUT` request to the Vanilla - Forums endpoint `/v2/users/{user_id}/rank` with the new rank details. + 3. It calls the `change_user_rank` method, which sends a `PUT` request to the + VanillaForums API to update the user's rank. - 4. **Outcome Reporting**: The action captures the API response, adds it as a JSON - result to the case, and provides a success or failure message based on the execution - outcome. + 4. The action concludes by returning the operation result and updating the execution + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -541,12 +792,18 @@ Update Rank: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the rank of a user in the Vanilla Forums platform by performing a PUT - request to the user's rank endpoint. + Updates the user's rank in the VanillaForums platform via a PUT request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `PUT` request to the VanillaForums API to change a user's + rank. This is an external mutation. It does not fetch data for enrichment, nor + does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external system state) and does not + fetch data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -562,51 +819,52 @@ Update Rank: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `User ID` as a direct input parameter and does not interact + with the `siemplify.target_entities` list. Therefore, it does not run on entities. Update User Role: - ai_description: >- - ### General Description - - The **Update User Role** action allows for the modification of a user's assigned - role within the Vanilla Forums platform. This action is primarily used for administrative - tasks such as promoting users, changing permissions, or managing access levels - programmatically based on security workflows. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **UserID** | String | Yes | The unique identifier of the user in Vanilla Forums - whose role is to be changed. | - - | **RoleID** | String | Yes | The unique identifier of the role to be assigned - to the user. | - - - ### Additional Notes - - This action performs a partial update (PATCH) on the user object in Vanilla Forums. - It expects a single Role ID which will be passed as an array to the external API. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Vanilla Forums manager using - the provided API Token and Base URL from the integration configuration. - - 2. **Parameter Extraction**: It extracts the `UserID` and `RoleID` from the action - parameters. - - 3. **API Request**: The action calls the `give_user_role` method in the manager, - which sends a `PATCH` request to the `/v2/users/{user_id}` endpoint with the new - `roleID` in the payload. - - 4. **Validation**: The action checks the response for errors or invalid role IDs. - - 5. **Completion**: It returns the updated user details as a JSON result and provides - a success message if the update was successful. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the role of a user in an external system (VanillaForums). + This matches the 'Update Identity' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false + ai_description: "This action updates the role of a specific user within the VanillaForums\ + \ platform. \n\n### Flow Description\n1. The action extracts the `UserID` and\ + \ `RoleID` from the provided action parameters.\n2. It initializes the `VanillaManager`\ + \ using the integration configuration (API token and base URL).\n3. The action\ + \ calls the `give_user_role` method, which sends a `PATCH` request to the VanillaForums\ + \ API to update the user's role.\n4. The updated user details are returned as\ + \ a JSON result, and the action completes with a success or failure status.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| UserID | string | Yes | The ID of the user whose\ + \ role is to be changed. |\n| RoleID | string | Yes | The ID of the role to be\ + \ assigned to the user. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -615,12 +873,17 @@ Update User Role: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'roleID' attribute of a user profile in Vanilla Forums via a PATCH - request to the /v2/users/{user_id} endpoint. + Updates the user's role in the VanillaForums platform via a PATCH request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the VanillaForums API to update a user's + role, which is an external mutation. It does not perform any internal SOAR data + mutations (like updating entities or creating insights). categories: enrichment: false + reasoning: >- + The action is a mutation action (updates user role), not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -636,3 +899,6 @@ Update User Role: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It uses action parameters + `UserID` and `RoleID` directly. diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..fe999d7be --- /dev/null +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The vanilla_forums integration provides administrative actions to manage users + within the VanillaForums platform, including Add User, Update Rank, and Update + User Role. These actions allow for the creation of users and the modification + of user privileges and roles, which aligns with the IAM & Identity Management + category. The integration does not perform SIEM, EDR, Network Security, Threat + Intelligence, Email Security, Cloud Security, ITSM, Vulnerability Management, + Asset Inventory, or Collaboration functions as defined in the provided criteria. + While the integration includes search and retrieval actions, these do not map + to the specific definitions of the other categories (e.g., they are not for IT + assets or IOCs). + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 1059c2dc3..482a3a87f 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -1,10 +1,42 @@ Add Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a note to an external entity in VectraQUX. It does not match + any of the provided categories (e.g., it is not an alert comment, ticket update, + or IOC blocklist action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds a note to a specific entity (Account, Host, or Detection) within the Vectra - platform. This action allows analysts to document findings or provide context - directly on the Vectra entity record from within Google SecOps. + Adds a note to a specific entity (Account, Host, or Detection) within the VectraQUX + platform. This action allows analysts to append contextual information or updates + directly to an entity record in the external system. ### Parameters Description @@ -13,35 +45,29 @@ Add Note: | :--- | :--- | :--- | :--- | - | Note | String | Yes | The text content of the note to be added to the entity. - | + | Note | string | Yes | The text content of the note to be added. | - | Entity ID | String | Yes | The unique numerical identifier of the entity in - Vectra. | + | Entity ID | string | Yes | The unique identifier of the entity in VectraQUX. + | - | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, - `Host`, `Detection`. | + | Entity Type | ddl | Yes | The category of the entity. Options: Account, Host, + Detection. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the note content, entity ID, and entity - type from the action inputs. + 1. The action extracts configuration parameters (API Root, API Token, Verify SSL) + and action parameters (Note, Entity ID, Entity Type). - 2. **Validation:** Validates that the provided Entity ID is a valid integer. + 2. The VectraQUX manager is initialized with the provided credentials. - 3. **API Interaction:** Sends a POST request to the Vectra API endpoint corresponding - to the entity type and ID. + 3. The Entity ID is validated to ensure it is an integer. - 4. **Result Processing:** Parses the response from Vectra, which includes the - new note's ID and creation details, and displays it in a data table and JSON result. + 4. A POST request is sent to the VectraQUX API endpoint `/{entity_type}s/{entity_id}/notes` + to create the note. - - ### Additional Notes - - This action does not automatically process entities from the current case scope; - it requires the specific Entity ID to be provided manually or via a previous playbook - step. + 5. The response is processed and added to the action results as a data table and + JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -50,12 +76,17 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record associated with a specific entity in the Vectra platform - via a POST request. + Adds a note to the specified entity in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to add a note to an external system (VectraQUX). + It does not fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a note to an external system) and does + not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -71,28 +102,52 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + ID` and `Entity Type` as direct input parameters. Add Outcome: - ai_description: "### General Description\nThe **Add Outcome** action allows users\ - \ to define and create a new outcome within the Vectra system. Outcomes are used\ - \ to categorize the resolution of assignments, providing structured feedback on\ - \ whether a detection was a true positive (malicious or benign) or a false positive.\ - \ This action is primarily used for administrative setup or to dynamically add\ - \ custom resolution categories to the Vectra platform.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Title** | String | Yes | The unique name/title for the new outcome (e.g.,\ - \ 'Confirmed Phishing'). |\n| **Category** | DDL | Yes | The broad classification\ - \ for the outcome. Supported values: `malicious_true_positive`, `benign_true_positive`,\ - \ `false_positive`. |\n\n### Flow Description\n1. **Parameter Extraction:** The\ - \ action retrieves the API configuration (Root, Token, SSL) and the user-provided\ - \ `Title` and `Category`.\n2. **Manager Initialization:** It initializes the `VectraQUXManager`\ - \ to handle communication with the Vectra API.\n3. **API Interaction:** The action\ - \ sends a `POST` request to the `/assignment_outcomes` endpoint with the specified\ - \ title and category.\n4. **Result Processing:** \n * If successful, it parses\ - \ the created outcome object.\n * It generates a data table displaying the\ - \ new Outcome ID, Title, and Category.\n * It attaches the full JSON response\ - \ to the action results for further use in playbooks.\n5. **Completion:** The\ - \ action concludes by providing a success message containing the unique ID of\ - \ the newly created outcome." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new outcome in the Vectra platform. This does not match + any of the provided product categories, such as ticket creation, IOC management, + or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + General description: Adds a new outcome to the Vectra QUX platform. Flow description: + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Title, Category). 2. Initializes the VectraQUXManager with the provided + credentials. 3. Executes the add_outcome method, which sends a POST request to + the Vectra API to create the outcome. 4. Adds the resulting outcome details to + the action result as a data table and JSON. Parameters description: Title (string, + mandatory): The unique title of the outcome. Category (ddl, mandatory): The category + of the outcome. Options: malicious_true_positive, benign_true_positive, false_positive. + Additional notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,12 +156,17 @@ Add Outcome: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new outcome definition in the Vectra system via a POST request to - the assignment outcomes endpoint. + Creates a new outcome record in the Vectra QUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra API to create a new outcome. + It does not fetch data, nor does it modify internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action performs a POST request to create an outcome in an external system. + It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -122,50 +182,90 @@ Add Outcome: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity identifiers. + It operates independently of any specific entity. Add Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates entity metadata (tags) in the VectraQUX platform. This aligns + with the 'Update Identity' category, as it modifies account metadata. It does + not fit other categories like enrichment, containment, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- - This action adds tags to specific entities (Accounts, Hosts, or Detections) within - the Vectra platform using their unique Vectra IDs. It is designed to update the - metadata of these entities to assist in categorization and tracking. + Adds tags to specified entities (Account, Host, or Detection) within the VectraQUX + platform. This action retrieves the current tags for the provided entity IDs, + merges them with the new tags, and updates the entity metadata in the external + system. - ### Parameters Description + ### Flow Description + 1. **Initialization**: Extracts configuration parameters (API Root, API Token, + SSL verification) and action parameters (Tags, Entity IDs, Entity Type). - | Parameter | Type | Mandatory | Description | + 2. **Parsing**: Processes the comma-separated strings for Tags and Entity IDs + into lists, removing duplicates. - | :--- | :--- | :--- | :--- | + 3. **Iteration**: Loops through each provided Entity ID. - | Tags | string | Yes | A comma-separated list of tags to be added to the specified - entities. | + 4. **Fetch**: Retrieves the existing tags for the current entity from the VectraQUX + platform. - | Entity IDs | string | Yes | A comma-separated list of the unique Vectra identifiers - for the entities to be tagged. | + 5. **Update**: Merges the existing tags with the new tags and performs a PATCH + request to update the entity's tags in VectraQUX. - | Entity Type | ddl | Yes | The type of Vectra entity being targeted. Options - are 'Account', 'Host', or 'Detection'. | + 6. **Reporting**: Logs the success or failure of each update and generates a result + table and JSON output for the SOAR action. - ### Flow Description + ### Parameters Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the API configuration and the - user-provided tags, entity IDs, and entity type. + | :--- | :--- | :--- | :--- | + + | Tags | String | Yes | A comma-separated list of tags to be added to the entities. + | - 2. **Validation:** It cleans the tag list and validates that the provided Entity - IDs are valid integers. + | Entity IDs | String | Yes | A comma-separated list of Entity IDs to which the + tags will be added. | - 3. **Tag Retrieval:** For each provided Entity ID, the action first fetches the - existing tags from the Vectra API to ensure no data is overwritten. + | Entity Type | DDL | Yes | The type of entity (Account, Host, or Detection) to + update. | - 4. **Tag Merging:** It merges the new tags with the existing ones, removing any - duplicates. - 5. **External Update:** The action sends a PATCH request to the Vectra API to - update the entity's tag list with the combined set. + ### Additional Notes - 6. **Result Reporting:** It compiles a status report for each ID, providing a - summary table and JSON result indicating which updates succeeded or failed. + This action performs a mutation on the external VectraQUX platform. It does not + modify internal SOAR case data, but it does output results to the action's result + object. capabilities: can_create_case_comments: false can_create_insight: false @@ -174,12 +274,21 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PATCH request to the Vectra API to update the 'tags' field - of the specified Account, Host, or Detection entities. + Updates the tag list for the specified entity (Account, Host, or Detection) + in the VectraQUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the VectraQUX API (fetches_data=true) + and performs a PATCH request to update the entity's tags (can_mutate_external_data=true). + It does not modify internal SOAR case data (entities, insights, or case comments), + only providing standard result outputs. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + tags on the VectraQUX platform). Enrichment actions must be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -195,14 +304,50 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. Instead, it accepts + a list of Entity IDs as an action parameter. Therefore, it does not run on SOAR + entities directly. Assign Entity: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an assignment between an entity and a user in the Vectra + platform. This does not match any of the provided categories (Enrichment, Ticket, + Alert, Blocklist, Identity, Host, Email, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Assigns a specific entity (either a Host or an Account) to a user within the Vectra - platform. This action is used to establish ownership and accountability for specific - entities during an investigation by creating an assignment record in the external - Vectra system. + This action assigns a specific entity (Host or Account) to a user within the Vectra + QUX platform. It facilitates the management of entity assignments by linking a + target entity to a designated user ID, enabling better tracking and ownership + of security entities. ### Parameters Description @@ -211,40 +356,39 @@ Assign Entity: | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity in Vectra. This - must be a valid integer string. | + | Entity ID | string | Yes | The unique identifier of the entity (Account or Host) + to be assigned. | - | Entity Type | DDL | Yes | The type of entity being assigned. Options are 'Account' - or 'Host'. | + | Entity Type | ddl | Yes | The type of the entity. Must be either 'Account' or + 'Host'. | - | User ID | String | Yes | The unique identifier of the user to whom the entity - will be assigned. This must be a valid integer string. | + | User ID | string | Yes | The unique identifier of the user to whom the entity + will be assigned. | - ### Additional Notes + ### Flow Description - - Both 'Entity ID' and 'User ID' are validated as integers before the API call - is made. If they are not numeric, the action will fail. + 1. **Initialization**: The action extracts configuration parameters (API Root, + API Token, SSL verification) and action parameters (Entity ID, Entity Type, User + ID). - - This action does not run on SecOps entities automatically; it requires manual - input of IDs. + 2. **Validation**: It validates that both the `Entity ID` and `User ID` are valid + integers. + 3. **Execution**: It initializes the `VectraQUXManager` and sends a POST request + to the Vectra API to create the assignment between the specified entity and the + user. - ### Flow Description + 4. **Result Handling**: Upon success, it adds the assignment details to the action + results as a data table and a JSON object containing the raw assignment data. - 1. **Parameter Extraction**: The action retrieves the API configuration (Root, - Token, SSL) and the action parameters (User ID, Entity ID, Entity Type). - 2. **Validation**: It validates that the provided 'Entity ID' and 'User ID' are - valid non-negative integers. + ### Additional Notes - 3. **API Interaction**: It initializes the VectraQUXManager and calls the `assign_entity` - method, which sends a POST request to the Vectra API endpoint `/api/v2.5/assignments` - with the assignment details. + - Both `Entity ID` and `User ID` must be provided as valid integer strings for + the action to succeed. - 4. **Result Processing**: Upon success, it parses the returned assignment data, - creates a data table for the case wall, and attaches the raw JSON response to - the action results. + - This action performs a state change in the external Vectra QUX system. capabilities: can_create_case_comments: false can_create_insight: false @@ -253,12 +397,18 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra platform, linking a specific Host - or Account entity to a designated User ID. + Creates an assignment between an entity and a user in the Vectra QUX system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra API to create an assignment + between an entity and a user. It does not fetch data, update SOAR entities, + or create insights/comments. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Vectra) to create an assignment. + It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -274,100 +424,102 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters rather than + operating on 'siemplify.target_entities'. Therefore, it does not use SOAR entities. Assign Group: - ai_description: "### General Description\nThis action adds members to a specific\ - \ group within the Vectra AI platform using its unique Group ID. It is designed\ - \ to manage group memberships dynamically by appending a list of provided identifiers\ - \ (such as hostnames, IPs, account UIDs, or domains) to an existing group. The\ - \ action validates the input, performs the update via the Vectra API, and provides\ - \ a detailed summary of which members were successfully assigned and which were\ - \ not.\n\n### Parameters Description\n| Parameter | Description | Type | Mandatory\ - \ |\n| :--- | :--- | :--- | :--- |\n| Group ID | The unique integer identifier\ - \ of the specific group in Vectra AI to which members will be added. | String\ - \ | Yes |\n| Members | A comma-separated list of member identifiers to assign\ - \ to the group. The type of identifier required depends on the group's configuration\ - \ in Vectra (e.g., IP addresses for an IP group, hostnames for a host group).\ - \ | String | Yes |\n\n### Additional Notes\n- The action uses the 'append' membership\ - \ action, meaning existing members in the group are preserved.\n- The success\ - \ of the assignment depends on whether the provided member identifiers exist and\ - \ match the group's type (Host, IP, Account, or Domain).\n- The Group ID must\ - \ be a valid positive integer.\n\n### Flow Description\n1. **Initialization**:\ - \ Retrieves configuration parameters (API Root, Token, SSL verification) and action\ - \ parameters (Group ID, Members).\n2. **Validation**: Validates that the Group\ - \ ID is a valid integer and processes the Members string into a clean list of\ - \ unique identifiers.\n3. **API Interaction**: Calls the Vectra AI API using a\ - \ PATCH request to the group's endpoint to append the new members.\n4. **Result\ - \ Processing**: Compares the requested members against the updated group membership\ - \ returned by the API to identify successful assignments and any failures.\n5.\ - \ **Output Generation**: \n - Generates a descriptive output message summarizing\ - \ the results.\n - Renders an HTML table showing the group's updated properties\ - \ and member list.\n - Returns the full group object as a JSON result for downstream\ - \ use." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates group membership in an external system (Vectra QUX). It does + not match any of the predefined categories (Enrich IOC, Contain Host, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action assigns members to a specific group in the Vectra QUX system. It allows + analysts to manage group memberships by adding a list of members to a target group. + + + ### Flow Description + + 1. Extract configuration parameters (API Root, API Token, Verify SSL). + + 2. Extract action parameters (Group ID, Members). + + 3. Call the Vectra QUX API to append the specified members to the group. + + 4. Process the API response to identify which members were successfully assigned + and which were not. + + 5. Generate an HTML view of the updated group details and add it to the action + results. + + 6. Add the full API response as JSON to the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | Yes | The ID of the specific group to update. | + + | Members | string | Yes | A comma-separated list of members to assign to the + group. | + + + ### Additional Notes + + None. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Updates group membership in the Vectra AI platform by appending new members - to a specified group via a PATCH request to the /groups/{group_id} endpoint. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Describe Assignment: - ai_description: "### General Description\nThe **Describe Assignment** action retrieves\ - \ comprehensive details for a specific assignment from Vectra QUX using its unique\ - \ ID. This action is primarily used for investigative purposes to understand who\ - \ is assigned to a specific task, the current status of the assignment, and any\ - \ associated outcomes or notes recorded in the Vectra platform.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Assignment ID** | String | Yes | The unique identifier of\ - \ the assignment in Vectra QUX. Although provided as a string, the action validates\ - \ that this value is a positive integer before processing. |\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (Root,\ - \ Token, SSL) and the mandatory `Assignment ID` from the user input.\n2. **Validation:**\ - \ It validates that the `Assignment ID` is a valid non-negative integer.\n3. **API\ - \ Interaction:** The action initializes the VectraQUX manager and performs a GET\ - \ request to the `/assignments/{assignment_id}` endpoint.\n4. **Data Processing:**\ - \ The raw JSON response is parsed into an internal data model. If the assignment\ - \ is not found, an error is raised.\n5. **Result Output:** \n * The full\ - \ raw JSON response is added to the action results.\n * A formatted data\ - \ table titled 'Describe Assignment' is created, containing key fields such as\ - \ Assigned User, Resolved By User, Outcome Title, and the associated Entity ID/Type.\n\ - \n### Additional Notes\n* This action does not operate on SecOps entities (IPs,\ - \ Hosts, etc.) directly; it requires a specific Vectra Assignment ID as input.\n\ - * If the ID does not exist in the Vectra system, the action will return a 'Failed'\ - \ status with a 'Not Found' message." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null + Updates group membership in the external Vectra QUX system. + fetches_data: false + internal_data_mutation_explanation: >- + Adds an HTML view and result JSON to the action's output. + reasoning: >- + The action performs a PATCH request to update group members in the external + Vectra QUX system (can_mutate_external_data=true). It also adds an HTML view + and result JSON to the SOAR action (can_mutate_internal_data=true). It does + not fetch data for enrichment, update entities, or modify alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating group members) and does not perform + enrichment or data retrieval. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -383,51 +535,81 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It uses action parameters `Group + ID` and `Members` to perform its task. Describe Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches assignment details from the VectraQUX API. This information + is related to detections and alerts, which aligns with the 'Get Alert Information' + category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves detailed information about a specific assignment from the VectraQUX + platform. This action fetches the assignment data using its unique ID, parses + the response, and presents the details in both a JSON format and a structured + data table within the SOAR case. - The **Describe Assignment** action retrieves comprehensive details for a specific - assignment within the Vectra QUX platform using its unique Assignment ID. This - action is designed to provide analysts with full context regarding an assignment's - lifecycle, including ownership, resolution status, and associated entities. + ### Flow - ### Parameters Description + 1. Extract configuration parameters (API Root, API Token, Verify SSL). - | Parameter | Type | Mandatory | Description | + 2. Extract the mandatory `Assignment ID` parameter. - | :--- | :--- | :--- | :--- | + 3. Validate the `Assignment ID` as an integer. - | **Assignment ID** | String | Yes | The unique identifier of the assignment to - retrieve details for. The action validates this input to ensure it is a valid - non-negative integer. | + 4. Initialize the `VectraQUXManager` to interact with the Vectra API. + 5. Perform a GET request to retrieve assignment details. - ### Flow Description + 6. Add the raw JSON response to the action results. - 1. **Input Validation**: The action first validates the provided `Assignment ID` - to ensure it is a valid integer. + 7. Construct and add a data table containing the assignment details to the SOAR + case. - 2. **API Request**: It performs a GET request to the Vectra QUX API endpoint for - assignments (`/api/v2.5/assignments/{assignment_id}`). - 3. **Data Parsing**: The manager parses the JSON response into an internal data - model, extracting details such as the assigned user, the user who resolved the - assignment, the outcome title, and the linked entity (Host or Account). + ### Parameters - 4. **Result Generation**: The action populates the result JSON with the full API - response and constructs a data table for the case wall containing the summarized - assignment information. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | + + | Assignment ID | string | Yes | The unique identifier of the assignment to retrieve. + | - ### Additional Notes - - This action does not process entities from the case scope; it relies entirely - on the provided `Assignment ID` parameter. + ### Additional Notes - - If the ID does not exist in Vectra QUX, the action will return a 'not found' - error. + - The action requires a valid `Assignment ID` to function correctly. If the ID + is invalid or not found, the action will fail and return an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -438,8 +620,19 @@ Describe Assignment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to fetch assignment details + (fetches_data=true). It does not mutate any external systems (can_mutate_external_data=false). + It does not modify any internal SOAR data (like entities, insights, or case + comments), it only outputs the retrieved information as a result JSON and a + data table (can_mutate_internal_data=false). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source but does not meet the strict + criteria for an enrichment action, as it does not enrich entities or alerts + directly, nor does it create insights or add comments. It is a data retrieval + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -455,29 +648,79 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes an `Assignment + ID` as an input parameter to perform its task. Describe Detection: - ai_description: "### General Description\nThe **Describe Detection** action retrieves\ - \ comprehensive details for a specific detection from the Vectra AI platform using\ - \ its unique Detection ID. This action is designed to provide security analysts\ - \ with deep-dive context into a specific threat event, including its state, category,\ - \ and associated source entities.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Detection\ - \ ID** | String | Yes | The unique numerical identifier of the detection to be\ - \ retrieved. This value must be a valid integer. |\n\n### Flow Description\n1.\ - \ **Initialization:** The action extracts the API configuration (Root URL, Token,\ - \ and SSL verification) and the mandatory **Detection ID** parameter.\n2. **Validation:**\ - \ The provided Detection ID is validated to ensure it is a non-negative integer.\n\ - 3. **Data Retrieval:** The action makes a GET request to the Vectra AI API endpoint\ - \ `/api/v2.5/detections/{detection_id}`.\n4. **Parsing:** The response is parsed\ - \ into a structured Detection data model, which includes attributes like detection\ - \ type, state, category, and source entity information.\n5. **Output:** \n \ - \ * A **Data Table** named 'Describe Detection' is created, summarizing key\ - \ fields (ID, Type, State, Category, Source Entity ID/Name).\n * The full\ - \ raw JSON response is attached as **JsonResult** for use in subsequent playbook\ - \ steps.\n\n### Additional Notes\n- This action does not process entities from\ - \ the case scope; it operates strictly on the provided **Detection ID** parameter.\n\ - - If the specified Detection ID does not exist in the Vectra system, the action\ - \ will return a 'Detection not found' error." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific detection from the + VectraQUX platform. This aligns directly with the 'Get Alert Information' category, + as it retrieves context about a security event/detection. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves detailed information for a specific detection from the VectraQUX platform. + This action allows analysts to fetch comprehensive data regarding a detection + by its unique ID, which is then presented as a data table and raw JSON for further + investigation. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the required API credentials + (API Root, API Token) and the mandatory `Detection ID` from the action parameters. + + 2. **Manager Initialization**: It initializes the `VectraQUXManager` using the + provided credentials to establish a connection to the VectraQUX API. + + 3. **Data Retrieval**: The action calls the `describe_detection` method to fetch + the full details of the specified detection. + + 4. **Result Presentation**: The retrieved detection data is formatted into a readable + table and the raw JSON response is added to the action results for the analyst + to review. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection ID | string | Yes | The unique identifier of the detection to retrieve + from VectraQUX. | + + + ### Additional Notes + + This action is a read-only operation and does not modify any data within the VectraQUX + platform or the Google SecOps case. capabilities: can_create_case_comments: false can_create_insight: false @@ -488,8 +731,17 @@ Describe Detection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve detection details from the VectraQUX + API. It does not perform any write operations (POST/PUT/DELETE) on external + systems, nor does it modify any internal Google SecOps data (entities, insights, + or case comments). It simply outputs the retrieved data to the action result. categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not meet the criteria for an Enrichment + Action because it does not update entities, create insights, or add case comments. + It is strictly a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -505,52 +757,81 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates based + on a provided `Detection ID` parameter. Describe Entity: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves detailed metadata about an entity (Account or Host) from + Vectra QUX. This aligns with the 'Enrich Asset' category, as it provides contextual + information about a resource. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Describe Entity** action retrieves comprehensive details for a specific - entity (either a Host or an Account) from the Vectra AI platform using its unique - identifier. This action is designed to provide deep-dive visibility into a specific - asset's state, threat scores, and associated detections within the Vectra environment. + Retrieves detailed information about a specific entity (Account or Host) from + the Vectra QUX platform. This action fetches entity metadata, including threat + scores, tags, and detection sets, and presents the information in a structured + format. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + |---|---|---|---| - | Entity ID | String | Yes | The unique numerical identifier for the Account or - Host in Vectra. | + | Entity ID | string | Yes | Unique identifier for the Account or Host. | - | Entity Type | DDL | Yes | The category of the entity to retrieve. Must be either - 'Account' or 'Host'. | + | Entity Type | ddl | Yes | Type of entity to describe (Account or Host). | - ### Flow Description + ### Additional Notes - 1. **Initialization:** The action extracts the API configuration (Root URL, Token) - and the user-provided parameters (Entity ID and Type). + The action requires both `Entity ID` and `Entity Type` to be provided to successfully + query the Vectra QUX API. If the entity is not found, the action will fail. - 2. **Validation:** The Entity ID is validated to ensure it is a non-negative integer. - 3. **API Interaction:** The action performs a GET request to the Vectra API v2.5 - endpoint specific to the entity type (e.g., `/api/v2.5/hosts/{id}` or `/api/v2.5/accounts/{id}`). + ### Flow Description - 4. **Data Parsing:** The raw JSON response is parsed into a structured Entity - object, extracting fields such as Name, State, Threat Score, Severity, and Tags. + 1. Initialize `SiemplifyAction`. - 5. **Output Generation:** The action generates a data table titled 'Describe Entity' - containing a summary of the asset and attaches the full raw JSON response to the - action results for further inspection. + 2. Extract configuration parameters (API Root, Token, SSL). + 3. Extract action parameters (Entity ID, Entity Type). - ### Additional Notes + 4. Validate Entity ID. - This action does not automatically iterate over entities present in the Google - SecOps case. It requires the user to manually provide the specific Vectra Entity - ID. If the ID is not found, the action will return a failure status. + 5. Call `VectraQUXManager.describe_entity` to fetch data from the Vectra API. + + 6. Add the retrieved entity details to the action result as a data table and JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -561,8 +842,17 @@ Describe Entity: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve entity details from the Vectra + QUX API. It does not perform any mutations on external systems or internal SOAR + data (entities, insights, comments). It only outputs the retrieved data to the + action results. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (Vectra QUX) and displays it + in the result. It does not mutate external systems or internal SOAR data (entities, + insights, comments). It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -578,25 +868,76 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Entity ID` and `Entity Type` as input parameters. It does + not operate on the `target_entities` list provided by the SOAR platform. Therefore, + it does not run on entities in the context of the SOAR entity model. Download PCAP: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action downloads a PCAP file from the Vectra QUX platform. This matches + the 'Download File' category. It does not perform any other actions like enrichment, + ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description Downloads a Packet Capture (PCAP) file from Vectra QUX - for a specific detection ID. This action allows analysts to retrieve raw network - traffic data associated with a security event for further forensic investigation. - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- - | :--- | :--- | :--- | | **Detection ID** | String | Yes | The unique identifier - of the detection to retrieve the PCAP file for. Although provided as a string, - the action validates that it is a valid integer. | ### Flow Description 1. **Initialization**: - The action initializes the Vectra QUX manager using the provided API Root and - Token. 2. **Validation**: The input Detection ID is validated to ensure it is - a non-negative integer. 3. **Data Retrieval**: The action sends a GET request - to the Vectra QUX API to download the PCAP file content associated with the detection. - 4. **File Processing**: It extracts the filename from the response headers and - saves the file locally. 5. **Result**: The PCAP file is attached to the action - result in Google SecOps, and a success message is returned. ### Additional Notes - - This action does not operate on entities; it requires a manual input of a Detection - ID. - Per Google SecOps categorization rules, actions that download files are - not classified as enrichment actions. + Downloads a PCAP file from the Vectra QUX platform for a specific detection ID. + This action retrieves the PCAP file associated with a given detection and attaches + it to the SOAR action result for further analysis. + + + ### Flow Description + + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and the + mandatory Detection ID. + + 2. Initializes the `VectraQUXManager` to interact with the Vectra API. + + 3. Validates the provided Detection ID as an integer. + + 4. Requests the PCAP file from the Vectra API using the detection ID. + + 5. Saves the file locally and attaches it to the SOAR action result. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection ID | string | Yes | The unique identifier of the detection for which + the PCAP file is requested. | + + + ### Additional Notes + + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -607,8 +948,16 @@ Download PCAP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a PCAP file from the Vectra QUX + API. It does not modify external systems or internal SOAR data (entities, insights, + etc.). It adds an attachment to the action result, which is a standard output + mechanism and not considered a mutation of internal case data. categories: enrichment: false + reasoning: >- + The action downloads a file, which is explicitly excluded from the enrichment + category per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -624,75 +973,70 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on a `Detection ID` parameter provided by the user. Therefore, it does not run + on any specific entity types. List Assignments: - ai_description: >- - ### General Description - - The **List Assignments** action retrieves a list of assignments from the Vectra - QUX platform based on various filtering criteria. It is primarily used for auditing, - reporting, or identifying specific task assignments related to hosts or accounts - within the Vectra environment. The action supports pagination and allows users - to limit the number of returned records. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Accounts IDs | String | No | Comma-separated list of account IDs to filter the - assignments. | - - | Hosts IDs | String | No | Comma-separated list of host IDs to filter the assignments. - | - - | Assignees IDs | String | No | Comma-separated list of user IDs (assignees) to - filter the assignments. | - - | Resolution IDs | String | No | Comma-separated list of outcome/resolution IDs - to filter the assignments. | - - | Resolved | DDL | No | Filters assignments by their resolution status. Options: - `None` (no filter), `True` (resolved only), `False` (unresolved only). | - - | Created After | String | No | Filters assignments created after a specific timestamp. - Supports relative formats (e.g., '2 hours', '2 days') or absolute ISO formats. - | - - | Limit | String | No | Specifies the maximum number of assignment records to - fetch. Defaults to the system limit if not provided. | - - - ### Additional Notes - - - This action does not operate on specific entities within the Google SecOps scope; - it performs a global search based on the provided parameters. - - - If no assignments match the criteria, the action will complete successfully - with a message indicating no results were found. - - - ### Flow Description - - 1. **Parameter Initialization:** The action extracts configuration settings (API - Root, Token) and user-provided filters. - - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a non-negative - integer and processes comma-separated ID strings into lists. - - 3. **Query Construction:** A query parameter mapping is built using the provided - filters such as `resolved` status and `created_after` timestamps. - - 4. **API Interaction:** The action calls the Vectra QUX API's assignments endpoint - using a paginated GET request to retrieve the data. - - 5. **Data Processing:** The raw JSON response is parsed into internal assignment - objects. - - 6. **Output Generation:** The results are presented as a structured data table - named 'Assignment Details' and the full raw JSON is attached to the action result. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of assignments from VectraQUX. It does not match + any of the specific categories like 'Enrich IOC', 'Enrich Asset', 'Update Alert', + etc. It is a general search/list action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **List Assignments** action retrieves\ + \ a list of assignments from the VectraQUX platform based on specified filter\ + \ criteria. This action is useful for auditing or reviewing the status of assignments\ + \ within the VectraQUX environment, allowing analysts to filter by accounts, hosts,\ + \ assignees, resolution status, and creation time.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Accounts IDs | string | No | Comma-separated account IDs to filter out accounts.\ + \ |\n| Hosts IDs | string | No | Comma-separated host IDs to filter out accounts.\ + \ |\n| Assignees IDs | string | No | Comma-separated assignment IDs to filter\ + \ out accounts. |\n| Resolution IDs | string | No | Comma-separated outcome IDs\ + \ to filter out accounts. |\n| Resolved | ddl | No | Filter by resolved status\ + \ (True/False). |\n| Created After | string | No | Filter by created after the\ + \ timestamp. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months,\ + \ 2 years, yyyy-mm-dd, yyyy-mm-ddTHH: MM:SSZ. |\n| Limit | string | No | Specify\ + \ the limit for fetching the records. |\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `SiemplifyAction` and extracts configuration parameters\ + \ (API Root, API Token, Verify SSL) and action parameters.\n2. **Validation**:\ + \ It validates the provided parameters, such as the `Limit` and various ID fields,\ + \ ensuring they are in the correct format.\n3. **Manager Setup**: It initializes\ + \ the `VectraQUXManager` with the provided credentials to establish a connection\ + \ to the VectraQUX API.\n4. **Data Retrieval**: It queries the VectraQUX API for\ + \ assignments using the provided filters (Accounts, Hosts, Assignees, Resolution,\ + \ Resolved status, Created After).\n5. **Result Processing**: \n - If assignments\ + \ are found, it constructs a data table titled \"Assignment Details\" and adds\ + \ it to the action results.\n - It adds the raw assignment data as a JSON result.\n\ + 6. **Completion**: The action finishes by logging the status and returning the\ + \ output message." capabilities: can_create_case_comments: false can_create_insight: false @@ -703,8 +1047,19 @@ List Assignments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve assignment data from the VectraQUX + API. It does not mutate external systems or internal case data. It simply reports + the retrieved data in a table and JSON format, which are standard output mechanisms + and not considered internal mutations. categories: enrichment: false + reasoning: >- + The action fetches data (assignments) from an external system (VectraQUX). It + does not mutate external data. It does not modify internal SOAR data (entities, + insights, comments). Therefore, it is not an enrichment action (which requires + fetching data about entities/alerts to enrich them, or updating entities/insights). + This action is a list/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -720,52 +1075,64 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses action + parameters to filter the API call, and therefore does not run on any specific + entity types. List Entity Detections: - ai_description: >- - ### General Description - - The **List Entity Detections** action retrieves a comprehensive list of security - detections associated with a specific entity (either a Host or an Account) from - the Vectra QUX platform. This action allows analysts to query the Vectra API for - historical or active threat data related to a specific asset identifier, providing - visibility into the types of malicious activity detected for that asset. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Entity ID** | String | Yes | The unique identifier for the Host or Account - within Vectra QUX. | - - | **Entity Type** | DDL | Yes | Specifies whether the provided ID belongs to a - `Host` or an `Account`. | - - | **Limit** | String | No | The maximum number of detection records to retrieve. - | - - | **State** | DDL | Yes | Filters the detections by their current status. Supported - values are `Active`, `Inactive`, and `Fixed`. | - - - ### Flow Description - - 1. **Initialization**: The action initializes the Vectra QUX manager using the - provided API Root and Token. - - 2. **Validation**: It validates that the `Entity ID` and `Limit` parameters are - valid integers. - - 3. **API Request**: It constructs a search query for the `/api/v2.5/search/detections` - endpoint, targeting the specific entity ID and filtering by the chosen state. - - 4. **Pagination**: The action utilizes a paginator to fetch results up to the - specified limit. - - 5. **Output**: The retrieved detections are parsed into a JSON result and a formatted - data table titled 'List Entity Detections' for display in the case wall. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches a list of detections for a specific entity from VectraQUX. + This matches the 'Search Events' category (returns historical logs/telemetry) + and 'Get Alert Information' (fetches information about the entity's detections + from the 3rd party product). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Lists all detections for a specified entity (Account or Host) from\ + \ the VectraQUX platform. This action retrieves detection data based on the provided\ + \ entity ID, type, and state, and outputs the results as a JSON object and a data\ + \ table.\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts\ + \ configuration parameters (API Root, API Token, Verify SSL) and action parameters\ + \ (Entity ID, Entity Type, Limit, State).\n2. **Validation**: It validates the\ + \ provided parameters, ensuring the Entity ID and Limit are valid integers.\n\ + 3. **API Interaction**: It initializes the `VectraQUXManager` and calls the API\ + \ to retrieve detections for the specified entity, filtering by the provided state.\n\ + 4. **Result Processing**: \n - If detections are found, it adds the JSON representation\ + \ of the detections to the action result and constructs a data table for the action\ + \ output.\n - If no detections are found, it adds the JSON result to the action\ + \ output.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Entity ID | string | Yes | The unique ID\ + \ for the Account or Host. |\n| Entity Type | ddl | Yes | The type of entity.\ + \ Options: Account, Host. |\n| Limit | string | No | The maximum number of records\ + \ to fetch. |\n| State | ddl | Yes | The state to filter detections. Options:\ + \ Active, Inactive, Fixed. |\n\n### Additional Notes\n- The action performs a\ + \ GET request to the VectraQUX API and does not modify any external system state.\ + \ It is a read-only operation regarding external systems." capabilities: can_create_case_comments: false can_create_insight: false @@ -776,8 +1143,20 @@ List Entity Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches detection data from the VectraQUX API (fetches_data=true). + It does not perform any POST/PUT/DELETE operations on external systems (can_mutate_external_data=false). + It adds result JSON and a data table to the SOAR action output, which is not + considered a mutation of existing internal data (can_mutate_internal_data=false). + It does not update entities, create insights, modify alert data, or create case + comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches detection data from an external system (VectraQUX) to provide + context about an entity. It does not mutate external systems and does not modify + existing internal data (it only adds new output). Therefore, it qualifies as + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -793,91 +1172,99 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters. It does + not iterate over the `siemplify.target_entities` list provided by the SOAR platform. + Therefore, it does not run on entities in the context of the SOAR entity object + model. List Groups: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action lists groups from the VectraQUX platform based on user-provided filters. + It does not enrich IOCs or assets, update alerts, create tickets, or perform + containment actions. It is a search/list operation that does not fit into the + provided specific product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **List Groups** action retrieves a list of groups from the Vectra QUX platform - based on user-defined filtering criteria. It allows security analysts to search - for specific groups by associated hosts, accounts, domains, IP addresses, or metadata - such as importance and modification history. This action is primarily used for - administrative oversight and identifying group memberships within the Vectra environment. + Lists groups from the VectraQUX platform based on provided filters. This action + allows users to search for groups by various criteria such as host names, account + names, domains, IPs, importance, and type. It retrieves the matching groups from + the VectraQUX API and presents the results in a data table and as a JSON object. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Host Names** | String | No | Comma-separated list of host names to filter - groups. | - - | **Account Names** | String | No | Comma-separated list of account names to filter - groups. | - - | **Domains** | String | No | Comma-separated list of domains to filter groups. - | - - | **Host Ids** | String | No | Comma-separated list of host IDs to filter groups. - | - - | **Importance** | DDL | No | Filter groups by importance level (low, medium, - high, never_prioritize). | + | Host Names | string | No | Comma separated values of host names. | - | **IPs** | String | No | Comma-separated list of IP addresses to filter groups. - | + | Account Names | string | No | Comma separated values of account names. | - | **Last Modified Timestamp GTE** | String | No | Filter groups modified on or - after this timestamp (Greater Than or Equal). | + | Domains | string | No | Comma separated values of domains. | - | **Last Modified By** | String | No | Filter groups modified by a specific username. - | + | Host Ids | string | No | Comma separated values of host ids. | - | **Name** | String | No | Filter by the specific name of the group. | + | Importance | ddl | No | Importance of group (low, medium, high, never_prioritize, + None). | - | **Type** | DDL | No | Filter by group type (host, account, ip, domain). | + | IPs | string | No | Comma separated values of ips. | - | **Limit** | String | No | The maximum number of group records to retrieve. Defaults - to the system limit if not specified. | + | Last Modified Timestamp GTE | string | No | Last modified timestamp (greater + or equal) of group. | - | **Description** | String | No | Case-insensitive match for the group description. - | + | Last Modified By | string | No | Username who has modified the group. | + | Name | string | No | Name of group. | - ### Additional Notes - - - If no parameters are provided, the action will attempt to list all groups up - to the specified limit. + | Type | ddl | No | Type of group (host, account, ip, domain, None). | - - The `Limit` parameter is validated to ensure it is a non-negative integer; a - value of "0" will result in an error. + | Limit | string | No | Specify limit for fetching records. | - - Comma-separated string parameters (like Host Names or IPs) are automatically - cleaned of whitespace and duplicates before the request is made. + | Description | string | No | Description of group (case insensitive match). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Token) and user-provided filter parameters from the Google SecOps environment. + 1. Extracts configuration parameters (API Root, API Token, Verify SSL). + + 2. Extracts action parameters (filters for the group search). - 2. **Validation:** The `Limit` parameter is validated to ensure it is a proper - integer greater than zero. + 3. Initializes the `VectraQUXManager` to interact with the VectraQUX API. - 3. **API Request:** The `VectraQUXManager` constructs a GET request to the `/api/v2.5/groups` - endpoint, applying the provided filters as query parameters. + 4. Calls the `get_group_list` method to retrieve groups matching the provided + filters. - 4. **Pagination:** The action handles paginated responses from the Vectra API - to collect all relevant group objects up to the defined limit. + 5. If groups are found, adds a data table and a JSON result to the action output. - 5. **Output Generation:** - - A data table named "List Of Groups" is created containing the ID, Name, - Type, and Description of each found group. - - The full raw JSON response is attached to the action results for further - processing. - - A summary message is returned indicating the number of groups successfully - retrieved. + 6. Logs the execution status and handles any potential errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -888,8 +1275,16 @@ List Groups: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the VectraQUX API using a GET request (`get_group_list`). + It does not mutate any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (VectraQUX) but does not gather + supplemental context about alerts or entities in the context of enrichment. + It is a search/list operation, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -905,56 +1300,74 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses user-provided parameters to filter + the search. List Outcomes: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of assignment outcomes from the VectraQUX API. It + does not perform enrichment on entities or alerts, nor does it modify any external + or internal data. It does not fit into the specific categories provided (e.g., + enrichment, containment, ticketing, or alert information). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Lists all assignment outcomes from the Vectra QUX platform. This action retrieves - a collection of outcome objects which define the possible results or resolutions - for assignments (e.g., 'True Positive', 'Benign'). It is primarily used for administrative - discovery or to provide context for other assignment-related actions within the - Vectra QUX ecosystem. + Lists assignment outcomes from the VectraQUX platform. This action retrieves a + list of configured assignment outcomes, allowing analysts to view available options + for resolving assignments within the VectraQUX system. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Limit | string | No | Specifies the maximum number of outcome records to retrieve. - The value is validated as a positive integer. If not provided, the action fetches - all available records up to the system's default limit. | - - - ### Additional Notes - - - This action does not require any entities to be present in the context to run. - - - The results are presented both as a structured data table ('Outcome Details') - and as a raw JSON object for downstream playbook processing. + | Limit | string | No | Specifies the maximum number of outcomes to return. | ### Flow Description - 1. **Parameter Initialization**: The action extracts the API Root, API Token, - and SSL verification settings from the integration configuration. - - 2. **Input Validation**: The 'Limit' parameter is extracted and validated to ensure - it is a valid non-negative integer. + 1. Initialize the `VectraQUXManager` using the provided API credentials (`API + Root`, `API Token`, `Verify SSL`). - 3. **API Interaction**: The action initializes the VectraQUXManager and calls - the `get_outcome_list` method, which performs a GET request to the `/assignment_outcomes` - endpoint. + 2. Validate the `Limit` parameter to ensure it is a valid non-negative integer. - 4. **Pagination**: If the number of outcomes exceeds the page size, the manager - handles pagination automatically to retrieve the requested number of records. + 3. Call the VectraQUX API to retrieve the list of assignment outcomes. - 5. **Data Processing**: The raw JSON response is parsed into Outcome data models. + 4. If outcomes are retrieved, construct a CSV table of the outcome details and + add it to the action results. - 6. **Output Generation**: The action constructs a CSV-formatted data table for - the case wall and attaches the full JSON response to the action results. + 5. Add the raw outcome data as a JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -965,8 +1378,18 @@ List Outcomes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to retrieve a list of + assignment outcomes. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply presents the retrieved + data in the action results. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves configuration data (assignment outcomes) from an external + system. It does not gather supplemental context about specific alerts or entities, + nor does it update entity profiles or create insights. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -982,29 +1405,67 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any specific + entity objects. It performs a global fetch of configuration data. List Users: - ai_description: >- - ### General Description\nLists users from the Vectra AI platform based on various - filtering criteria. This action allows security analysts to search for user accounts - by role, username, account type, authentication profile, or last login time. The - results are presented as a data table and a raw JSON object for further processing.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Role | String | No | Filter users by their assigned - role. |\n| Authentication Profile | String | No | Filter users by their authentication - profile. |\n| Last Login GTE | String | No | Filter users whose last login timestamp - is greater than or equal to this value. |\n| User Name | String | No | Filter - by a specific username. |\n| Account Type | String | No | Filter by the type of - account. |\n| Limit | String | No | The maximum number of user records to retrieve. - |\n\n### Additional Notes\nThis action does not require any input entities and - operates as a standalone search utility. If no users are found, the action will - complete successfully with an informative message.\n\n### Flow Description\n1. - **Parameter Extraction**: Retrieves API configuration and user-defined filters - from the action parameters.\n2. **Validation**: Validates the 'Limit' parameter - to ensure it is a non-negative integer.\n3. **API Interaction**: Initializes the - VectraQUXManager and calls the user list endpoint with the specified filters.\n4. - **Pagination**: Handles paginated responses from the Vectra AI API to collect - users up to the defined limit.\n5. **Output Generation**: Constructs a data table - 'List Of Users' and attaches the raw JSON results to the action output. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of users from the VectraQUX platform. It does not + match any of the provided categories (e.g., Enrich IOC, Enrich Asset, Search + Events, etc.) as it is a general list retrieval action rather than an enrichment + or search action targeting specific assets or alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nLists users from the VectraQUX platform\ + \ based on provided query parameters. This action retrieves user information such\ + \ as ID, username, role, account type, and last login timestamp, and presents\ + \ the results in a data table and a JSON output.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: The action retrieves the API Root, API Token, and SSL verification\ + \ settings from the integration configuration.\n2. **Parameter Extraction**: It\ + \ extracts optional filters including Role, User Name, Account Type, Authentication\ + \ Profile, Last Login GTE, and Limit.\n3. **Validation**: The 'Limit' parameter\ + \ is validated to ensure it is a non-negative integer.\n4. **API Interaction**:\ + \ The action initializes the `VectraQUXManager` and calls the Vectra API to fetch\ + \ the user list based on the provided filters.\n5. **Result Output**: \n -\ + \ If users are found, it constructs a CSV data table of the user details and adds\ + \ it to the action results.\n - It adds the raw user list as a JSON result.\n\ + \ - If no users are found, it provides an appropriate output message.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Role | string | No | Filter users by their assigned\ + \ role. |\n| Authentication Profile | string | No | Filter users by their authentication\ + \ profile. |\n| Last Login GTE | string | No | Filter users whose login timestamp\ + \ is greater than or equal to this value. |\n| User Name | string | No | Filter\ + \ users by their username. |\n| Account Type | string | No | Filter users by their\ + \ account type. |\n| Limit | string | No | Specify the maximum number of records\ + \ to fetch. |\n\n### Additional Notes\nThere are no mandatory action parameters.\ + \ If no filters are provided, the action will attempt to list users based on the\ + \ default API behavior." capabilities: can_create_case_comments: false can_create_insight: false @@ -1015,8 +1476,16 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to retrieve a list of + users. It does not modify any external systems or internal SOAR data (entities, + insights, etc.). It only outputs the retrieved data to the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of users from the VectraQUX platform. It does not + enrich specific entities or alerts within the case, nor does it meet the criteria + for an enrichment action as defined (gathering context about alerts/entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1032,22 +1501,74 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It is a standalone + search/list action that does not operate on specific entities. Mark Detection Fixed: - ai_description: "Marks specific detections as 'fixed' within the Vectra QUX platform.\ - \ This action allows analysts to programmatically update the state of one or more\ - \ detections by providing their unique identifiers. \n\n### Parameters\n| Parameter\ - \ | Description | Type | Mandatory | Notes |\n|-----------|-------------|------|-----------|-------|\n\ - | Detection IDs | A comma-separated list of numeric detection IDs to be marked\ - \ as fixed. | String | Yes | Each ID is validated as a positive integer before\ - \ processing. |\n\n### Flow Description\n1. **Initialization**: Retrieves API\ - \ configuration (Root URL, Token, SSL verification) and the 'Detection IDs' action\ - \ parameter.\n2. **Validation**: Splits the input string by commas and validates\ - \ that each provided ID is a valid non-negative integer.\n3. **API Interaction**:\ - \ Uses the `VectraQUXManager` to send a `PATCH` request to the Vectra API endpoint\ - \ (`/api/v2.5/detections`). The request payload includes the list of IDs and sets\ - \ the `mark_as_fixed` attribute to `True`.\n4. **Result Processing**: Captures\ - \ the API response, attaches it as a JSON result to the action, and provides a\ - \ success or failure message based on the outcome." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of detections in the external VectraQUX platform. + It does not match any of the provided categories (e.g., it is not an enrichment, + it does not update a SecOps alert, it does not create a ticket, it does not + contain a host). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Marks specified detections as fixed in the VectraQUX platform. This action updates + the status of detections in the external system based on the provided detection + IDs. + + + ### Flow Description + + 1. Extracts configuration (API Root, Token, SSL verification) and action parameters + (Detection IDs). + + 2. Validates the provided Detection IDs. + + 3. Sends a PATCH request to the VectraQUX API to update the status of the specified + detections to "fixed". + + 4. Adds the API response to the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection IDs | string | Yes | Comma separated values of IDs. | + + + ### Additional Notes + + None. capabilities: can_create_case_comments: false can_create_insight: false @@ -1056,12 +1577,19 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the state of detections in the Vectra QUX platform to 'fixed' via a - PATCH request. + Updates the status of specified detections to 'fixed' in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to update the status of detections in an + external system (VectraQUX). It does not fetch data, nor does it modify internal + SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a PATCH request to update the status of detections in an + external system (VectraQUX). It does not fetch data, nor does it modify internal + SOAR data or entities. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1077,44 +1605,85 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes a comma-separated string of Detection + IDs as an input parameter. Mark Entity Fixed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action marks detections as fixed in the Vectra AI platform. This is an external + state change. None of the provided categories (Enrich IOC, Enrich Asset, Update + Alert, etc.) specifically cover "Mark Detection Fixed" or "Update Detection + Status". Therefore, all categories are false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Marks all detections associated with a specific entity (Host or Account) as 'fixed' - in the Vectra platform. This action is useful for bulk-remediating or closing - out all security events related to a specific asset or user account once an investigation - is complete. + Marks all detections for a specified entity as fixed in the Vectra AI platform. + This action retrieves the entity's details, identifies associated detections, + and updates their status to "fixed" in the external system. - ### Parameters Description + ### Parameters description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra. + | Entity ID | string | Yes | Unique ID for the entity. | + + | Entity Type | string | Yes | Type of Entity, can be either Account or Host. | - | Entity Type | ddl | Yes | The type of entity to target. Must be either 'Account' - or 'Host'. | + ### Additional notes - ### Flow Description + This action requires `Entity ID` and `Entity Type` to be provided as parameters. + It does not operate on existing SOAR entities but rather uses the provided parameters + to perform the operation. + + + ### Flow description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Token, SSL) - and action parameters (Entity ID, Entity Type). + 1. Initialize `SiemplifyAction` and extract configuration parameters (API Root, + API Token, Verify SSL). - 2. **Validation**: Validates that the provided Entity ID is a valid integer. + 2. Extract action parameters (`Entity ID`, `Entity Type`). - 3. **Entity Retrieval**: Calls the Vectra API to describe the specified entity - and retrieve its current list of associated detection IDs. + 3. Initialize `VectraQUXManager` with the provided credentials. - 4. **Detection Update**: If detections are found, the action sends a PATCH request - to Vectra's detections endpoint to mark all retrieved detection IDs as fixed. + 4. Retrieve entity details using `describe_entity` to get associated detection + IDs. - 5. **Result Reporting**: Outputs a success message indicating the number of detections - updated and provides the raw API response as JSON. + 5. If detections are found, call `mark_detection_as_fixed` to update their status + in the Vectra platform. + + 6. Add the API response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1123,12 +1692,20 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of detections in the Vectra platform by marking them as 'fixed' - via a PATCH request. + Marks detections associated with the entity as fixed in the Vectra AI platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity data from the Vectra API (`describe_entity`) and then + performs a PATCH request (`mark_detection_as_fixed`) to update the status of + detections in the external system. It does not modify internal SOAR data, update + entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (marks detections as fixed) and does not meet + the criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1144,54 +1721,80 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Entity ID` and `Entity Type` as input parameters and does + not iterate over `siemplify.target_entities`. Therefore, it does not run on + entities in the SOAR sense. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the specific + functional outcomes listed (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests the connectivity of the Chronicle SOAR server to the Vectra platform. This + action verifies that the integration is correctly configured and can communicate + with the VectraQUX API. - The **Ping** action is a utility designed to verify the connectivity between the - Google SecOps (Chronicle) environment and the Vectra platform. It ensures that - the provided credentials (API Root and API Token) are valid and that the network - path is open. + ### Flow Description - ### Parameters Description + 1. The action initializes the integration and extracts the required configuration + parameters: API Root, API Token, and Verify SSL. - | Parameter | Type | Mandatory | Description | + 2. It instantiates the `VectraQUXManager` using the provided credentials. - | :--- | :--- | :--- | :--- | + 3. The action calls the `test_connectivity` method, which performs a GET request + to the VectraQUX API to verify the connection. - | **API Root** | String | Yes | The base URL of the Vectra API instance. | + 4. If the request is successful, the action completes with a success message. + If the request fails, the action reports the failure and the error details. - | **API Token** | String | Yes | The API token used for authentication with the - Vectra platform. | - | **Verify SSL** | Boolean | Yes | If enabled, the action will verify the SSL - certificate of the Vectra server. Default is `True`. | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action retrieves the configuration parameters (API - Root, API Token, and SSL verification setting). + | API Root | string | Yes | The base URL for the VectraQUX API. | - 2. **Manager Setup**: It initializes the `VectraQUXManager` with the provided - credentials. + | API Token | string | Yes | The authentication token for the VectraQUX API. | - 3. **Connectivity Test**: The manager executes a `test_connectivity` call, which - performs a simple `GET` request to the Vectra `hosts` endpoint to validate the - connection. + | Verify SSL | boolean | Yes | Whether to verify SSL certificates for the connection. + | - 4. **Result Handling**: - - If the request is successful, the action returns a success message and a - `True` result. - - If an exception occurs (e.g., authentication failure, timeout, or invalid - URL), the action catches the error, logs the details, and returns a failure message - with a `False` result. ### Additional Notes - - This action does not interact with any entities or modify any data. It is strictly - for diagnostic purposes. + This action is a connectivity test and does not perform any data enrichment or + system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -1200,10 +1803,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the VectraQUX API. + It does not mutate external or internal data, nor does it update entities, create + insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action by the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1219,49 +1829,73 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Remove Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an assignment from an entity in Vectra, which modifies the + entity's metadata. This aligns with the 'Update Identity' category, which covers + modifications to account metadata. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- - Removes an assignment from a specific entity (Host or Account) in Vectra AI. This - action is used to clear the triage or ownership status of an entity within the - Vectra platform by deleting the associated assignment record. + Removes an assignment from a specified entity (Account or Host) in the Vectra + QUX platform. This action retrieves the entity's current assignment details and + then deletes the assignment. ### Parameters - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Entity ID | The unique identifier of the entity in Vectra for which the assignment - should be removed. | String | Yes | Must be a valid integer string. | + | Entity ID | string | Yes | The unique identifier of the entity (Account or Host) + from which the assignment should be removed. | - | Entity Type | The category of the entity. | DDL | Yes | Options are 'Account' - or 'Host'. | + | Entity Type | ddl | Yes | The type of the entity. Options: Account, Host. | ### Flow Description - 1. **Validation**: The action validates that the provided 'Entity ID' is a valid - integer. - - 2. **Entity Retrieval**: It fetches the current details of the specified entity - from Vectra AI to check for an existing assignment. + 1. Extract configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Entity ID, Entity Type). - 3. **Assignment Identification**: If an assignment is found, the action extracts - the unique 'Assignment ID'. + 2. Initialize the `VectraQUXManager` with the provided credentials. - 4. **Deletion**: It executes a DELETE request to the Vectra API to remove the - identified assignment. + 3. Call `describe_entity` to retrieve the entity's current details and assignment + information. - 5. **Outcome**: If no assignment is found on the entity, the action reports a - failure state indicating the entity has no assignment to remove. + 4. If an assignment exists, call `remove_assignment` to delete it from the Vectra + platform. - - ### Additional Notes - - This action requires the 'Entity ID' and 'Entity Type' to be explicitly provided - as parameters and does not automatically iterate over entities in the Google SecOps - case scope. + 5. Return the execution status and a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1270,12 +1904,19 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an assignment record in the Vectra AI platform via a DELETE request - to the assignments API endpoint. + Removes an assignment from an entity in the external Vectra QUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity details (GET request) to identify the assignment ID, + then performs a DELETE request to remove the assignment in the external Vectra + system. It does not modify internal SOAR case data (e.g., insights, entities, + or comments). categories: enrichment: false + reasoning: >- + The action mutates external data (removes an assignment), which violates the + requirement for enrichment actions to be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1291,14 +1932,50 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action accepts 'Entity ID' and 'Entity Type' as input parameters rather + than iterating over the SOAR 'target_entities' list. Therefore, it does not + operate on SOAR entities directly. Remove Group: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies group membership in the VectraQUX system. This aligns with + the definition of `Update Identity` ('Modifies account metadata, such as group + memberships, permissions, or contact information'). It does not fit other categories + like `Enrich IOC` or `Contain Host`. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - The **Remove Group** action allows users to remove specific members from a group - in Vectra AI using the group's unique ID. This action is designed to manage group - memberships dynamically, which is useful for containment or policy adjustments - during an investigation. + This action removes specified members from a group within the VectraQUX system. + It validates the provided group ID, fetches the current group members, and then + performs an update to remove the requested members. ### Parameters Description @@ -1307,47 +1984,27 @@ Remove Group: | :--- | :--- | :--- | :--- | - | **Group ID** | String | Yes | The unique identifier of the group in Vectra. - Although provided as a string, the action validates it as a positive integer. - | + | Group ID | string | Yes | The ID of the specific group to modify. | - | **Members** | String | Yes | A comma-separated list of members to be removed - from the group. The identifier type (e.g., IP, hostname, account UID, or domain) - must correspond to the group's defined type. | + | Members | string | Yes | A comma-separated list of members to remove from the + group. | ### Flow Description - 1. **Initialization**: The action extracts the API configuration (Root, Token, - SSL) and the action parameters (Group ID and Members). + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Group ID, Members). - 2. **Validation**: The `Group ID` is validated to ensure it is a valid positive - integer. The `Members` string is processed into a list of individual identifiers. + 2. Validates that the `Group ID` is a valid integer. - 3. **Pre-Execution Fetch**: The action retrieves the current members of the group - to facilitate a comparison after the removal process. + 3. Initializes the `VectraQUXManager` to interact with the VectraQUX API. - 4. **External Mutation**: A `PATCH` request is sent to the Vectra API endpoint - for the specific group ID, using the `membership_action="remove"` parameter to - delete the specified members. + 4. Fetches the current members of the specified group. - 5. **Post-Execution Analysis**: The action compares the updated group membership - with the initial state to identify which members were successfully removed and - which were not found or could not be removed. + 5. Updates the group by removing the specified members. - 6. **Result Reporting**: The action outputs the updated group details as a JSON - object and renders an HTML table for the case wall. It provides a status message - indicating the count of removed members and any identifiers that were not found - in the group. - - - ### Additional Notes - - - The action will fail if none of the provided members exist in the specified - group. - - - The type of member identifiers provided must match the group's type (e.g., if - the group type is 'host', the members should be hostnames). + 6. Renders the updated group details as an HTML view and adds the result as JSON + to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1356,12 +2013,19 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra AI by sending a PATCH request - to the group's API endpoint. + Removes specified members from a group in the VectraQUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the VectraQUX API (`get_group_members`) and mutates + external data (`update_group_members` with `membership_action='remove'`). It + does not mutate internal SOAR data (e.g., updating entities, creating insights, + or modifying alert data). categories: enrichment: false + reasoning: >- + The action mutates external data (removes members from a group), therefore it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1377,47 +2041,53 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities`. It uses parameters + provided in the action settings (`Group ID`, `Members`). Remove Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes a note from an external system. This does not match any of + the predefined categories (e.g., Enrich IOC, Update Alert, Contain Host). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Remove Note** action allows users to delete a specific note associated with - an entity in the Vectra platform. This action is designed to manage and clean - up documentation or comments within Vectra directly from the Google SecOps environment - by targeting specific note and entity identifiers. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Entity ID** | String | Yes | The unique identifier of the entity (Account, - Host, or Detection) from which the note should be removed. | - - | **Note ID** | String | Yes | The unique identifier of the specific note to be - deleted. | - - | **Entity Type** | DDL | Yes | The category of the entity. Supported values are - `Account`, `Host`, and `Detection`. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API configuration (API Root, - Token) and the specific identifiers for the entity and the note from the action - parameters. - - 2. **Validation:** The `Entity ID` and `Note ID` are validated to ensure they - are valid integer values before proceeding with the API request. - - 3. **API Interaction:** The action sends a `DELETE` request to the Vectra API - endpoint corresponding to the specified entity type and IDs (e.g., `/api/v2.5/hosts/{entity_id}/notes/{note_id}`). - - 4. **Result Handling:** If the request is successful, the action returns a success - message. If the note or entity is not found, or if the user lacks permissions, - the action raises a specific exception and reports failure. + General description: This action removes a note from a specific entity (Account, + Host, or Detection) in the VectraQUX platform. Parameters description: Entity + ID (string, mandatory): The ID of the entity from which the note should be removed. + Note ID (string, mandatory): The ID of the note to be removed. Entity Type (ddl, + mandatory): The type of the entity (Account, Host, or Detection). Additional notes: + The action requires the Entity ID, Note ID, and Entity Type to be provided as + parameters. Flow description: 1. Extracts configuration parameters (API Root, + API Token, SSL verification). 2. Extracts action parameters (Entity ID, Note ID, + Entity Type). 3. Validates that Entity ID and Note ID are integers. 4. Sends a + DELETE request to the VectraQUX API to remove the specified note from the entity. + 5. Returns a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -1426,12 +2096,17 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note associated with an entity (Account, Host, or Detection) - in the Vectra platform via a DELETE request. + Deletes a note from an entity in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the VectraQUX API to remove a note. + It does not fetch data, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a mutation action (DELETE) on an external system, not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1447,25 +2122,84 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided by the user (Entity ID, Entity Type) rather + than iterating over siemplify.target_entities. Thus, it does not run on entities + in the SOAR context. Remove Tags: - ai_description: "Removes specific tags from a Vectra entity (Account, Host, or Detection)\ - \ based on a provided Entity ID. This action interacts with the Vectra API to\ - \ manage entity metadata, allowing for the cleanup of labels or status markers.\ - \ \n\n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- |\ - \ :--- | :--- | :--- |\n| Tags | string | Yes | A comma-separated list of tags\ - \ to be removed from the entity. |\n| Entity ID | string | Yes | The unique identifier\ - \ of the entity in Vectra. |\n| Entity Type | ddl | Yes | The type of entity to\ - \ target. Options are 'Account', 'Host', or 'Detection'. |\n\n### Flow Description\n\ - 1. **Initialization**: Extracts API configuration and action parameters (Tags,\ - \ Entity ID, and Entity Type).\n2. **Tag Processing**: Parses the comma-separated\ - \ 'Tags' input into a unique list of strings.\n3. **Data Retrieval**: Fetches\ - \ the current list of tags associated with the specified Entity ID and Type from\ - \ the Vectra platform.\n4. **Logic Execution**: Compares the provided tags against\ - \ the existing tags. It identifies which tags can be removed and which do not\ - \ exist on the entity.\n5. **External Mutation**: If matching tags are found,\ - \ it sends a PATCH request to Vectra with the updated (reduced) tag list.\n6.\ - \ **Reporting**: Generates a summary message and a data table ('Tag Updated Status')\ - \ detailing which tags were successfully removed and which were not found." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates tags on an external entity. It does not match any of the + predefined categories (e.g., it is not an enrichment, ticket, or containment + action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Removes specified tags from an entity (Account, Host, or Detection) within the + VectraQUX platform. This action retrieves the current tags for the specified entity, + removes the requested tags from the list, and updates the entity in VectraQUX + with the modified tag set. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | string | Yes | A comma-separated list of tags to remove from the entity. + | + + | Entity ID | string | Yes | The unique identifier of the entity from which tags + should be removed. | + + | Entity Type | ddl | Yes | The type of the entity (Account, Host, or Detection). + | + + + ### Flow Description + + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Tags, Entity ID, Entity Type). + + 2. Validates the Entity ID as an integer. + + 3. Fetches the existing tags for the specified entity using the VectraQUX API. + + 4. Identifies which of the provided tags exist on the entity. + + 5. Removes the identified tags from the entity's tag list. + + 6. Updates the entity in VectraQUX with the new tag list via a PATCH request. + + 7. Logs the operation status and adds a result table to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1474,12 +2208,20 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified tags from an entity (Account, Host, or Detection) in the Vectra - platform by updating the entity's tag list via a PATCH request. + Updates the entity's tag list in the VectraQUX platform by removing the specified + tags. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current tag data from the VectraQUX API (fetches_data=true) + and performs a PATCH request to update the entity's tags on the external platform + (can_mutate_external_data=true). It does not modify internal SOAR case data + or entities directly. categories: enrichment: false + reasoning: >- + The action mutates external data (updates tags on VectraQUX), therefore it does + not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1495,68 +2237,91 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over the `siemplify.target_entities` list. Instead, + it relies on user-provided parameters (`Entity ID` and `Entity Type`) to identify + the target entity. Therefore, it does not run on entities in the context of + the SOAR entity model. Resolve Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action resolves an assignment in the Vectra platform. It does not match + any of the defined categories, such as updating an alert within SecOps, creating + a ticket, or modifying IOC blocklists. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Resolves a specific assignment in Vectra AI based on a provided Assignment ID - and Outcome ID. This action allows security analysts to close out assignments - by marking them with specific outcomes (e.g., Benign, Malicious, or False Positive) - and optionally adding triage rules and notes. It interacts with the Vectra API - via a PUT request to the resolution endpoint. + Resolves an assignment in the Vectra QUX platform. This action updates the status + of a specific assignment by providing an outcome ID and optional metadata such + as notes, triage rules, and associated detection IDs. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Assignment ID | string | Yes | The unique identifier of the assignment to be - resolved. Must be a valid integer. | + ### Flow Description - | Outcome ID | string | Yes | The ID representing the resolution outcome. Common - values: 1 (Benign True Positive), 2 (Malicious True Positive), 3 (False Positive). - Custom outcomes are also supported. | + 1. **Initialization**: Extracts configuration parameters (API Root, API Token, + Verify SSL) and action parameters (Assignment ID, Outcome ID, Note Title, Triage + As, Detection IDs). - | Note Title | string | No | An optional note or title to be associated with the - resolution of the assignment. | + 2. **Validation**: Validates the provided Assignment ID, Outcome ID, Triage As, + and Detection IDs to ensure they meet format requirements. - | Triage As | string | No | An optional triage rule to apply. If provided, at - least one Detection ID must also be specified. | + 3. **Execution**: Initializes the `VectraQUXManager` and sends a PUT request to + the Vectra API to resolve the specified assignment. - | Detection IDs | string | No | A comma-separated list of integer detection IDs - to be associated with the resolution. Required if 'Triage As' is used. | + 4. **Output**: Adds the API response as a JSON result and constructs a data table + containing the resolved assignment details for the analyst. - ### Additional Notes + ### Parameters - - The action performs strict validation on the 'Assignment ID' and 'Outcome ID' - to ensure they are valid integers. + | Parameter | Type | Mandatory | Description | - - If the 'Triage As' parameter is populated, the action requires at least one - 'Detection ID' to be provided; otherwise, it will fail with a validation error. + | :--- | :--- | :--- | :--- | - - The 'Triage As' value must be at least 4 characters long and cannot contain - special characters like `!@#$%^&*()`. + | Assignment ID | string | Yes | The ID of the assignment to resolve. | + | Outcome ID | string | Yes | The outcome ID for resolving the assignment (e.g., + 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False Positive). + | - ### Flow Description + | Note Title | string | No | A note title to be added for the assignment resolution. + | - 1. **Parameter Extraction**: Retrieves the Assignment ID, Outcome ID, and optional - parameters (Note, Triage, Detection IDs) from the action input. + | Triage As | string | No | Triage rule for resolving the assignment. | - 2. **Validation**: Validates that IDs are integers and checks the logical dependency - between 'Triage As' and 'Detection IDs'. + | Detection IDs | string | No | A comma-separated list of Integer detection IDs + associated with the resolution. | - 3. **API Interaction**: Initializes the VectraQUXManager and sends a PUT request - to the `/assignments/{assignment_id}/resolve` endpoint with the resolution payload. - 4. **Data Processing**: Parses the updated assignment object returned by the API. + ### Additional Notes - 5. **Output Generation**: Adds the raw JSON response to the action results and - creates a data table named 'Resolved Assignment' containing the key details of - the resolution. + If `Triage As` is provided, at least one `Detection ID` must also be provided + for the action to succeed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1565,12 +2330,19 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of an assignment in the Vectra AI platform to 'Resolved' and - applies the specified outcome, notes, and triage rules. - fetches_data: true + Resolves an assignment in the Vectra QUX platform via a PUT request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Vectra API to resolve an assignment, + which constitutes an external data mutation. It does not fetch data from the + external system, nor does it modify internal SOAR data (entities, insights, + or alert data). categories: enrichment: false + reasoning: >- + The action does not fetch data (it is a resolution/mutation action) and it mutates + external data. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1586,89 +2358,120 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an 'Assignment ID' as a direct + input parameter and does not iterate over or filter the 'target_entities' list. Search Accounts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for accounts within the Vectra platform. This matches the + 'Search Asset' category, as it is searching for assets (accounts) associated + with the product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Searches for and retrieves account details from Vectra AI based on user-defined - query parameters. This action allows for granular filtering of accounts using - scores, states, timestamps, and tags, providing a comprehensive list of matching - accounts for investigation. - - - ### Parameters Description + ### General Description + The **Search Accounts** action queries the Vectra platform to retrieve a list + of accounts based on specific filter criteria. This action allows analysts to + search for accounts by name, state, threat score, certainty score, privilege level, + and various timestamps. The results are returned as a JSON object and a formatted + data table, providing visibility into account details within the Vectra environment. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Order | String (DDL) | No | Determines the sort direction of the results: 'Ascending' - or 'Descending'. | + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and action-specific + filters. - | Limit | String | No | The maximum number of account records to retrieve. | + 2. **Validation**: It validates the provided input parameters, such as `Limit`, + `Threat GTE`, `Certainty GTE`, and `Privilege Level`, ensuring they meet the required + formats. - | Order By | String (DDL) | No | The field used to sort the results (e.g., threat - score, certainty score, last detection timestamp, or ID). | + 3. **API Interaction**: It instantiates the `VectraQUXManager` and executes a + search request against the Vectra API using the provided filters. - | Fields | Multi-select | No | A list of specific account attributes to include - in the output (e.g., name, state, threat, tags). | + 4. **Data Processing**: If accounts are found, the action processes the results + by removing API version strings from URLs and extracting mandatory fields for + the data table. - | Name | String | No | Filters the search results to accounts matching a specific - name. | + 5. **Output**: The action adds the raw JSON results to the action output and generates + a data table titled "List Of Accounts" for the analyst to review. - | State | String (DDL) | No | Filters accounts by their current state: 'Active' - or 'Inactive'. | - | Threat GTE | String | No | Filters for accounts with a threat score greater - than or equal to the specified value. | + ### Parameters Description - | Certainty GTE | String | No | Filters for accounts with a certainty score greater - than or equal to the specified value. | + | Parameter | Type | Mandatory | Description | - | Last Detection Timestamp GTE | String | No | Filters for accounts with a last - detection timestamp greater than or equal to this value. | + | :--- | :--- | :--- | :--- | - | Last Detection Timestamp LTE | String | No | Filters for accounts with a last - detection timestamp less than or equal to this value. | + | Order | ddl | No | Filter accounts by ascending or descending order. | - | Tags | String | No | A comma-separated list of tags to filter the accounts by. - | + | Limit | string | No | The maximum number of records to fetch. | - | Note Modified Timestamp GTE | String | No | Filters for accounts where notes - were modified after the specified timestamp. | + | Order By | ddl | No | Field to order results by (e.g., t_score, c_score, last_detection_timestamp, + id). | - | Privilege Level | String | No | Filters accounts by a specific privilege level. - | + | Fields | multi_choice | No | Comma-separated list of fields to include in the + results. | - | Privilege Category | String (DDL) | No | Filters accounts by privilege category: - 'Low', 'Medium', or 'High'. | + | Name | string | No | Filter accounts by name. | + | State | ddl | No | Filter accounts by state (Active, Inactive). | - ### Additional Notes + | Threat GTE | string | No | Filter accounts with a threat score greater than + or equal to the provided value. | + | Certainty GTE | string | No | Filter accounts with a certainty score greater + than or equal to the provided value. | - This action does not operate on specific entities within the SOAR case; instead, - it performs a global search within the Vectra AI platform based on the provided - criteria. + | Last Detection Timestamp GTE | string | No | Filter accounts with a last detection + timestamp greater than or equal to the provided value. | + | Last Detection Timestamp LTE | string | No | Filter accounts with a last detection + timestamp less than or equal to the provided value. | - ### Flow Description + | Tags | string | No | Filter accounts by tags (comma-separated). | + | Note Modified Timestamp GTE | string | No | Filter accounts with a note modified + timestamp greater than or equal to the provided value. | - 1. **Parameter Extraction**: The action retrieves configuration settings (API - Root, Token) and user-provided search filters from the action parameters. + | Privilege Level | string | No | Filter accounts by privilege level. | - 2. **Validation**: Numeric parameters such as 'Limit', 'Threat GTE', and 'Certainty - GTE' are validated to ensure they are proper integers. + | Privilege Category | ddl | No | Filter accounts by privilege category (Low, + Medium, High). | - 3. **API Query**: The action constructs a request and queries the Vectra AI `/accounts` - endpoint, applying the specified filters and pagination logic. - 4. **Data Sanitization**: The returned account data is processed to remove API - versioning strings from URLs and to extract a subset of mandatory fields for display. + ### Additional Notes - 5. **Result Delivery**: The action outputs the full account details as a JSON - object and creates a summary data table titled "List Of Accounts" in the SOAR - interface. + This action does not require any specific entity context to run, as it performs + a global search within the Vectra platform based on the provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1679,8 +2482,18 @@ Search Accounts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra API to search for accounts based + on user-provided filters. It does not modify any external systems, nor does + it modify internal SOAR case data (entities, insights, etc.). It simply retrieves + and displays data. categories: enrichment: false + reasoning: >- + The action is a search/query action. It does not enrich an existing entity (it + searches for accounts based on criteria), nor does it meet the criteria for + an enrichment action as defined (it does not update entity attributes or create + insights). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1696,96 +2509,117 @@ Search Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or filter by `target_entities`. It performs + a search based on user-provided parameters. Search Detections: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action searches for detections in an external system based on provided filters. + This directly aligns with 'Search Events' (retrieving historical logs/telemetry) + and 'Get Alert Information' (fetching information about detections from the + 3rd party product). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action searches for and retrieves a list of detections from the Vectra QUX - platform based on a wide variety of user-defined query parameters. It allows analysts - to filter detections by time, host, tags, asset status, scores (threat/certainty), - and state. The results are returned as a detailed JSON object and a summary data - table within the Google SecOps case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp - greater than or equal to the provided value. | - - | Host ID | String | No | Filters detections associated with a specific Host ID. - | + This action searches for detections in the Vectra AI platform based on a variety + of user-defined filters. It allows analysts to query for specific detections, + such as those related to a particular host, source IP, or detection category, + and retrieve detailed information about them. The action outputs the results as + a JSON object and a formatted data table for easy viewing within the Google SecOps + platform. - | Tags | String | No | Filters detections by a comma-separated list of tags. | - | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a key asset (True/False). | + ### Flow Description - | Note Modified Timestamp GTE | String | No | Filters detections where the associated - note was modified after the given timestamp. | + 1. **Initialization:** The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and action parameters + (filters). - | Order | DDL | No | Specifies the sort direction: 'Ascending' or 'Descending'. - | + 2. **Validation:** It validates the input parameters, such as `Limit`, `Threat + GTE`, `Certainty GTE`, and `Host ID`, ensuring they meet the required formats. - | Limit | String | No | The maximum number of detection records to retrieve. | + 3. **Search:** It uses the `VectraQUXManager` to perform a search against the + Vectra AI API (`/api/v2.5/detections`) using the provided filters. - | Order By | DDL | No | The field used to sort the results (e.g., last_timestamp, - t_score, c_score). | + 4. **Processing:** If detections are found, it processes the results by cleaning + up URLs and extracting mandatory fields (e.g., ID, detection type, category, timestamps, + state) and source information (account/host name and IP). - | Fields | Multi-select | No | A list of specific fields to include in the response - for each detection. | + 5. **Output:** It adds the full JSON response to the action results and constructs + a data table titled "List Of Detections" for the analyst to review. - | State | DDL | No | Filters detections by their current state (Active, Inactive, - Fixed). | - | Detection Type | String | No | Filters by the specific type of detection. | + ### Parameters Description - | Detection Category | DDL | No | Filters by the detection category (e.g., Command - and Control, Exfiltration). | + | Parameter | Type | Mandatory | Description | - | Src IP | String | No | Filters detections by the source IP address. | + | :--- | :--- | :--- | :--- | - | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to the provided value. | + | Last Timestamp GTE | string | No | Filter by last detection timestamp greater + than or equal to the given value. | - | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to the provided value. | + | Host ID | string | No | Filter by host ID. | + | Tags | string | No | Filter by comma-separated tags. | - ### Additional Notes + | Is Targeting Key Asset | ddl | No | Filter if detections are targeting a key + asset (True/False). | - - The 'Limit' parameter is validated to ensure it is a positive integer. + | Note Modified Timestamp GTE | string | No | Filter based on note modified timestamp. + | - - If 'Order' is set to 'Descending', the 'Order By' field is prefixed with a minus - sign (-) before being sent to the Vectra API. + | Order | ddl | No | Order results in Ascending or Descending order. | - - The 'Fields' parameter expects a JSON-formatted list of strings if provided - manually, though typically handled by the UI multi-choice selector. + | Limit | string | No | The maximum number of records to fetch. | + | Order By | ddl | No | Field to order results by (last_timestamp, created_datetime, + t_score, c_score, id). | - ### Flow Description + | Fields | multi_choice | No | Select specific fields to include in the output. + | - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Token) and all 15 optional search parameters. + | State | ddl | No | Filter by detection state (Active, Inactive, Fixed). | - 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', - and 'Certainty GTE' to ensure they are valid integers. + | Detection Type | string | No | Filter by detection type. | - 3. **Query Construction:** It prepares the API request, including formatting the - sort order and joining selected fields into a comma-separated string. + | Detection Category | ddl | No | Filter by detection category (Command and Control, + Botnet, etc.). | - 4. **API Interaction:** The action calls the Vectra QUX `search_detections` endpoint - via a GET request, utilizing pagination to retrieve the requested number of records. + | Src IP | string | No | Filter by source IP address. | - 5. **Data Processing:** For each retrieved detection, the script cleans up internal - API versioning strings from URLs and extracts a set of mandatory fields (ID, type, - category, timestamps, state). + | Threat GTE | string | No | Filter by threat score greater than or equal to the + given value. | - 6. **Output Generation:** The processed data is added to the action results as - a raw JSON object and a formatted data table titled 'List Of Detections'. + | Certainty GTE | string | No | Filter by certainty score greater than or equal + to the given value. | capabilities: can_create_case_comments: false can_create_insight: false @@ -1796,8 +2630,17 @@ Search Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to search for detections in an external system + (Vectra AI). It does not modify any external or internal data, nor does it update + entities, create insights, or modify alert data. It simply retrieves and displays + information. categories: enrichment: false + reasoning: >- + The action is a search/retrieval action. It does not meet the criteria for an + Enrichment Action because it does not update entities, create insights, or add + comments to the case. It is a search/query action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1813,109 +2656,123 @@ Search Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its search. Therefore, it does not run + on entities. Search Hosts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for hosts (assets) in the Vectra platform and returns the + results. This matches 'Search Asset'. It also returns a collection of data matching + search parameters, which matches 'Search Events' as it returns host telemetry/logs. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Search Hosts** action allows users to query and retrieve a list of host - entities from the Vectra AI platform based on a wide array of filtering criteria. - It is primarily used for threat hunting and asset discovery, enabling analysts - to find hosts based on their threat scores, certainty levels, active traffic status, - or specific tags. The action returns detailed host metadata, including IP addresses, - severity levels, and detection summaries. + This action searches for hosts within the Vectra QUX platform based on a comprehensive + set of filter criteria. It allows analysts to query the Vectra API to retrieve + specific host information, such as threat scores, certainty levels, and activity + status, and presents the results directly within the SOAR action output. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Limit | String | No | The maximum number of host records to retrieve. Defaults - to 0 (all available up to system limits). | - - | Tags | String | No | Filter hosts that match specific tags. | + ### Flow Description - | Last Source | String | No | Filter hosts based on their last reported source. - | + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + Root, Token) and user-defined search filters (e.g., Name, State, Threat Level, + Tags, Time ranges). - | Order | DDL | No | Specifies whether the results should be in 'Ascending' or - 'Descending' order. | + 2. **API Interaction**: It initializes the `VectraQUXManager` and executes a search + request against the Vectra API using the provided filters. - | Fields | Multi-choice | No | A list of specific host attributes to include in - the response (e.g., id, name, ip, threat). | + 3. **Data Processing**: The action processes the returned host data, including + cleaning up API version strings from URLs and extracting specific fields for display. - | Name | String | No | Filter hosts by their specific name. | + 4. **Output Generation**: The results are formatted and added to the action output + as a JSON object and a structured data table for easy review by the analyst. - | State | DDL | No | Filter hosts by their current state: 'Active' or 'Inactive'. - | - | Threat GTE | String | No | Filter for hosts with a threat score greater than - or equal to this value. | - - | Certainty GTE | String | No | Filter for hosts with a certainty score greater - than or equal to this value. | + ### Parameters Description - | Last Detection Timestamp GTE | String | No | Filter for hosts with detections - occurring on or after this timestamp. | + | Parameter | Type | Mandatory | Description | - | Last Detection Timestamp LTE | String | No | Filter for hosts with detections - occurring on or before this timestamp. | + | :--- | :--- | :--- | :--- | - | Is Targeting Key Asset | DDL | No | Filter hosts based on whether they are targeting - key assets ('True' or 'False'). | + | Limit | string | No | The maximum number of records to fetch. | - | Privilege Level GTE | String | No | Filter for hosts with a privilege level - greater than or equal to this value. | + | Tags | string | No | Filter hosts based on specific tags. | - | Privilege Category | DDL | No | Filter hosts by privilege category: 'Low', 'Medium', - or 'High'. | + | Last Source | string | No | Filter hosts based on the last source. | - | Active Traffic | DDL | No | Filter hosts that have shown active traffic within - the last two hours ('True' or 'False'). | + | Order | ddl | No | Sort order (Ascending or Descending). | - | Order By | DDL | No | The field used to sort the results (e.g., t_score, c_score, - last_detection_timestamp). | + | Fields | multi_choice | No | Select specific fields to include in the output + (e.g., id, name, ip, threat, certainty). | - | Note Modified Timestamp GTE | String | No | Filter hosts where notes were modified - on or after this timestamp. | + | Name | string | No | Filter hosts by name. | + | State | ddl | No | Filter hosts by state (Active or Inactive). | - ### Additional Notes + | Threat GTE | string | No | Filter hosts with a threat score greater than or + equal to the provided value. | - - The action performs input validation on numeric fields like `Limit`, `Threat - GTE`, and `Certainty GTE` to ensure they are valid integers. + | Certainty GTE | string | No | Filter hosts with a certainty score greater than + or equal to the provided value. | - - If `Order` is set to 'Descending', the action automatically prefixes the `Order - By` parameter with a minus sign (e.g., `-t_score`) to comply with the Vectra API - requirements. + | Last Detection Timestamp GTE | string | No | Filter hosts with a last detection + timestamp greater than or equal to the provided value. | - - The action automatically strips API version strings (e.g., `/api/v2.5`) from - returned URLs to provide cleaner data for the SOAR interface. + | Last Detection Timestamp LTE | string | No | Filter hosts with a last detection + timestamp less than or equal to the provided value. | + | Is Targeting Key Asset | ddl | No | Filter hosts that are targeting key assets + (True/False). | - ### Flow Description + | Privilege Level GTE | string | No | Filter hosts with a privilege level greater + than or equal to the provided value. | - 1. **Initialization**: The action initializes the Vectra AI manager using the - provided API Root and Token. + | Privilege Category | ddl | No | Filter hosts by privilege category (Low, Medium, + High). | - 2. **Parameter Extraction**: It retrieves all user-defined filters and sorting - preferences from the action parameters. + | Active Traffic | ddl | No | Filter hosts with active traffic (True/False). | - 3. **Validation**: It validates that the `Limit` and score-based parameters are - valid integers. + | Order By | ddl | No | Field to order the results by (t_score, c_score, id, last_detection_timestamp). + | - 4. **API Request**: It constructs a GET request with the specified query parameters - and sends it to the Vectra `/hosts` endpoint. + | Note Modified Timestamp GTE | string | No | Filter hosts based on note modification + timestamp. | - 5. **Pagination**: If the number of results exceeds the page size, the action - handles pagination to retrieve the requested number of records up to the `Limit`. - 6. **Data Processing**: The action iterates through the retrieved hosts, cleans - up URL fields, and extracts mandatory fields for the summary table. + ### Additional Notes - 7. **Output**: It populates a data table named 'List Of Hosts' and attaches the - full JSON response to the action results. + This action does not require any specific entities to be selected in the SOAR + case; it operates independently based on the provided search parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1926,8 +2783,18 @@ Search Hosts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra API to search for hosts based + on user-provided filters. It does not modify any external systems or internal + SOAR data (entities, insights, etc.). It simply returns the search results in + the action output. categories: enrichment: false + reasoning: >- + The action is a search/retrieval action, not an enrichment action. It does not + update entities or create insights. It does not meet the criteria for an enrichment + action as it does not gather supplemental context about existing entities in + the case. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1943,15 +2810,50 @@ Search Hosts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to perform a search against the Vectra API. Unmark Detection Fixed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a state change (unmarking as fixed) on detections within + an external system (Vectra). It does not match the 'Update Alert' category (which + is specific to the SecOps platform), nor does it match any other provided categories + like ticket management, identity management, or IOC blocklisting. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Unmarks specific detections as fixed within the Vectra AI platform. This action - is used to revert the status of detections that were previously marked as resolved, - allowing them to be treated as active or requiring further investigation. It interacts - with the Vectra AI API via a PATCH request to update the state of the specified - detection IDs. + This action unmarks specified detections as fixed within the Vectra QUX platform. + It communicates with the Vectra API to update the status of detections, effectively + reverting them from a 'fixed' state to an active or unresolved state based on + the provided detection IDs. ### Parameters Description @@ -1960,27 +2862,34 @@ Unmark Detection Fixed: | :--- | :--- | :--- | :--- | - | Detection IDs | String | Yes | A comma-separated list of numeric identifiers - for the detections that should be unmarked as fixed. Each ID is validated as an - integer before processing. | + | Detection IDs | string | Yes | A comma-separated list of detection IDs to be + unmarked as fixed. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the VectraQUX manager using the - provided API Root, API Token, and SSL verification settings. + - This action requires valid API credentials (API Root and API Token) configured + in the integration settings. - 2. **Parameter Parsing**: It extracts the 'Detection IDs' string, splits it by - commas, and validates that each entry is a valid integer. + - The action performs a PATCH request to the Vectra API. Ensure the provided IDs + are valid integers. - 3. **API Interaction**: The action calls the `unmark_detection_as_fixed` method - in the manager, which sends a PATCH request to the Vectra AI detections endpoint. - 4. **State Mutation**: The request payload includes the list of detection IDs - and explicitly sets the `mark_as_fixed` attribute to `False`. + ### Flow Description - 5. **Result Handling**: The response from the Vectra AI API is captured and added - to the action's result JSON for auditing and further playbook logic. + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and the action parameter + (`Detection IDs`). + + 2. **Validation**: The provided `Detection IDs` string is split and validated + to ensure each ID is a valid integer. + + 3. **API Interaction**: The `VectraQUXManager` is instantiated, and the `unmark_detection_as_fixed` + method is called, which sends a PATCH request to the Vectra API (`/api/v2.5/detections`) + with the payload `{"detectionIdList": detection_list_id, "mark_as_fixed": "False"}`. + + 4. **Result**: The response from the API is added to the action result JSON, and + the action completes with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1989,12 +2898,21 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of detections in the Vectra AI platform by setting the 'mark_as_fixed' - attribute to False for the specified detection IDs via a PATCH request. + Updates the detection status in the external Vectra system by unmarking it as + fixed. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external API (Vectra) to update the + state of detections. It does not fetch data (GET), nor does it modify internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a mutation action that changes the state of detections in an external + system. It does not fetch data, nor does it perform any of the allowed internal + mutations (creating insights, updating entities, or adding comments). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2010,68 +2928,97 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + takes a string of detection IDs as an input parameter. Update Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the assignment of an entity to a user in the Vectra QUX system. + This modifies the entity's assignment metadata, which aligns with the 'Update + Identity' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- - ### General Description - - The **Update Assignment** action allows users to change the assigned analyst for - a specific entity (Host or Account) within the Vectra QUX platform. This action - is primarily used for reassigning ownership of security entities during an investigation. - + Updates the assigned user for a specific entity (Account or Host) in the Vectra + QUX system. This action retrieves the current entity details to identify the existing + assignment and then updates it by assigning the specified User ID. It returns + the update result and adds a data table to the action results. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Entity ID** | String | Yes | The unique numeric identifier of the entity in - Vectra QUX. | + 1. Validates input parameters (Entity ID, User ID). - | **Entity Type** | DDL | Yes | The type of entity to update. Options are `Account` - or `Host`. | + 2. Retrieves current entity details from Vectra QUX to identify the existing assignment. - | **User ID** | String | Yes | The unique numeric identifier of the user to whom - the entity should be reassigned. | + 3. Updates the assignment by assigning the specified User ID to the entity. + 4. Returns the update result and adds a data table to the action results. - ### Additional Notes - - This action requires the entity to already have an existing assignment; it will - fail if no assignment is currently associated with the provided Entity ID. + ### Parameters Description - - Both the Entity ID and User ID must be valid numeric values. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Entity ID | string | Yes | The ID of the entity to update. | - 1. **Initialization**: Retrieves API credentials and action parameters (Entity - ID, Entity Type, and User ID). + | Entity Type | ddl | Yes | The type of entity (Account or Host). | - 2. **Validation**: Validates that the provided Entity ID and User ID are integers. + | User ID | string | Yes | The ID of the user to assign. | - 3. **Pre-check**: Fetches the current details of the entity from Vectra QUX to - verify its existence and check for an existing assignment. - 4. **Execution**: If an assignment exists, it sends a `PUT` request to the Vectra - QUX API to update the assignment with the new User ID. + ### Additional Notes - 5. **Output**: Returns the updated assignment details as a JSON object and populates - a data table named 'Updated Assignment' with the reassignment information. + - The action requires valid API credentials for the Vectra QUX integration. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Updates the 'assign_to_user_id' field for an existing assignment record in the - Vectra QUX platform via a PUT request. + Updates the assignment of an entity to a new user in the Vectra QUX system. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds result JSON and a data table to the SOAR action results. + reasoning: >- + The action fetches entity details (fetches_data=true) and updates the assignment + in the external Vectra QUX system (can_mutate_external_data=true). It also adds + result JSON and a data table to the SOAR action results (can_mutate_internal_data=true). categories: enrichment: false + reasoning: >- + The action mutates external data (updates assignment), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2087,3 +3034,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes Entity ID and Entity Type as input parameters and does not + iterate over `siemplify.target_entities`, therefore it does not run on entities + in the context of the SOAR entity model. diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..0e96ce877 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,85 @@ +Vectra QUX - Entities Connector: + ai_description: >- + ### General Description + + The Vectra QUX - Entities Connector integrates Google SecOps (SOAR) with the Vectra + QUX platform. It is designed to periodically retrieve security entities, such + as Hosts or Accounts, and their associated detections. By mapping these entities + to alerts and their detections to events, the connector enables security teams + to monitor, investigate, and respond to threats identified by Vectra directly + within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Vectra QUX API. | + + | API Token | Password | Yes | Authentication token for the Vectra QUX API. | + + | Certainty Score GTE | Integer | No | Filters entities with a certainty score + greater than or equal to this value. | + + | Detection Category | String | No | Filters results by detection category (e.g., + Command & Control, Botnet Activity). | + + | Detection Type | String | No | Filters results by specific detection type. | + + | DeviceProductField | String | Yes | Field name used to determine the device + product. | + + | Entity Type | String | Yes | The type of entity to fetch (e.g., Host, Account). + | + + | EventClassId | String | Yes | Field name used to determine the event name. | + + | Limit | Integer | No | Maximum number of entities to fetch per iteration. | + + | Max Hours Backwards | Integer | No | Number of hours to look back for initial + data retrieval. | + + | Partial Tag | String | No | Partial tag to filter results. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script + execution. | + + | Query | String | No | Custom query string for advanced filtering. | + + | Specific Tag | String | No | Specific tag to filter results. | + + | Threat Score GTE | Integer | No | Filters entities with a threat score greater + than or equal to this value. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + | + + + ### Flow Description + + 1. **Initialization**: The connector initializes the connection to the Vectra + QUX API using the provided API Root and Token. + + 2. **Validation**: Input parameters are validated to ensure correct entity types + and score formats. + + 3. **Data Retrieval**: The connector queries the Vectra QUX API for entities (Hosts + or Accounts) based on the configured filters (e.g., threat score, certainty, tags, + and time range). + + 4. **Deduplication**: It checks against previously processed alert IDs to avoid + creating duplicate cases. + + 5. **Processing**: For each retrieved entity, the connector fetches associated + detections. + + 6. **Mapping**: Each entity is mapped to a SOAR alert, and its detections are + mapped as alert events. + + 7. **Ingestion**: The processed alerts are ingested into Google SecOps as cases + for further investigation. + + 8. **Cleanup**: Timestamps and processed IDs are saved to maintain state for the + next iteration. diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5875b90c3 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The Vectra QUX integration is a threat detection platform that ingests security + entities (Hosts and Accounts) and their associated detections into Chronicle SOAR, + which aligns with the SIEM category for alert and event ingestion. It provides + threat and certainty scores for entities and detections, supporting the Threat + Intelligence category for enrichment. The integration manages 'Accounts' and 'Hosts,' + including assignment and group management, which aligns with the IAM & Identity + Management category. The description explicitly mentions 'hybrid and multi-cloud + enterprises,' and the connector retrieves cloud-relevant entities, supporting + the Cloud Security category. It also functions as an Asset Inventory tool by retrieving + detailed host and account information. It does not perform EDR-specific tasks + (process trees, isolation), Network Security (firewall logs, blocking), Email + Security, ITSM, Vulnerability Management, or Collaboration. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..cf36ed992 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,52 @@ +Vectra QUX - Clear Empty Cases Job: + ai_description: >- + ### General Description + + This job automates the maintenance of the Google SecOps (Chronicle) SOAR case + queue by identifying and closing empty or duplicate cases originating from the + Vectra QUX integration. It helps reduce investigation noise by analyzing open + cases, filtering them based on specific environments and product names, and automatically + closing cases that contain redundant or identical alerts. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Hours Backwards | String | No | The maximum number of hours to look back + for open cases. Defaults to 24 hours. Set to '0' to process all open cases. | + + | Environments | String | Yes | A comma-separated list of environments to filter + cases by. Defaults to 'Default Environment'. | + + | Products | String | Yes | A comma-separated list of product field names to filter + alerts by. Defaults to 'Vectra QUX'. | + + + ### Flow Description + + 1. Extracts and validates the job configuration parameters (Max Hours Backwards, + Environments, and Products). + + 2. Calculates the start time for the job based on the last successful execution + timestamp to ensure incremental processing. + + 3. Fetches all open cases from the SOAR platform that match the specified time + range. + + 4. Iterates through each open case to retrieve associated entities and their corresponding + detections. + + 5. Filters the retrieved detections to include only those matching the provided + environment and product name criteria. + + 6. Analyzes the filtered cases to identify identical alerts or cases that are + effectively empty. + + 7. Closes redundant cases or removes duplicate alerts from cases as identified + by the analysis logic. + + 8. Updates the job's last success timestamp in the database to track progress + for the next execution. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml index 68f56ab9e..a8c870b8f 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml @@ -1,43 +1,72 @@ Add Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a note to an entity in the VectraRUX platform. It does not match + any of the provided categories (e.g., it is not adding a comment to a SOAR alert, + nor is it an enrichment or containment action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a note to a specific entity within the Vectra RUX platform. This action allows - users to attach textual context or observations to specific Accounts, Hosts, or - Detections by providing the entity's unique identifier and type. The action performs - a POST request to the Vectra API and returns the details of the created note, - including its ID and creation timestamp. + ### General Description + Adds a note to a specific entity (Account, Host, or Detection) within the VectraRUX + platform. This action allows analysts to append contextual information or investigation + notes directly to an entity in the external system. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Note | string | Yes | The textual content of the note to be added to the entity. + | Note | string | Yes | The text content of the note to be added to the entity. | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra - RUX. | + | Entity ID | string | Yes | The unique identifier of the entity in VectraRUX. + | - | Entity Type | ddl | Yes | The type of entity to which the note will be attached. - Supported values: Account, Host, Detection. | + | Entity Type | ddl | Yes | The type of the entity. Supported values: Account, + Host, Detection. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the API configuration (Root, Client ID, - Secret) and action parameters (Note, Entity ID, Entity Type). - - 2. **Validation:** Validates that the provided `Entity ID` is a valid integer. + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Note, Entity ID, Entity Type). - 3. **API Interaction:** Authenticates with Vectra RUX and sends a POST request - to the `/entities/{entity_id}/notes` endpoint with the note content and entity - type. + 2. Validates the provided Entity ID. - 4. **Result Processing:** Parses the API response into a `Note` object. + 3. Sends a POST request to the VectraRUX API endpoint (`/entities/{entity_id}/notes`) + to create the note. - 5. **Output Generation:** Adds the note details to a data table and provides the - raw JSON response for downstream use in the playbook. + 4. Adds the API response to the action result as a data table and JSON for reporting + purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -46,12 +75,18 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record associated with a specific entity (Account, Host, - or Detection) in the Vectra RUX platform. + Adds a note to an entity (Account, Host, or Detection) in the VectraRUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the VectraRUX API to add a note to an + entity. It does not fetch data, nor does it modify internal SOAR case data or + entities. It is a mutation action on an external system. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a note to an external system) and does + not fetch data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -67,14 +102,51 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It accepts `Entity ID` + and `Entity Type` as manual input parameters from the user, rather than operating + on entities already present in the case. Add Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates tags on an external system (Vectra RUX). None of the provided + categories (e.g., Enrich IOC, Contain Host, Update Identity) perfectly match + this 'Update Tags' functionality. Therefore, all categories are set to false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds one or more tags to specific entities within the Vectra platform. This action - supports tagging Accounts, Hosts, and Detections by their unique Vectra identifiers. - It ensures that existing tags are preserved by fetching the current tag list before - appending the new ones. + Adds tags to specified entities (Account, Host, or Detection) in the Vectra RUX + platform. This action retrieves existing tags for the provided entity IDs, merges + them with the new tags, and updates the entity's tag list in the external system + via a PATCH request. The action logs the status of each update and provides a + summary table of the results. ### Parameters Description @@ -83,39 +155,38 @@ Add Tags: | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to be added to the target - entities. | + | Tags | string | Yes | Comma-separated list of tags to add to the account, host, + or detection. | - | Entity IDs | String | Yes | A comma-separated list of the unique identifiers - (IDs) for the entities in Vectra. | + | Entity IDs | string | Yes | Comma-separated list of the Entity IDs to which + the user wants to add tags. | - | Entity Type | DDL | Yes | The type of Vectra entity being tagged. Options are: - `Account`, `Host`, or `Detection`. | + | Entity Type | ddl | Yes | The type of the entity to which tags will be added + (Options: Account, Host, Detection). | ### Flow Description - 1. **Initialization**: The action parses the comma-separated strings for `Tags` - and `Entity IDs` into unique lists and converts the `Entity Type` to lowercase. + 1. Extracts configuration (API credentials) and action parameters (Tags, Entity + IDs, Entity Type). - 2. **Data Retrieval**: For each provided Entity ID, the action calls the Vectra - API to retrieve the current list of tags associated with that entity. + 2. Validates and parses the input IDs and tags, removing duplicates. - 3. **Tag Merging**: The new tags are merged with the existing tags to create a - deduplicated set. + 3. Iterates through each provided Entity ID. - 4. **External Mutation**: The action sends a PATCH request to Vectra to update - the entity's tags with the new combined list. + 4. Fetches existing tags for the entity from the Vectra RUX API. - 5. **Result Reporting**: Successes and failures are tracked per ID. A data table - named "Tag Update Status" is created in the SOAR case to summarize the outcome - for each entity. + 5. Merges the existing tags with the new tags. + + 6. Updates the entity's tags in Vectra RUX via a PATCH request. + + 7. Logs the status of each update and generates a result table in the SOAR case. ### Additional Notes - This action does not process entities currently present in the SOAR case scope; - it operates strictly on the IDs provided in the input parameters. + The action requires valid API credentials for the Vectra RUX integration to be + configured. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,12 +195,19 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PATCH request to the Vectra API to update the tags associated - with specific entities (Accounts, Hosts, or Detections). + Updates the tag list for the specified entity in the Vectra RUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the Vectra RUX API (fetches_data=true) + and then performs a PATCH request to update the tags on the external system + (can_mutate_external_data=true). It does not modify internal SOAR case data + or entities directly. categories: enrichment: false + reasoning: >- + The action mutates external data (updates tags), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,14 +223,48 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + IDs` as an input parameter. Therefore, it does not run on SOAR entities. Assign Entity: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action assigns an entity to a user in the Vectra RUX platform. This does + not match any of the provided categories (Enrichment, Containment, Ticket management, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Assigns a Vectra entity (Host or Account) to a specific user within the Vectra - RUX platform. This action is primarily used for workflow orchestration and incident - management, allowing analysts to programmatically manage resource ownership and - responsibility within the Vectra console. + This action assigns a specific entity (either a Host or an Account) to a designated + user within the Vectra RUX platform. It facilitates the management of entity assignments + by interacting directly with the Vectra RUX API. ### Parameters Description @@ -161,39 +273,32 @@ Assign Entity: | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity to be assigned. - This must be a valid integer representing a Host or Account ID in Vectra. | + | Entity ID | string | Yes | The unique identifier of the entity (Host or Account) + to be assigned. | - | Entity Type | DDL | Yes | The category of the entity. Must be either 'Account' + | Entity Type | ddl | Yes | The type of the entity. Supported values are 'Account' or 'Host'. | - | User ID | String | Yes | The unique identifier of the user to whom the entity - will be assigned. This must be a valid integer. | - - - ### Additional Notes - - This action does not automatically process entities from the SOAR case context. - It requires the explicit input of IDs via the action parameters. Both the Entity - ID and User ID are validated as integers before the API request is made. + | User ID | string | Yes | The unique identifier of the user to whom the entity + will be assigned. | ### Flow Description - 1. **Initialization:** The action initializes the Vectra RUX manager using provided - API credentials (API Root, Client ID, and Client Secret). + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, Client ID, Client Secret) and action parameters + (User ID, Entity ID, Entity Type). - 2. **Parameter Validation:** It extracts the User ID, Entity ID, and Entity Type - from the action parameters and validates that the IDs are numeric. + 2. **Validation**: The action validates that the provided `Entity ID` and `User + ID` are valid integers. - 3. **API Request:** It executes a POST request to the Vectra RUX assignments endpoint - (`api/v3.4/assignments`) with the assignment details. + 3. **Execution**: The action initializes the `VectraRUXManager` and calls the + `assign_entity` method, which performs a POST request to the Vectra RUX API to + create the assignment. - 4. **Data Processing:** Upon a successful response, the action parses the new - assignment data into a structured object. - - 5. **Output Generation:** It populates a data table named 'Assign Entity' with - the assignment details and attaches the full raw JSON response to the action results. + 4. **Result Reporting**: Upon successful assignment, the action adds the assignment + details to the action results as a data table and a JSON object containing the + raw response data. capabilities: can_create_case_comments: false can_create_insight: false @@ -202,12 +307,20 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra RUX platform, linking a specific - user to a host or account entity. - fetches_data: true + Assigns an entity (Host or Account) to a user in the Vectra RUX platform via + a POST request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra RUX API to assign an entity + to a user. It does not fetch data for enrichment, nor does it modify internal + SOAR case data (such as updating entities or adding insights). It only reports + the result of the external mutation. categories: enrichment: false + reasoning: >- + The action is a mutation action (assigning an entity) and does not fetch data + for enrichment purposes. It does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -223,35 +336,86 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It takes `Entity ID` and + `Entity Type` as direct input parameters from the action configuration, rather + than operating on entities already present in the case. Assign Group: - ai_description: "### General Description\nThe **Assign Group** action allows users\ - \ to add multiple members to a specific group within the Vectra RUX platform.\ - \ This action is designed to manage group memberships dynamically, supporting\ - \ various group types such as hosts, accounts, IPs, or domains. It appends the\ - \ provided members to the existing group list without overwriting current members.\n\ - \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| **Group ID** | String | Yes | The unique numerical identifier\ - \ of the target group in Vectra RUX. |\n| **Members** | String | Yes | A comma-separated\ - \ list of member identifiers to be added to the group. The identifier type (e.g.,\ - \ IP address, Hostname, Account UID) must correspond to the group's specific type.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction and Validation**: The action\ - \ retrieves the `Group ID` and `Members` list. It validates that the `Group ID`\ - \ is a positive integer and parses the `Members` string into a unique list of\ - \ identifiers.\n2. **Authentication**: The action establishes a session with the\ - \ Vectra RUX API using provided client credentials.\n3. **External Mutation**:\ - \ It executes a `PATCH` request to the Vectra RUX `/groups/{group_id}` endpoint\ - \ with the `membership_action` set to `append`, effectively adding the new members\ - \ to the group.\n4. **Response Processing**: The action receives the updated group\ - \ object from Vectra. It compares the requested members against the actual members\ - \ in the updated group to identify any identifiers that failed to be assigned\ - \ (e.g., if the member does not exist in the Vectra system).\n5. **Reporting**:\ - \ \n - If successful, it generates an HTML summary table showing the group's\ - \ updated properties (ID, Name, Type, Importance) and the current member list.\n\ - \ - It provides a raw JSON result of the updated group object.\n - It returns\ - \ a status message indicating how many members were successfully assigned and\ - \ listing any that were not.\n\n### Additional Notes\n- This action performs an\ - \ **append** operation; it does not remove existing members.\n- The action will\ - \ fail if none of the provided members can be successfully assigned to the group." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies group membership in an external system (VectraRUX). This + aligns with the 'Update Identity' category, which includes modifying group memberships. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false + ai_description: >- + ### General Description + + Adds members to a specified group in the VectraRUX system. This action allows + users to append a list of members to an existing group by providing the group's + ID and the list of members to be added. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | Yes | The ID of the group to which members will be added. + | + + | Members | string | Yes | A comma-separated list of members to assign to the + group. | + + + ### Flow Description + + 1. Extracts configuration (API Root, Client ID, Client Secret) and action parameters + (Group ID, Members). + + 2. Validates the `Group ID` as an integer. + + 3. Initializes the `VectraRUXManager` with the provided credentials. + + 4. Calls the API to append the specified members to the group. + + 5. Compares the requested members with the updated group members to identify which + were successfully assigned. + + 6. Generates an HTML view of the group details and adds the raw JSON response + to the action results. + + + ### Additional Notes + + - The action expects the `Group ID` to be a valid integer. + + - The `Members` parameter should be a comma-separated string of member identifiers. capabilities: can_create_case_comments: false can_create_insight: false @@ -260,12 +424,19 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates group membership in the Vectra RUX platform by appending new members - to a specified group via a PATCH API request. + Appends specified members to a group in the VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to update group members in VectraRUX (can_mutate_external_data=true). + It retrieves the updated group object from the response (fetches_data=true). + It does not modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action modifies group membership in an external system (VectraRUX), which + constitutes a mutation of external data. Therefore, it cannot be classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -281,45 +452,62 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any entity-based operations. + It uses input parameters `Group ID` and `Members` to perform the action. Describe Assignment: - ai_description: >- - ### General Description - - Retrieves comprehensive details for a specific assignment in Vectra RUX using - its unique identifier. This action is used to gain visibility into the status, - ownership, and resolution outcomes of assignments related to hosts or accounts - within the Vectra platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Assignment ID | String | Yes | The unique identifier of the assignment to retrieve - details for. This value must be a valid integer. | - - - ### Flow Description - - 1. **Parameter Initialization**: The action retrieves configuration parameters - (API Root, Client ID, Client Secret) and the mandatory `Assignment ID` from the - input. - - 2. **Validation**: The `Assignment ID` is validated to ensure it is a proper integer - value. - - 3. **API Interaction**: The action initializes the `VectraRUXManager` and performs - a GET request to the Vectra API endpoint for assignments using the provided ID. - - 4. **Data Processing**: The retrieved assignment data is parsed into a structured - object containing details such as the assigned user, resolver, outcome, and associated - entity (Host or Account). - - 5. **Output Generation**: The action outputs the raw JSON response and constructs - a formatted data table titled "Describe Assignment" containing key fields for - the SOAR interface. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves details for a specific assignment ID. It does not perform + enrichment on IOCs or Assets, nor does it modify alerts, tickets, or identities. + It does not fit the specific definitions of the provided categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves detailed information\ + \ about a specific assignment from the VectraRUX platform. It allows analysts\ + \ to fetch metadata, user assignments, and resolution details for a given assignment\ + \ ID, providing visibility into the assignment's status and history within the\ + \ VectraRUX environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Assignment ID | string | Yes\ + \ | The unique identifier of the assignment to retrieve. |\n\n### Additional Notes\n\ + - This action requires valid API credentials (API Root, Client ID, Client Secret)\ + \ configured in the integration settings.\n- The action performs a read-only operation\ + \ and does not modify any data in VectraRUX or the SOAR platform.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the `SiemplifyAction`\ + \ and extracts the required configuration parameters (API Root, Client ID, Client\ + \ Secret) and the `Assignment ID` action parameter.\n2. **Validation**: The `Assignment\ + \ ID` is validated to ensure it is a valid integer.\n3. **API Interaction**: The\ + \ `VectraRUXManager` is initialized, and the `describe_assignment` method is called\ + \ to fetch the assignment details from the VectraRUX API.\n4. **Result Processing**:\ + \ \n - The raw JSON response is added to the action results.\n - The assignment\ + \ information is formatted into a CSV-based data table and added to the action\ + \ output.\n5. **Completion**: The action concludes by setting the execution status\ + \ and output message, providing the retrieved details to the analyst." capabilities: can_create_case_comments: false can_create_insight: false @@ -330,8 +518,17 @@ Describe Assignment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraRUX API to retrieve assignment + details. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify internal SOAR data (no entity updates or insights). It simply fetches + and displays information. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not gather context + about alerts or entities (it gathers context about an assignment). Therefore, + it does not meet the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -347,16 +544,50 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an `Assignment ID` as a direct + input parameter to fetch details from the VectraRUX API. Describe Detection: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves detailed information about a specific detection from the + Vectra RUX platform. This directly aligns with the 'Get Alert Information' category, + as it fetches information about an alert (detection) from the 3rd party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Describe Detection** action retrieves comprehensive details for a specific - detection from the Vectra RUX platform using its unique Detection ID. This action - is designed to provide deep-dive visibility into a security event, including its - state, category, threat level, and the source entities (hosts or accounts) involved. - It is typically used in playbooks to gather context about a specific alert identifier - before making further orchestration decisions. + detection from the Vectra RUX platform. This action is designed to provide analysts + with deep-dive information about a detection by querying the Vectra API using + a unique Detection ID. The output is presented in both a structured data table + and a raw JSON format, facilitating easier investigation and decision-making. ### Parameters Description @@ -365,40 +596,29 @@ Describe Detection: | :--- | :--- | :--- | :--- | - | Detection ID | String | Yes | The unique identifier of the detection to retrieve. - This value must be a numeric string representing a valid integer. | - - - ### Additional Notes - - - This action does not automatically iterate over entities in the current Google - SecOps case; it requires the `Detection ID` to be explicitly provided as an input - parameter. - - - The action validates the input ID to ensure it is a non-negative integer before - making the API call. + | Detection ID | string | Yes | The unique identifier of the detection to be retrieved. + This value must be a valid integer. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Detection ID` from the - input parameters. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Root, Client ID, Client Secret) from the integration configuration. - 2. **Validation:** It validates that the provided ID is a valid integer using - an internal utility function. + 2. **Parameter Extraction**: The action extracts the `Detection ID` provided by + the user. - 3. **Authentication:** The action initializes the `VectraRUXManager`, which handles - OAuth2 authentication and token management. + 3. **Validation**: The `Detection ID` is validated to ensure it is a valid integer. - 4. **API Interaction:** It performs a GET request to the Vectra RUX API endpoint - (`/api/v3.4/detections/{detection_id}`) to fetch the detection metadata. + 4. **API Interaction**: The action initializes the `VectraRUXManager` and calls + the `describe_detection` method to fetch the detection details from the Vectra + RUX API. - 5. **Data Processing:** The raw API response is parsed into a structured `Detection` - data model. + 5. **Result Formatting**: The retrieved detection data is formatted into a data + table and a JSON object, which are then added to the action results. - 6. **Output Generation:** The action populates the SOAR results with a flattened - data table for UI display and the full raw JSON response for downstream playbook - logic. + 6. **Completion**: The action concludes by setting the execution status and providing + a success or error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -409,8 +629,18 @@ Describe Detection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve detection + details based on a provided ID. It does not perform any write operations (POST/PUT/DELETE) + on external systems, nor does it modify internal SOAR case data (e.g., updating + entities, adding insights, or modifying alert status). It is a read-only enrichment + action. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches supplemental context (detection details) from an external + source (Vectra RUX) without modifying any external or internal state. This aligns + with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -426,48 +656,79 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It accepts a `Detection ID` as a direct input parameter to fetch + detection details, therefore it does not run on entities. Describe Entity: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (e.g., state, urgency, tags) for a + resource (Account or Host), which directly matches the 'Enrich Asset' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Describe Entity** action retrieves comprehensive details for a specific - entity (either a **Host** or an **Account**) from the Vectra RUX platform using - its unique identifier. This action is primarily used for deep-dive enrichment, - providing security analysts with granular information about an entity's state, - severity, urgency scores, and associated detection sets. + Retrieves detailed information for a specific entity (Account or Host) from the + VectraRUX platform. This action fetches comprehensive metadata, including state, + urgency scores, and detection history, and presents it in the action results as + a data table and raw JSON. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Entity ID** | String | Yes | The unique numerical identifier for the entity - in Vectra RUX. This value must be a valid integer. | + | Entity ID | string | Yes | The unique identifier of the entity to retrieve. + | - | **Entity Type** | DDL | Yes | Specifies the category of the entity. Supported - values are `Account` and `Host`. | + | Entity Type | ddl | Yes | The type of entity, either 'Account' or 'Host'. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the user input and validates that the ID is a valid integer. + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Entity Type). + + 2. Validates the provided Entity ID as an integer. - 2. **Manager Initialization:** It initializes the `VectraRUXManager` using the - provided API credentials (API Root, Client ID, and Client Secret). + 3. Initializes the VectraRUXManager to handle API communication. - 3. **API Interaction:** The action performs a `GET` request to the Vectra RUX - API endpoint specifically for the provided entity type and ID. + 4. Executes a GET request to the VectraRUX API to describe the specified entity. - 4. **Data Processing:** The raw JSON response is parsed into a structured `Entity` - data model. + 5. Adds the retrieved entity details to the action result as a data table and + raw JSON. - 5. **Output Generation:** The action populates the SOAR results with a data table - (CSV format) for quick viewing and the full raw JSON response for further automated - processing. + 6. Handles potential errors (e.g., invalid ID, item not found) and logs the execution + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -478,8 +739,16 @@ Describe Entity: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve entity details from the VectraRUX + API. It does not modify any external systems or internal SOAR data (it only + adds result data to the action execution). categories: enrichment: true + reasoning: >- + The action fetches contextual data about an entity from an external source (VectraRUX) + without modifying any external or internal systems. This aligns with the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -495,14 +764,47 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters rather than + iterating over the 'target_entities' list. Therefore, it does not directly operate + on SOAR entities. Download PCAP: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a specific file (PCAP) from the Vectra RUX platform. This + directly matches the 'Download File' category. It does not perform enrichment, + alert updates, or containment operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Downloads a Packet Capture (PCAP) file from Vectra RUX associated with a specific - detection ID. This action allows security analysts to retrieve raw network traffic - data for forensic investigation and detailed protocol analysis directly within - Google SecOps. + Downloads a PCAP file associated with a specific detection ID from the Vectra + RUX platform. This action retrieves the forensic PCAP file and attaches it to + the action result for further analysis. ### Parameters @@ -511,28 +813,27 @@ Download PCAP: | :--- | :--- | :--- | :--- | - | Detection ID | string | Yes | The unique identifier of the detection in Vectra - RUX for which the PCAP file should be downloaded. | + | Detection ID | string | Yes | The unique identifier of the detection for which + the PCAP file should be downloaded. | ### Flow Description - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API Root, Client ID, and Client Secret. + 1. **Initialization**: Extracts API configuration (API Root, Client ID, Client + Secret) and the `Detection ID` parameter. - 2. **Validation**: Validates that the provided `Detection ID` is a valid integer. + 2. **Manager Setup**: Initializes the `VectraRUXManager` to handle API communication. - 3. **Data Retrieval**: Performs a GET request to the Vectra RUX API endpoint `/api/v3.4/detections/{detection_id}/pcap` - to fetch the file content. + 3. **Validation**: Validates that the provided `Detection ID` is a valid integer. - 4. **File Processing**: Extracts the filename from the `Content-Disposition` header - and saves the binary content to a local path. + 4. **Data Retrieval**: Requests the PCAP file content from the Vectra RUX API + using the provided detection ID. - 5. **Attachment**: Encodes the PCAP file content into Base64 and adds it as an - attachment to the action result in Google SecOps. + 5. **File Handling**: Saves the retrieved PCAP file locally and attaches the file + content to the SOAR action result. - 6. **Completion**: Returns a success message indicating the file has been retrieved - and attached. + 6. **Completion**: Returns the execution status and a summary message indicating + success or failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -543,8 +844,17 @@ Download PCAP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a PCAP file from the Vectra RUX + API. It does not modify any external system state (no POST/PUT/DELETE on external + resources). It does not modify internal SOAR case data, entities, or insights; + it only attaches a file to the action result, which is a standard output mechanism. categories: enrichment: false + reasoning: >- + The action is a specific file retrieval task ('Download PCAP') rather than a + general enrichment action designed to gather context about entities or alerts. + Therefore, it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -560,15 +870,50 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on a provided `Detection ID` parameter, meaning it does not run on specific + entity types. List Assignments: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of assignments from an external system. It does + not match any of the specific categories like 'Enrich IOC', 'Enrich Asset', + 'Update Alert', or 'Search Events' as it is specific to assignment management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Assignments** action retrieves a list of assignments from the Vectra - RUX platform based on user-defined filtering criteria. It allows security analysts - to query assignments by account, host, assignee, resolution status, and creation - time. The results are presented in a structured data table and a raw JSON format - for further processing. + This action retrieves a list of assignments from the VectraRUX platform based + on specified filter criteria. It allows analysts to query assignments by account, + host, assignee, resolution status, and creation time, providing visibility into + current investigation assignments. ### Parameters Description @@ -577,58 +922,40 @@ List Assignments: | :--- | :--- | :--- | :--- | - | **Accounts IDs** | String | No | A comma-separated list of account IDs to filter - the assignments. | - - | **Assignees IDs** | String | No | A comma-separated list of user IDs (assignees) - to filter the assignments. | - - | **Resolution IDs** | String | No | A comma-separated list of outcome/resolution - IDs to filter the assignments. | - - | **Resolved** | DDL | No | Filters assignments by their resolution status. Options - are `None`, `True`, or `False`. | - - | **Created After** | String | No | Filters assignments created after a specific - timestamp. Supports relative formats (e.g., "2 hours", "2 days") and absolute - ISO 8601 formats. | + | Accounts IDs | string | No | Comma-separated account IDs to filter assignments. + | - | **Limit** | String | No | The maximum number of assignment records to retrieve. + | Assignees IDs | string | No | Comma-separated user IDs to filter assignments. | - | **Hosts IDs** | String | No | A comma-separated list of host IDs to filter the - assignments. | + | Resolution IDs | string | No | Comma-separated resolution IDs to filter assignments. + | + | Resolved | ddl | No | Filter assignments by resolved status (None, True, False). + | - ### Additional Notes + | Created After | string | No | Filter assignments created after a specific timestamp + (e.g., '2 days', 'yyyy-mm-dd'). | - - All ID-based parameters (Accounts, Assignees, Resolution, Hosts) are validated - as integers before being sent to the API. + | Limit | string | No | The maximum number of records to return. | - - If no assignments match the criteria, the action will complete successfully - with a message indicating no results were found. + | Hosts IDs | string | No | Comma-separated host IDs to filter assignments. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration details (API Root, - Credentials) and user-provided filter parameters. + 1. Initialize the VectraRUX manager using the configured API credentials. - 2. **Validation:** ID strings are parsed into lists of integers, and the `Limit` - parameter is validated for numeric integrity. + 2. Parse and validate the provided action parameters (filters). - 3. **Query Construction:** A mapping of query parameters is created based on the - provided filters (e.g., `resolved`, `created_after`, `accounts`, `hosts`). + 3. Construct the query parameters mapping based on the provided inputs. - 4. **API Interaction:** The `VectraRUXManager` authenticates and performs a paginated - `GET` request to the `/assignments` endpoint. + 4. Execute a GET request to the VectraRUX API to fetch the assignment list. - 5. **Data Processing:** The retrieved assignment data is parsed into internal - models for structured output. + 5. Format the retrieved assignment data into a data table for the case wall and + a JSON result for further processing. - 6. **Output Generation:** The action populates a data table named "Assignment - Details" with key assignment information and attaches the full raw JSON response - to the action result. + 6. Return the final output message indicating the number of assignments retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -639,8 +966,16 @@ List Assignments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve assignment data from the VectraRUX + API. It does not modify any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system but does not perform enrichment + on specific entities or alerts within the SOAR platform. It is a standalone + search/list action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -656,108 +991,143 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It relies solely on user-provided input parameters to query the API. List Detections: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves a collection of detections based on search parameters, + which aligns with 'Search Events' and 'Get Alert Information'. It does not perform + enrichment on a specific IOC or asset, nor does it perform any mutation actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description This action retrieves a list of detections from the Vectra RUX platform based - on a wide variety of filtering criteria. It is primarily used for searching and - auditing detections associated with specific entities (Hosts or Accounts) or broad - categories within the Vectra environment. The results are presented as a formatted - data table on the case wall and as a raw JSON object for further playbook processing. + on various filtering criteria. It allows analysts to query detections by category, + threat score, certainty, timestamp, tags, entity type, and entity ID. The action + processes the retrieved detection data, cleans up URLs, and presents the results + in a structured data table and raw JSON format for further analysis. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts configuration parameters (API + Root, Client ID, Client Secret) and action parameters (filters like Detection + Category, Threat GTE, Entity ID, etc.). - | :--- | :--- | :--- | :--- | + 2. **Initialization**: It initializes the `VectraRUXManager` to handle API communication. - | Detection Category | DDL | No | Filters detections by category (e.g., Exfiltration, - Lateral Movement, Reconnaissance). | + 3. **Data Retrieval**: It calls the Vectra RUX API to fetch detections matching + the provided filters. - | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to the provided integer. | + 4. **Data Processing**: The action processes the retrieved detections, including + removing API version strings from URLs and extracting relevant fields. - | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to the provided integer. | + 5. **Output Generation**: It adds the processed detections to the action output + as a data table and a raw JSON result. - | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp - greater than or equal to the provided value. | - | Last Timestamp LTE | String | No | Filters detections with a last seen timestamp - less than or equal to the provided value. | - - | Tags | String | No | A comma-separated list of tags to filter detections. | + ### Parameters Description - | Entity Type | DDL | No | Specifies the type of entity to filter by (Host or - Account). | + | Parameter | Type | Mandatory | Description | - | Entity ID | String | No | The specific ID of the entity for which to list detections. - | + | :--- | :--- | :--- | :--- | - | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a key asset (True/False). | + | Detection Category | ddl | No | Filter detections by Detection Category (e.g., + Info, Exfiltration, Lateral Movement). | - | Note Modified Timestamp GTE | String | No | Filters detections based on when - their notes were last modified. | + | Threat GTE | string | No | Filter detections whose threat score is greater than + or equal to the given value. | - | Limit | String | No | The maximum number of detection records to retrieve. | + | Certainty GTE | string | No | Filter detections whose certainty score is greater + than or equal to the given value. | - | Order | DDL | No | Specifies the sort order (Ascending or Descending). | + | Last Timestamp GTE | string | No | Filter detections based on the start of the + timestamp range. | - | Order By | DDL | No | The field to sort results by (last_timestamp, threat_score, - or certainty_score). | + | Last Timestamp LTE | string | No | Filter detections based on the end of the + timestamp range. | - | State | DDL | No | Filters detections by their current state (Active, Inactive, - Fixed). | + | Tags | string | No | Filter detections by comma-separated tags. | - | Detection Type | String | No | Filters detections by a specific detection type - string. | + | Entity Type | ddl | No | Filter detections by Entity Type (Host or Account). + | + | Entity ID | string | No | Filter detections by the specific ID of the entity. + | - ### Additional Notes + | Is Targeting Key Asset | ddl | No | Filter detections based on whether they + target a key asset. | - - The action performs validation on integer-based parameters like 'Threat GTE', - 'Certainty GTE', and 'Limit'. If invalid values are provided, the action will - fail. + | Note Modified Timestamp GTE | string | No | Filter detections based on the note + modified timestamp. | - - If 'Order By' is selected, the action automatically handles the mapping of score - fields (e.g., converting 'threat_score' to 'threat' for the API call). + | Limit | string | No | The maximum number of records to fetch. | + | Order | ddl | No | Order records by Ascending or Descending. | - ### Flow Description + | Order By | ddl | No | Field to order records by (last_timestamp, threat_score, + certainty_score). | - 1. **Parameter Extraction:** The action extracts configuration details (API Root, - Credentials) and all 15 optional filtering parameters. + | State | ddl | No | Filter detections by State (Active, Inactive, Fixed). | - 2. **Validation:** It validates that numeric inputs (Limit, Threat, Certainty) - are valid integers and processes DDL selections into the format expected by the - Vectra API. + | Detection Type | string | No | Filter detections by detection type. | - 3. **API Interaction:** The action authenticates with the Vectra RUX service and - performs a paginated GET request to the detections endpoint using the provided - filters. - 4. **Data Processing:** Retrieved detections undergo URL cleaning (removing API - version strings) and field extraction for reporting. + ### Additional Notes - 5. **Output Generation:** The action populates a data table named 'List Of Detections' - on the case wall and attaches the full raw JSON response to the action result. + - This action does not require any specific entity to be selected in the SOAR + platform, as it uses the provided `Entity ID` and `Entity Type` parameters to + perform the search. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table titled 'List Of Detections' to the case wall, which - modifies the internal case data representation. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve detection + data based on provided filters. It does not modify any external or internal + system state. It adds a data table and raw JSON to the action results, which + is standard for reporting and enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Vectra RUX) and does not mutate + any external or internal systems. It fits the criteria for an enrichment action + as it provides supplemental context (detections) for investigation. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -773,86 +1143,69 @@ List Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts `Entity + ID` and `Entity Type` as input parameters to perform the search, meaning it + does not run on specific SOAR entities. List Entities: - ai_description: >- - ### General Description - - The **List Entities** action retrieves a filtered list of entities (either Hosts - or Accounts) from the Vectra RUX platform. It serves as a search utility allowing - analysts to query the Vectra environment for specific entity data based on various - attributes like threat scores, status, and timestamps. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Entity Type** | DDL | Yes | Specifies the category of entities to retrieve. - Valid values are 'Host' or 'Account'. | - - | **Order By** | DDL | No | Determines the field used to sort the records (e.g., - urgency_score, last_detection_timestamp). | - - | **Fields** | Multi-choice | No | Allows the user to select specific data fields - to be returned in the results. | - - | **Name** | String | No | Filters the results to entities matching a specific - name. | - - | **State** | DDL | No | Filters entities by their current state: 'Active' or - 'Inactive'. | - - | **Last Detection Timestamp GTE** | String | No | Filters for entities where - the last detection occurred on or after this timestamp. | - - | **Last Detection Timestamp LTE** | String | No | Filters for entities where - the last detection occurred on or before this timestamp. | - - | **Tags** | String | No | Filters entities by a comma-separated list of tags. - | - - | **Note Modified Timestamp GTE** | String | No | Filters for entities where notes - were modified on or after this timestamp. | - - | **Prioritized** | DDL | No | Filters entities based on their prioritization - status (True/False). | - - | **Limit** | String | No | The maximum number of entity records to fetch from - the API. | - - | **Order** | DDL | No | Specifies the sorting direction: 'Ascending' or 'Descending'. - | - - - ### Additional Notes - - - This action is a search/query tool and does not process entities currently associated - with the SOAR case (it does not iterate over `target_entities`). - - - The action automatically cleans API versioning from returned URLs to ensure - they are user-friendly. - - - ### Flow Description - - 1. **Initialization:** The action extracts the Vectra RUX configuration and user-provided - filter parameters. - - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid - positive integer. - - 3. **API Query:** It executes a GET request to the Vectra RUX `/entities` endpoint, - applying all provided filters and handling pagination if the requested limit exceeds - the default page size. - - 4. **Data Refinement:** The action processes the raw JSON response, removing internal - API version strings from URLs and extracting a set of mandatory fields (ID, Name, - Severity, etc.) for the summary view. - - 5. **Output:** It generates a CSV-formatted data table for the SOAR case wall - and attaches the full raw JSON response for further automated processing. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of assets (hosts or accounts) from the Vectra RUX + platform based on search criteria. This matches the 'Search Asset' category. + It does not enrich specific IOCs or assets, nor does it perform any containment + or ticket management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Retrieves a list of entities (hosts or accounts) from the Vectra\ + \ RUX platform based on specified filtering criteria. \n\n### Flow Description\n\ + 1. Extracts configuration parameters (API Root, Client ID, Client Secret).\n2.\ + \ Extracts action parameters (Entity Type, Limit, Order By, Fields, Name, State,\ + \ etc.).\n3. Initializes the `VectraRUXManager` and calls the `list_entities`\ + \ method with the provided filters.\n4. Processes the retrieved entities, removing\ + \ API version strings from URLs.\n5. Constructs a CSV table of the entities and\ + \ adds it to the action results.\n6. Adds the full JSON response of the entities\ + \ to the action results.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Entity Type | ddl | Yes |\ + \ The type of entity to retrieve (e.g., \"account\", \"host\"). |\n| Order By\ + \ | ddl | No | Sorts records by fields like `urgency_score`, `last_detection_timestamp`,\ + \ `name`, or `last_modified_timestamp`. Use \"-\" for descending order. |\n| Fields\ + \ | multi_choice_parameter | No | Filter the fields to show in the output. |\n\ + | Name | string | No | Filter based on entity Name. |\n| State | ddl | No | Filter\ + \ based on State (Active, Inactive). |\n| Last Detection Timestamp GTE | string\ + \ | No | Filter based on Last Detection Timestamp GTE. |\n| Last Detection Timestamp\ + \ LTE | string | No | Filter based on Last Detection Timestamp LTE. |\n| Tags\ + \ | string | No | Filter based on Tags (comma-separated values). |\n| Note Modified\ + \ Timestamp GTE | string | No | Filter based on Note Modified Timestamp GTE. |\n\ + | Prioritized | ddl | No | Filter based on if the entity is prioritized or not.\ + \ |\n| Limit | string | No | Fetch this number of Entities. |\n| Order | ddl |\ + \ No | Filter based on ascending or descending order. |\n\n### Additional Notes\n\ + - The action does not modify any external or internal system state; it is a read-only\ + \ operation that reports data." capabilities: can_create_case_comments: false can_create_insight: false @@ -863,8 +1216,19 @@ List Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve a list of + entities based on user-provided filters. It does not modify any external system + state, nor does it update internal SOAR entities, insights, or case comments. + It simply reports the retrieved data in the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of entities from an external system. It does not + perform enrichment on existing entities (i.e., it does not update entity attributes + or add insights to them), nor does it meet the criteria for an enrichment action + as it does not proactively fetch context for existing entities in the case. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -880,29 +1244,87 @@ List Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or perform operations + on specific entities already present in the case. It takes input parameters + to query the Vectra RUX API for a list of entities. Therefore, it does not run + on entities. List Entity Detections: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves detections associated with a specific entity (Host or Account). + This provides contextual metadata about the entity's security posture, aligning + with the 'Enrich Asset' category. It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description This action retrieves a list of security detections from - Vectra AI for a specific entity identified by its ID. It allows analysts to pivot - from a known Vectra Entity ID to see all associated malicious or suspicious activities, - filtered by state and limited by count. ### Parameters Description | Parameter - | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | **Entity ID** - | String | Yes | The unique numerical identifier of the entity in Vectra. | | - **Entity Type** | DDL | Yes | The type of entity being queried. Options are 'Account' - or 'Host'. | | **Limit** | String | No | The maximum number of detection records - to return. | | **State** | DDL | Yes | Filters the detections based on their current - status in Vectra. Options include 'Active', 'Inactive', or 'Fixed'. | ### Additional - Notes - This action is a manual lookup and does not automatically process entities - from the current SOAR case; it requires the user to provide a specific Entity - ID. - The Entity ID must be a valid integer. ### Flow Description 1. **Initialization**: - The action initializes the Vectra RUX manager using the provided API credentials. - 2. **Input Validation**: It validates that the Entity ID and Limit parameters - are correctly formatted as integers. 3. **Entity Metadata Retrieval**: It performs - a lookup for the specified entity to obtain the list of detection IDs associated - with it. 4. **Detection Fetching**: It queries the Vectra API for the details - of each detection ID found, applying the State filter and the Limit constraint. - 5. **Output Generation**: The action populates a JSON result with the full detection - details and creates a data table in the case wall for quick review. + ### General Description + + This action retrieves a list of detections associated with a specific entity (Host + or Account) from the Vectra RUX platform. It allows analysts to filter detections + by their state (Active, Inactive, or Fixed) and limit the number of results returned. + The action provides visibility into the security events linked to a particular + asset, aiding in investigation and threat hunting. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | string | Yes | The unique identifier of the entity (Host or Account) + in Vectra RUX. | + + | Entity Type | ddl | Yes | The type of the entity. Options: 'Account' or 'Host'. + | + + | Limit | string | No | The maximum number of detections to return. | + + | State | ddl | Yes | The state of detections to filter by. Options: 'Active', + 'Inactive', or 'Fixed'. | + + + ### Flow Description + + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Entity ID, Entity Type, Limit, State). + + 2. **Validation**: Validates the provided Entity ID and Limit parameters. + + 3. **Entity Retrieval**: Calls the Vectra RUX API to describe the specified entity + and retrieve its associated detection IDs. + + 4. **Detection Fetching**: If detections exist, it queries the Vectra RUX API + to list the detections based on the provided state and limit. + + 5. **Output**: Returns the retrieved detections as a JSON object and displays + them in a data table within the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -913,8 +1335,16 @@ List Entity Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to retrieve entity and detection information + from the Vectra RUX API. It does not modify any external or internal system + state. It outputs data to the action result using standard SDK methods. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (detections) for an entity. It does not mutate + external systems or modify internal SOAR data (like updating entities or adding + insights). It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -930,88 +1360,97 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + ID` and `Entity Type` as input parameters. Therefore, it does not run on entities + in the context of the SOAR entity model. List Groups: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a listing utility that retrieves group information from the Vectra + RUX platform. It does not match any of the specific operational categories like + enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **List Groups** action retrieves a list of groups from the Vectra AI platform - based on various user-defined filtering criteria. It is primarily used for administrative - oversight or to gather context about existing group configurations within the - Vectra environment. The action supports extensive filtering by group name, type, - importance, and specific member identifiers like IP addresses or hostnames. - - - ### Parameters Description + Lists groups from the Vectra RUX platform based on provided filter criteria. This + action allows users to query groups by various attributes such as name, type, + importance, and associated network identifiers (IPs, hostnames, etc.). - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Last Modified Timestamp GTE | String | No | Filters for groups modified on or - after the specified timestamp (ISO 8601 format). | - - | Last Modified By | String | No | Filters groups by the username of the person - who last modified them. | - - | Name | String | No | Filters groups by their specific name. | - | Type | DDL | No | Filters groups by their category. Options include: `account`, - `ip`, `domain`, `host`, or `None`. | + ### Flow Description - | Limit | String | No | Specifies the maximum number of group records to retrieve. - Defaults to a system maximum if not provided. | + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + credentials) and action-specific filters (e.g., Name, Type, IPs, Limit) from the + integration settings. - | Account Names | String | No | A comma-separated list of account names to filter - the groups. | + 2. **Initialization**: The `VectraRUXManager` is initialized with the provided + API credentials to establish a connection. - | Domains | String | No | A comma-separated list of domain names to filter the - groups. | + 3. **Data Retrieval**: The action queries the Vectra RUX API to fetch groups matching + the specified filters. - | Host Ids | String | No | A comma-separated list of host IDs to filter the groups. - | + 4. **Result Formatting**: If groups are found, the action formats the retrieved + data into a table and a JSON result, which are then added to the action output. - | Host Names | String | No | A comma-separated list of host names to filter the - groups. | - | Importance | DDL | No | Filters groups by their assigned importance level. Options: - `low`, `medium`, `high`, `never_prioritize`, or `None`. | + ### Parameters Description - | IPs | String | No | A comma-separated list of IP addresses to filter the groups. - | + | Parameter | Type | Mandatory | Description | - | Description | String | No | Performs a case-insensitive match against the group's - description field. | + | :--- | :--- | :--- | :--- | + | Last Modified Timestamp GTE | string | No | Last modified timestamp (greater + or equal) of the group. | - ### Additional Notes + | Last Modified By | string | No | Username who has modified the group. | - - Comma-separated parameters (like IPs or Host Names) are automatically parsed - into lists before the API request is made. + | Name | string | No | Name of the group. | - - The action utilizes pagination to ensure that large sets of results are handled - efficiently up to the specified limit. + | Type | ddl | No | Type of group (account, ip, domain, host). | + | Limit | string | No | Specify the limit for fetching records. | - ### Flow Description + | Account Names | string | No | Comma-separated values of account names. | - 1. **Initialization**: The action extracts the necessary API credentials (API - Root, Client ID, Client Secret) and all optional filtering parameters. + | Domains | string | No | Comma-separated values of domains. | - 2. **Validation**: It validates the `Limit` parameter to ensure it is a non-negative - integer. + | Host Ids | string | No | Comma-separated values of host IDs. | - 3. **Data Processing**: Comma-separated string inputs for accounts, domains, hosts, - and IPs are converted into clean lists for API consumption. + | Host Names | string | No | Comma-separated values of host names. | - 4. **API Request**: The action authenticates with Vectra AI and sends a GET request - to the `/groups` endpoint, applying all provided filters as query parameters. + | Importance | ddl | No | Importance of the group (low, medium, high, never_prioritize). + | - 5. **Pagination**: If the number of results exceeds the page size, the action - iterates through subsequent pages until the `Limit` is reached or all data is - retrieved. + | IPs | string | No | Comma-separated values of IPs. | - 6. **Output**: The retrieved group details are formatted into a SOAR data table - titled "List Of Groups" and the raw JSON response is attached to the action result. + | Description | string | No | Description of the group (case-insensitive match). + | capabilities: can_create_case_comments: false can_create_insight: false @@ -1022,8 +1461,17 @@ List Groups: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve a list of + groups based on user-provided filters. It does not modify any external systems, + nor does it modify internal case data or entities. It simply reports the retrieved + data in the action results. categories: enrichment: false + reasoning: >- + The action is a utility for listing groups from an external system. It does + not proactively fetch context for specific entities or alerts to enrich them, + nor does it meet the criteria for an enrichment action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1039,31 +1487,72 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to filter the list of groups retrieved from the API. List Outcomes: - ai_description: "### General Description\nRetrieves a comprehensive list of all\ - \ assignment outcomes from the Vectra RUX platform. This action is primarily used\ - \ to identify the available resolution types and categories that can be applied\ - \ when managing assignments or detections within Vectra. The results are presented\ - \ both as a structured data table and a raw JSON object for downstream automation.\n\ - \n### Parameters Description\n| Parameter | Description | Type | Mandatory | Notes\ - \ |\n| :--- | :--- | :--- | :--- | :--- |\n| Limit | Specifies the maximum number\ - \ of outcome records to retrieve from the API. | String | No | If provided, must\ - \ be a valid positive integer. If omitted, the action fetches all available records\ - \ up to the integration's default limit. |\n\n### Additional Notes\n- This action\ - \ does not operate on specific entities (IPs, Hosts, etc.) and can be run as a\ - \ standalone task within a playbook.\n- The 'Limit' parameter is validated to\ - \ ensure it is a positive integer; providing '0' or a negative number will result\ - \ in an execution failure.\n\n### Flow Description\n1. **Authentication**: Establishes\ - \ a session with the Vectra RUX API using the configured API Root, Client ID,\ - \ and Client Secret.\n2. **Parameter Validation**: Extracts the 'Limit' parameter\ - \ and validates that it is a valid integer greater than zero.\n3. **Data Retrieval**:\ - \ Performs a paginated GET request to the `/assignment_outcomes` endpoint to fetch\ - \ the outcome definitions.\n4. **Data Processing**: Parses the raw API response\ - \ into structured Outcome objects, extracting fields such as Outcome ID, Title,\ - \ Category, and whether it is a built-in or user-selectable outcome.\n5. **Output\ - \ Generation**: \n - Constructs a data table named 'Outcome Details' for the\ - \ Case Wall.\n - Attaches the full raw response as a JSON result for use in\ - \ subsequent playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of assignment outcomes from the Vectra RUX system. + It does not match any of the specific categories like 'Enrich IOC', 'Enrich + Asset', or 'Update Alert'. It is a general data retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Lists assignment outcomes from the Vectra RUX system. This action retrieves a + list of configured outcomes, allowing analysts to view available options for assignment + resolution within the Vectra RUX platform. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Limit | string | No | Specifies the maximum number of records to fetch. | + + + ### Flow Description + + 1. Initialize the VectraRUX manager using the provided API credentials (API Root, + Client ID, Client Secret). + + 2. Validate the 'Limit' parameter to ensure it is a valid non-negative integer. + + 3. Call the Vectra RUX API to retrieve the list of assignment outcomes. + + 4. If outcomes are found, construct a data table with the outcome details and + add it to the action results. + + 5. Add the raw list of outcomes as a JSON result to the action output. + + 6. Complete the action execution with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1074,8 +1563,16 @@ List Outcomes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a list of assignment outcomes + from the Vectra RUX API. It does not modify any external or internal data, nor + does it update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data (list of outcomes) but does not enrich entities or alerts, + nor does it meet the criteria for an enrichment action (which requires updating + entities, insights, or adding comments). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1091,40 +1588,91 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or perform operations + on specific entities. List Users: - ai_description: "### General Description\nThe **List Users** action retrieves a\ - \ list of users from the Vectra RUX platform based on specified query parameters.\ - \ It allows security analysts to search for user accounts by their role, email\ - \ address, or the time of their last login. The results are presented in a structured\ - \ data table within the Google SecOps case and are also available as a raw JSON\ - \ object for further automated processing.\n\n### Parameters Description\n| Parameter\ - \ | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :---\ - \ |\n| Role | Filters the user list by a specific role (e.g., 'admin', 'readonly').\ - \ | String | No | |\n| Email | Filters the user list by a specific email address.\ - \ | String | No | |\n| Last Login GTE | Filters for users whose last login timestamp\ - \ is greater than or equal to the provided value. | String | No | Expected format\ - \ is typically ISO 8601 or as defined by the Vectra API. |\n| Limit | Specifies\ - \ the maximum number of user records to retrieve. | String | No | Must be a positive\ - \ integer. If not provided, a default system limit is applied. |\n\n### Additional\ - \ Notes\n- This action does not operate on specific entities within a case; it\ - \ performs a global search across the Vectra RUX environment.\n- If no users match\ - \ the provided criteria, the action will complete successfully with a message\ - \ stating that no users were found.\n- The `Limit` parameter is validated to ensure\ - \ it is a valid integer greater than zero if provided.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (Root\ - \ URL, Client ID, Client Secret) and the user-provided search filters (Role, Email,\ - \ Last Login GTE, Limit).\n2. **Validation:** The `Limit` parameter is validated\ - \ to ensure it is a valid integer.\n3. **Authentication:** The action authenticates\ - \ with the Vectra RUX API using OAuth2 client credentials, managing token generation\ - \ and refresh logic internally.\n4. **Data Retrieval:** A GET request is sent\ - \ to the `/users` endpoint of the Vectra RUX API, applying the specified filters\ - \ as query parameters. The action handles pagination automatically to fetch results\ - \ up to the defined limit.\n5. **Data Processing:** The raw API response is parsed\ - \ into internal user objects.\n6. **Output Generation:** \n - A data table\ - \ named \"List Of Users\" is created, containing key details like Name, Email,\ - \ Role, and Last Login.\n - The full list of user data is attached to the action\ - \ result as a JSON object.\n - A summary message is returned indicating the\ - \ number of users successfully retrieved." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of users from the VectraRUX platform. It does not + match any of the provided categories (e.g., it is not an enrichment of an IOC/Asset, + nor does it perform any containment or ticket management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves a list of users from the VectraRUX platform based on optional + filtering criteria. It allows analysts to query users by role, email, or last + login timestamp, providing a structured view of user data within the VectraRUX + environment. + + + ### Flow Description + + 1. **Initialization**: The action extracts configuration parameters (API Root, + Client ID, Client Secret) and action parameters (Role, Email, Last Login GTE, + Limit). + + 2. **Validation**: The 'Limit' parameter is validated to ensure it is a non-negative + integer. + + 3. **API Interaction**: The `VectraRUXManager` is initialized to authenticate + and communicate with the VectraRUX API. + + 4. **Data Retrieval**: The action calls the `get_user_list` method to fetch user + records from the VectraRUX API based on the provided filters. + + 5. **Output**: If users are found, the action constructs a CSV data table and + a JSON result containing the user details. If no users are found, an appropriate + message is returned. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Role | string | No | Filter users by their assigned role. | + + | Email | string | No | Filter users by their email address. | + + | Last Login GTE | string | No | Filter users whose login timestamp is greater + than or equal to the provided value. | + + | Limit | string | No | Specify the maximum number of records to fetch. | + + + ### Additional Notes + + This action does not require any specific entity context to run, as it is a standalone + utility for listing users from the VectraRUX platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1135,8 +1683,17 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve user data from the VectraRUX API. + It does not modify any external or internal systems. It outputs the results + as a data table and JSON, which are standard reporting outputs, not internal + mutations. categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not gather supplemental + context about specific alerts or entities. It is a standalone list action, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1152,22 +1709,83 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a standalone utility action to + list users. Mark Detection Fixed: - ai_description: "Marks specific detections as 'fixed' within the Vectra RUX platform.\ - \ This action allows analysts to programmatically update the status of one or\ - \ more detections by providing their unique identifiers. \n\n### Parameters\n\ - | Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ - \ :--- | :--- |\n| Detection IDs | A comma-separated list of numeric identifiers\ - \ for the detections to be marked as fixed. | String | Yes | The IDs must be valid\ - \ integers. |\n\n### Flow Description\n1. **Initialization**: Retrieves API credentials\ - \ (API Root, Client ID, Client Secret) from the integration configuration.\n2.\ - \ **Parameter Extraction**: Extracts the 'Detection IDs' string from the action\ - \ parameters.\n3. **Validation**: Splits the input string by commas and validates\ - \ that each ID is a valid integer.\n4. **API Interaction**: Sends a PATCH request\ - \ to the Vectra RUX API endpoint for detections, passing the list of IDs and setting\ - \ the 'mark_as_fixed' attribute to True.\n5. **Result Processing**: Captures the\ - \ API response, attaches it as a JSON result to the action, and provides a success\ - \ or failure message based on the outcome." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a PATCH request to an external system (Vectra RUX) to update + the status of detections. It does not match any of the provided categories (Enrichment, + Ticket, Blocklist, Containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Marks specific detections as fixed in the Vectra RUX platform. This action updates + the status of one or more detections to 'fixed' by sending a PATCH request to + the Vectra RUX API. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection IDs | string | Yes | A comma-separated list of detection IDs to be + marked as fixed. | + + + ### Flow Description + + 1. Extracts the API root and authentication credentials (Client ID, Client Secret) + from the integration configuration. + + 2. Extracts the 'Detection IDs' parameter from the action input. + + 3. Initializes the `VectraRUXManager` to handle API communication. + + 4. Parses the comma-separated string of Detection IDs into a list of integers. + + 5. Sends a `PATCH` request to the Vectra RUX API endpoint (`/api/v3.4/detections`) + with the list of detection IDs and the `mark_as_fixed` flag set to `True`. + + 6. Adds the API response to the action results using `siemplify.result.add_result_json`. + + + ### Additional Notes + + - The action requires valid API credentials to authenticate with the Vectra RUX + platform. + + - If an invalid detection ID is provided, the action will fail and log an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -1176,12 +1794,20 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of specified detections to 'fixed' in the Vectra RUX platform - via a PATCH request to the detections endpoint. + Updates the status of specified detections to 'fixed' in the Vectra RUX platform + via a PATCH request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external system (Vectra RUX) to update + the status of detections (can_mutate_external_data=true). It does not fetch + contextual data (fetches_data=false), nor does it modify internal SOAR case + data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a mutation action (PATCH request) and does not fetch data for + enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1197,44 +1823,77 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` and does not use + entity-specific identifiers to perform its task. It takes `Detection IDs` as + a parameter. Mark Entity Fixed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action marks detections as fixed in an external system. This does not align + with the provided categories, which are focused on IOCs, tickets, identities, + or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Marks all detections associated with a specific entity as 'fixed' in the Vectra - RUX platform. This action is used to programmatically resolve or acknowledge multiple - security detections linked to a single Host or Account entity simultaneously. + Marks all detections associated with a specific entity (Host or Account) as fixed + in the VectraRUX system. This action is used to update the status of security + detections in the external Vectra platform based on the provided entity identifier. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra - RUX whose detections should be marked as fixed. | + | Entity ID | string | Yes | The unique identifier of the entity to mark as fixed. + | - | Entity Type | ddl | Yes | The type of entity associated with the ID. Supported - values are 'Account' or 'Host'. | + | Entity Type | ddl | Yes | The type of the entity. Options: Account, Host. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the input parameters. + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Entity Type). - 2. **Validation:** Validates that the `Entity ID` is a valid integer. + 2. Initializes the `VectraRUXManager` to handle API communication. - 3. **Entity Retrieval:** Calls the Vectra RUX API to describe the entity and retrieve - the list of all associated `detection_ids` currently linked to that entity. + 3. Calls `describe_entity` to retrieve the entity details and its associated detection + IDs. - 4. **Detection Update:** If detections are found, the action sends a PATCH request - to the Vectra RUX detections endpoint to update the state of all retrieved detection - IDs to 'fixed'. + 4. If detections are found, sends a PATCH request to the VectraRUX API to mark + the identified detections as fixed. - 5. **Result Reporting:** Adds the raw API response to the action's JSON results - and provides a summary message indicating the number of detections updated. + 5. Adds the API response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1243,12 +1902,19 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of detections in the Vectra RUX platform by marking them as - 'fixed' via a PATCH request. + Marks detections associated with the specified entity as fixed in the external + VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity details (GET) to retrieve detection IDs and then performs + a PATCH request to update the state of those detections in the external VectraRUX + system. It does not modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (marking detections as fixed), which violates + the 'Read-Only' constraint required for Enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1264,53 +1930,77 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters ('Entity ID', 'Entity Type') provided by the user + to perform its task. It does not iterate over or process the `siemplify.target_entities` + list. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional outcomes like enriching data, blocking IOCs, or managing tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity between the Google SecOps (Chronicle) server and the Vectra - RUX platform. This action ensures that the provided credentials (Client ID and - Client Secret) and the API Root URL are correct and that the SOAR server can successfully - authenticate and communicate with the Vectra API. + Tests the connectivity of the Chronicle SOAR server to the Vectra platform. This + action validates the API credentials by attempting to authenticate with the Vectra + RUX API. It retrieves an OAuth token to verify that the integration is correctly + configured and that the SOAR server can communicate with the external service. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Vectra RUX instance. | + | API Root | string | Yes | The base URL of the Vectra RUX API. | - | Client ID | String | Yes | The Client ID for OAuth2 authentication. | + | Client ID | string | Yes | The Client ID used for authentication. | - | Client Secret | String | Yes | The Client Secret for OAuth2 authentication. - | - - - ### Additional Notes - - This action is typically used during the initial setup of the integration to verify - that the configuration is correct. It does not process any entities or modify - any data. The parameters listed are configuration parameters required for the - integration to function. + | Client Secret | string | Yes | The Client Secret used for authentication. | ### Flow Description - 1. **Initialization**: The action starts by retrieving the integration's configuration - parameters: API Root, Client ID, and Client Secret. + 1. The action initializes the `VectraRUXManager` using the provided API Root, + Client ID, and Client Secret. - 2. **Manager Setup**: It initializes the `VectraRUXManager`, which handles the - session and authentication logic. + 2. It attempts to establish a connection by calling `test_connectivity()`. - 3. **Connectivity Test**: The manager calls the `test_connectivity` method, which - internally attempts to generate or refresh an OAuth2 access token using the provided - credentials. + 3. The manager generates an OAuth token by sending a POST request to the authentication + endpoint. - 4. **Result Handling**: If a token is successfully retrieved, the action reports - a successful connection. If an error occurs (e.g., invalid credentials, network - timeout), the action fails and provides an error message. + 4. If the authentication is successful, the action logs a success message and + completes. + + 5. If the authentication fails, the action logs the error and marks the execution + as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1321,8 +2011,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + Vectra RUX API. It does not fetch contextual data, mutate external data (other + than standard authentication), or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a connectivity test (Ping). Per the instructions, Ping actions + are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1338,22 +2035,78 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Remove Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes an assignment from an entity in Vectra RUX. This is a state + change in the external system. It does not match any of the provided categories + (Enrich IOC, Enrich Asset, Update Alert, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - General Description: Removes the assignment for a specified entity (Account or - Host) in Vectra AI. This action is used to clear ownership or status of an entity - within the Vectra platform, typically when an investigation is concluded or needs - to be reset. Parameters Description: 1. Entity ID (String, Mandatory): The unique - numeric identifier of the entity in Vectra. 2. Entity Type (DDL, Mandatory): The - category of the entity, which must be either 'Account' or 'Host'. Flow Description: - 1. Validation: The action validates that the provided Entity ID is a valid integer. - 2. Information Retrieval: It fetches current metadata for the specified entity - from Vectra to check for an existing assignment. 3. Assignment Identification: - If an assignment is found, the action extracts the specific assignment ID. 4. - Removal: It sends a DELETE request to the Vectra API to remove the identified - assignment. 5. Outcome: Reports success if the assignment was deleted or failure - if the entity had no active assignment. Additional Notes: This action requires - valid API credentials (Client ID and Secret) and the API Root of the Vectra instance. + ### General Description + + Removes an assignment from a specified entity (Account or Host) in Vectra RUX. + This action identifies the assignment associated with the provided entity ID and + type, then deletes the assignment record from the external system. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | string | Yes | The ID of the entity to remove the assignment from. + | + + | Entity Type | ddl | Yes | The type of the entity (Account or Host). | + + + ### Additional Notes + + None. + + + ### Flow Description + + 1. Extracts configuration (API credentials) and action parameters (Entity ID, + Entity Type). + + 2. Initializes the Vectra RUX manager. + + 3. Retrieves the entity information to identify the current assignment. + + 4. If an assignment exists, it deletes the assignment using the assignment ID. + + 5. Returns the operation status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1362,12 +2115,19 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing assignment record in Vectra AI via a DELETE request to the - assignments API endpoint. + Deletes an assignment record from the Vectra RUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity information to find an assignment ID and then performs + a DELETE request to remove that assignment from the Vectra RUX system. It does + not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a deletion on an external system (Vectra RUX), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1383,65 +2143,80 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters (`Entity ID`, `Entity Type`) to identify the + target, rather than iterating over `siemplify.target_entities`. Therefore, it + does not run on entities in the context of the SOAR entity model. Remove Group: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies group memberships, which aligns with the 'Update Identity' + category definition: 'Modifies account metadata, such as group memberships, + permissions, or contact information.' + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- - ### General Description - - Removes specified members from a group in Vectra AI using the group's unique identifier. - This action allows for the automated management of group memberships, which is - useful for containment or policy enforcement workflows. It supports removing various - member types (IPs, Hostnames, Accounts, Domains) depending on the group's configuration - in Vectra. + Removes specified members from a group in the Vectra RUX platform. This action + retrieves the current group membership, performs the removal operation, and provides + a summary of the changes. - ### Parameters Description - + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique identifier of the target group in Vectra - AI. This value must be a valid integer. | - - | Members | String | Yes | A comma-separated list of member identifiers to be - removed from the group. The identifier type must match the group's type (e.g., - IP addresses for IP groups, account UIDs for account groups). | - - - ### Additional Notes - - - The action performs a validation check on the `Group ID` to ensure it is a positive - integer. - - - If the action is unable to remove any of the provided members (e.g., if the - members were not part of the group or the identifiers were invalid), the action - will return a failure status. + | Group ID | string | Yes | The ID of the specific group from which members should + be removed. | - - The action provides a detailed HTML table showing the updated group properties - and its remaining members. + | Members | string | Yes | A comma-separated list of members to remove from the + group. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the `Group ID` and the list of `Members` - from the action input. + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Group ID, Members). - 2. **Validation:** Validates that the `Group ID` is a valid integer and processes - the `Members` string into a clean list. + 2. **Validation**: Validates that the Group ID is a valid integer. - 3. **Pre-check:** Fetches the current members of the group from Vectra AI to establish - a baseline. + 3. **Fetch**: Retrieves the current list of members for the specified group using + the Vectra RUX API. - 4. **Mutation:** Sends a `PATCH` request to the Vectra AI API with the `membership_action` - set to `remove` for the specified members. + 4. **Mutation**: Calls the Vectra RUX API to remove the specified members from + the group. - 5. **Result Processing:** Compares the API response with the requested removal - list to determine which members were successfully removed and which were not. + 5. **Verification**: Compares the requested removals against the updated group + membership to determine which members were successfully removed. - 6. **Output Generation:** Creates an HTML representation of the updated group, - attaches the raw JSON response, and returns a success or failure message based - on the outcome. + 6. **Reporting**: Generates an HTML view of the group details and adds the raw + JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1450,12 +2225,20 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra AI by sending a PATCH request - to the group's endpoint with the 'remove' membership action. + Removes specified members from a group in the Vectra RUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current group members to verify the state before performing + a removal. It then performs a PATCH request to the Vectra RUX API to remove + members from a group, which constitutes an external data mutation. It does not + modify internal SOAR case data, entities, or alert status. categories: enrichment: false + reasoning: >- + The action performs an external mutation (removing members from a group), which + violates the 'External State Preservation' rule for enrichment actions. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1471,54 +2254,80 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `target_entities` attribute. + It relies solely on input parameters provided by the user. Remove Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes a note from an external system. This does not align with + any of the provided categories such as enrichment, containment, ticketing, or + alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Removes a specific note from an entity within the Vectra RUX system. This action + allows analysts to clean up or remove outdated or incorrect notes associated with + accounts, hosts, or detections. - Removes a specific note from a designated entity within the Vectra platform. This - action allows users to manage and clean up annotations on Hosts, Accounts, or - Detections by providing the unique identifiers for both the entity and the note. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity (Host, Account, - or Detection) from which the note will be removed. | - - | Note ID | String | Yes | The unique identifier of the specific note to be deleted. - | - - | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account', - 'Host', and 'Detection'. | - - - ### Additional Notes + | Entity ID | string | Yes | The unique identifier of the entity from which the + note should be removed. | - - The action validates that both the 'Entity ID' and 'Note ID' are valid integers - before attempting the API call. + | Note ID | string | Yes | The unique identifier of the note to be removed. | - - This action performs a hard delete of the note in the external Vectra system. + | Entity Type | ddl | Yes | The type of the entity (e.g., Account, Host, Detection). + | ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Client ID, - Secret) and the action parameters (Entity ID, Note ID, Entity Type). + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + the necessary configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Note ID, Entity Type). + + 2. **Manager Setup**: It initializes the `VectraRUXManager` to handle API communication. - 2. **Validation**: Validates that the provided 'Entity ID' and 'Note ID' are integers - using a utility manager. + 3. **Validation**: It validates that the provided Entity ID and Note ID are valid + integers. - 3. **API Interaction**: Initializes the VectraRUXManager and executes a DELETE - request to the specific note endpoint: `api/v3.4/entities/{entity_id}/notes/{note_id}`. + 4. **Execution**: It calls the `remove_note` method of the `VectraRUXManager`, + which performs a DELETE request to the Vectra RUX API to remove the specified + note. - 4. **Result Handling**: If the request is successful, it returns a completion - status. If the note or entity is not found, or if permissions are insufficient, - it catches the specific exception and fails the action with a descriptive error - message. + 5. **Completion**: It logs the outcome and returns a success or failure message + to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1527,12 +2336,19 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note record from an entity (Host, Account, or Detection) - within the Vectra platform via a DELETE API request. + The action deletes a note from the Vectra RUX system via an API call. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API (Vectra RUX) to remove + a note. It does not fetch data (no GET requests for context), does not update + internal SOAR entities, and does not create insights or comments. It is a pure + external mutation action. categories: enrichment: false + reasoning: >- + The action does not fetch data, so it cannot be an enrichment action. It is + a management/mutation action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1548,61 +2364,86 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses input parameters ('Entity ID', 'Entity Type') provided by the + user to identify the target, rather than iterating over the `siemplify.target_entities` + list. Therefore, it does not run on entities in the context of the SOAR entity + model. Remove Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates tags on an entity in the VectraRUX platform. None of the + provided product categories (e.g., Enrich IOC, Contain Host, Update Alert) specifically + cover the modification of entity tags. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Remove Tags** action allows users to remove specific tags from an entity - within the Vectra RUX platform. It supports three types of entities: **Account**, - **Host**, and **Detection**. The action first retrieves the existing tags for - the specified entity, filters out the tags requested for removal, and then updates - the entity with the remaining tags. + Removes specified tags from an entity (Account, Host, or Detection) within the + VectraRUX platform. This action retrieves the current tags for the specified entity, + removes the requested tags from the list, and updates the entity's tag configuration + in the external system. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Tags** | String | Yes | A comma-separated list of tags to be removed from - the entity. | + | Tags | string | Yes | A comma-separated list of tags to remove from the entity. + | - | **Entity ID** | String | Yes | The unique identifier of the entity (Account, - Host, or Detection) from which tags should be removed. | + | Entity ID | string | Yes | The unique identifier of the entity (Account, Host, + or Detection). | - | **Entity Type** | DDL | Yes | The type of entity. Options are: `Account`, `Host`, - or `Detection`. | + | Entity Type | ddl | Yes | The type of the entity. Supported values: Account, + Host, Detection. | ### Flow Description - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API credentials (API Root, Client ID, and Client Secret). + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Tags, Entity ID, Entity Type). - 2. **Parameter Processing**: It parses the comma-separated `Tags` input into a - unique list and validates that the `Entity ID` is a valid integer. + 2. Initializes the VectraRUX manager to handle API communication. - 3. **Fetch Current State**: The action calls the Vectra API to retrieve the current - list of tags associated with the specified `Entity ID` and `Entity Type`. + 3. Validates the Entity ID and fetches the current tags for the specified entity + using the `get_entity_tags` method. - 4. **Tag Comparison**: It compares the requested tags against the existing tags. - If a requested tag exists, it is marked for removal. - - 5. **Update External System**: If valid tags were found and removed, the action - sends a `PATCH` request to the Vectra platform to update the entity's tag list. - - 6. **Reporting**: The action generates a JSON result and a data table ('Tag Updated - Status') summarizing the success or failure of the removal for each tag. - - - ### Additional Notes + 4. Compares the requested tags with the existing tags and removes the matches. - - If none of the tags provided in the input exist on the target entity, the action - will fail with a `TagsUpdateFailException`. + 5. Updates the entity's tags in the VectraRUX platform using the `update_tags` + method. - - The `Entity Type` parameter is case-insensitive in the logic but provided as - a DDL for user convenience. + 6. Logs the operation status and adds the result to the action output as a JSON + object and a data table. capabilities: can_create_case_comments: false can_create_insight: false @@ -1611,12 +2452,20 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the entity's tag list in Vectra RUX by removing the specified tags via - a PATCH request. + Updates the tag list for an entity (Account, Host, or Detection) in the external + VectraRUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the external VectraRUX system (GET request) + and subsequently performs a PATCH request to update the entity's tags. It does + not modify internal SOAR case data or update SOAR entity objects directly. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (updating tags), which + violates the requirement for an enrichment action to be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1632,65 +2481,91 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts `Entity + ID` and `Entity Type` as direct input parameters to identify the target, meaning + it does not operate on the SOAR entity model. Resolve Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action resolves an assignment in the Vectra RUX platform. This is an operational + update to an external record, which aligns with the 'Update Ticket' category + as assignments are effectively tickets in this context. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- ### General Description - Resolves a specific assignment in Vectra RUX using a provided Assignment ID and - Outcome ID. This action allows analysts to programmatically close assignments - in the Vectra platform, optionally applying triage rules, notes, and associating - specific detection IDs with the resolution. + Resolves an assignment in the Vectra RUX platform. This action allows analysts + to update the status of an assignment by providing an outcome ID and optional + metadata such as notes, triage rules, and associated detection IDs. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Assignment ID, Outcome ID, Note Title, Triage + As, Detection IDs). - | :--- | :--- | :--- | :--- | + 2. **Validation**: Validates the provided Assignment ID, Outcome ID, and Triage + As parameters to ensure they meet the required format and constraints. - | Outcome ID | String | Yes | The ID representing the resolution outcome. Standard - values include 1 (Benign True Positive), 2 (Malicious True Positive), and 3 (False - Positive). Custom outcome IDs are also supported. | + 3. **Execution**: Initializes the `VectraRUXManager` and performs a PUT request + to the Vectra API to resolve the specified assignment. - | Assignment ID | String | Yes | The unique integer identifier of the assignment - to be resolved. | + 4. **Output**: Adds the resolution result as a JSON object and a data table to + the action results. - | Note Title | String | No | An optional note or title to be attached to the assignment - resolution record. | - | Triage As | String | No | An optional triage rule to apply to the assignment. - | - - | Detection IDs | String | No | A comma-separated list of integer detection IDs - to be associated with this resolution. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - **Dependency:** If the **Triage As** parameter is provided, at least one **Detection - ID** must also be provided; otherwise, the action will fail with a validation - error. + | Assignment ID | string | Yes | The ID of the assignment to resolve. | - - **Validation:** Both the **Assignment ID** and **Outcome ID** must be valid - integer strings. + | Outcome ID | string | Yes | The outcome ID for resolving the assignment (e.g., + 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False Positive). + | + | Note Title | string | No | A note to be added for resolving the assignment. + | - ### Flow Description + | Triage As | string | No | Triage rule for resolving the assignment. | - 1. **Parameter Extraction and Validation:** The action retrieves all input parameters - and validates that the Assignment ID and Outcome ID are integers. It also ensures - that if a triage rule is specified, detection IDs are also present. + | Detection IDs | string | No | A list of Integer detection IDs separated by commas + or a single detection ID. | - 2. **Authentication:** The action authenticates with the Vectra RUX API using - the provided Client ID and Client Secret to obtain a bearer token. - 3. **API Request:** It executes a `PUT` request to the Vectra RUX resolution endpoint - (`/assignments/{assignment_id}/resolve`) with a payload containing the outcome, - notes, and triage details. + ### Additional Notes - 4. **Result Handling:** Upon a successful API response, the action parses the - updated assignment object, adds the raw JSON to the execution results, and generates - a data table for the case wall displaying the resolution details. + If 'Triage As' is provided, at least one 'Detection ID' must also be provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -1699,12 +2574,19 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an assignment in the Vectra RUX platform to 'Resolved' - and applies specific outcomes, notes, and triage rules via a PUT request. - fetches_data: true + Resolves an assignment in the Vectra RUX platform via a PUT request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Vectra API to resolve an assignment. + It does not fetch data for enrichment purposes, nor does it modify internal + SOAR entities or case data. It is a state-changing operation on an external + system. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data to enrich entities + or alerts. It is a mutation action on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1720,47 +2602,84 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It operates on an `Assignment + ID` provided as a parameter. Unmark Detection Fixed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of detections in an external product (VectraRUX). + It does not match any of the provided categories, such as enrichment, containment, + or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Unmarks specified detections as fixed in the Vectra AI platform. This action is - used to revert the status of detections that were previously marked as resolved - or fixed, allowing them to be re-evaluated or tracked as active issues within - the Vectra console. + Unmarks specific detections as fixed in the VectraRUX platform. This action allows + analysts to revert the 'fixed' status of detections, ensuring they remain visible + or active for further investigation. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration**: The action retrieves the API Root, Client ID, and Client + Secret from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the comma-separated list of Detection + IDs from the action parameters. - | Detection IDs | String | Yes | Comma-separated values of numeric IDs for the - detections to be unmarked as fixed. | + 3. **Initialization**: The `VectraRUXManager` is initialized with the provided + credentials to establish a connection to the VectraRUX API. + 4. **Validation**: The provided Detection IDs are validated to ensure they are + integers. - ### Flow Description + 5. **Execution**: The action sends a `PATCH` request to the VectraRUX API to update + the status of the specified detections, setting `mark_as_fixed` to `False`. - 1. **Initialization**: The action initializes the VectraRUXManager using the provided - API Root, Client ID, and Client Secret to establish an authenticated session. + 6. **Result**: The API response is added to the action result as a JSON object. - 2. **Parameter Parsing**: It extracts the `Detection IDs` string from the input, - splits it by commas, and validates that each ID is a valid integer. - 3. **API Interaction**: It sends a PATCH request to the Vectra AI detections endpoint - (`/api/v3.4/detections`) with a payload containing the list of IDs and the `mark_as_fixed` - flag set to `False`. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 4. **Result Handling**: The raw JSON response from the Vectra API is captured - and added to the action's result JSON, and the action completes with a success - message if the request was processed. + | :--- | :--- | :--- | :--- | + + | Detection IDs | string | Yes | A comma-separated list of Detection IDs to be + unmarked as fixed. | ### Additional Notes - This action does not operate on Google SecOps entities; it requires the manual - provision of Detection IDs via the action parameters. + This action performs a state change in the external VectraRUX system. Ensure that + the provided Detection IDs are valid and exist within the VectraRUX environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -1769,12 +2688,21 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in Vectra AI by unmarking them as - fixed via a PATCH request to the detections endpoint. + Updates the 'fixed' status of detections in the VectraRUX platform by sending + a PATCH request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the VectraRUX API to update the status + of specific detections. It does not fetch data for enrichment, nor does it modify + internal SOAR entities, case wall, or insights. It only adds the result of the + API call to the action output. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating detection status) and does not retrieve + data for enrichment. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1790,13 +2718,46 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies entirely on a user-provided parameter for Detection IDs. Update Assignment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an assignment in the VectraRUX system. It does not match + any of the provided categories (e.g., Enrich IOC, Update Alert, Create Ticket, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Updates the assigned user for a Vectra RUX assignment associated with a specific - entity. This action is used to reassign investigations or tasks within the Vectra - platform to a different user by targeting the assignment linked to a Host or Account. + Updates the assigned user for a specific assignment in the VectraRUX system. This + action retrieves the assignment ID associated with a given entity and then updates + that assignment to the specified user. ### Parameters @@ -1805,38 +2766,28 @@ Update Assignment: | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity (Host or Account) - whose assignment is being updated. | + | Entity ID | string | Yes | The ID of the entity (Account or Host) whose assignment + is being updated. | - | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, - `Host`. | + | Entity Type | ddl | Yes | The type of the entity (Account or Host). | - | User ID | String | Yes | The unique identifier of the Vectra user to whom the - assignment will be transferred. | + | User ID | string | Yes | The ID of the user to assign the assignment to. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Entity ID, Entity Type, - and target User ID from the input parameters. - - 2. **Validation**: It validates that the Entity ID and User ID are valid integers. + 1. Extract configuration parameters (API Root, Client ID, Client Secret) and action + parameters (Entity ID, Entity Type, User ID). - 3. **Assignment Retrieval**: It queries the Vectra API to find the specific assignment - ID associated with the provided entity. + 2. Validate that the provided Entity ID and User ID are valid integers. - 4. **Update Execution**: It performs a PUT request to the Vectra assignments endpoint - to update the `assign_to_user_id` field with the new User ID. + 3. Initialize the VectraRUXManager to handle API interactions. - 5. **Result Reporting**: The action returns the updated assignment details as - a JSON object and populates a data table named "Updated Assignment" for visibility - in the case wall. + 4. Fetch the specific entity information to retrieve the associated `assignment_id`. + 5. Perform a PUT request to update the assignment with the provided `user_id`. - ### Additional Notes - - The action will fail if the specified entity does not have an active assignment - or if the provided IDs are invalid. + 6. Add the response data and a summary table to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1845,12 +2796,18 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the assigned user for a specific assignment in Vectra RUX via a PUT - request to the assignments API endpoint. + Updates the assigned user for a specific assignment in the VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity information (GET) and updates an assignment (PUT) + in the external VectraRUX system. It does not modify internal SOAR data (entities, + insights, or case comments). categories: enrichment: false + reasoning: >- + The action mutates external data (updates an assignment), which violates the + 'Read-Only' requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1866,3 +2823,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters 'Entity ID' and 'Entity Type' provided by the user, + rather than iterating over 'siemplify.target_entities'. Therefore, it does not + run on entities in the context of the SOAR entity model. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..e41935713 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,69 @@ +Vectra RUX - Entities Connector: + ai_description: >- + ### General Description + + The Vectra RUX - Entities Connector is designed to integrate the Vectra RUX platform + with Google SecOps (SOAR). It periodically retrieves security entities (such as + Hosts or Accounts) and their associated detections from Vectra RUX, mapping them + into structured alerts and events within the SOAR platform for further investigation + and response. This connector ensures that security teams can monitor and act upon + high-priority entities identified by Vectra RUX. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Vectra RUX API. | + + | Client ID | String | Yes | Unique identifier for API authentication. | + + | Client Secret | Password | Yes | Confidential key for API authentication. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Entity Type | String | Yes | The type of entity to fetch (Account or Host). + | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Limit | Integer | No | Maximum number of entities to fetch per iteration. | + + | Max Hours Backwards | Integer | No | Time window (in hours) to look back for + new entities. | + + | Prioritized | Boolean | No | If enabled, only fetches entities with a priority + score above the threshold. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the connector + script. | + + | Specific Tag | String | No | A specific tag used to filter the retrieved entities. + | + + + ### Flow Description + + 1. The connector initializes and authenticates with the Vectra RUX API using the + provided credentials. + + 2. It calculates the start time based on the `Max Hours Backwards` parameter to + determine the data retrieval window. + + 3. It queries the Vectra RUX API to list entities (Hosts or Accounts) based on + the configured filters (e.g., entity type, priority, tags). + + 4. For each retrieved entity, the connector fetches associated active detections. + + 5. It maps each entity to a SOAR alert and its associated detections to alert + events, including relevant metadata and assignments. + + 6. The connector checks for duplicates and overflow conditions before ingesting + the alerts into the SOAR platform. + + 7. Finally, it updates the internal state (timestamps and processed IDs) to ensure + subsequent iterations only fetch new data. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..59ed8ef6a --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml @@ -0,0 +1,27 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: true + email_security: false + iam_and_identity_management: true + itsm: true + network_security: true + reasoning: >- + The Vectra RUX integration is a cloud-native threat detection platform that ingests + entities and detections, providing visibility into suspicious activity across + cloud, data center, and network environments. It qualifies as a SIEM because its + connector ingests entities and detections for monitoring. It qualifies as EDR + because it manages hosts and retrieves detection details for them. It qualifies + as Network Security because it consolidates network data and detects threats within + the network. It qualifies as Threat Intelligence because it provides threat scores + and certainty scores for detections. It qualifies as IAM & Identity Management + because it manages accounts, group memberships, and user assignments. It qualifies + as Cloud Security because it is a cloud-native threat detection platform. It qualifies + as ITSM because it includes assignment management and resolution actions. It qualifies + as Asset Inventory because it lists and describes assets like hosts and accounts. + It does not qualify for Email Security, Vulnerability Management, or Collaboration + as it lacks specific actions for those domains. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..1f6edcf01 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,44 @@ +Vectra RUX - Clear Empty Cases Job: + ai_description: >- + ### General Description + + This job automates the maintenance of the investigation queue by identifying and + closing empty or duplicate cases originating from the Vectra RUX integration. + It helps reduce noise by automatically resolving cases that contain redundant + alerts or are deemed non-malicious based on cross-case analysis. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Hours Backwards | String | No | The time window (in hours) to look back + for open cases. Use '0' to fetch all open cases. Default is 24. | + + | Environments | String | Yes | A comma-separated list of environments to process. + | + + | Products | String | Yes | A comma-separated list of product field names to process. + | + + + ### Flow Description + + 1. Initialize job parameters and retrieve the last successful run timestamp from + the job context. + + 2. Fetch all open cases from the SOAR platform, optionally filtered by the specified + time window. + + 3. For each case, retrieve associated entities and their corresponding detections. + + 4. Filter the detections based on the provided `Environments` and `Products` parameters. + + 5. Analyze the collected alerts to identify identical or duplicate events across + different cases. + + 6. Automatically close cases or remove specific alerts identified as duplicates. + + 7. Save the current execution timestamp to the job context for the next run. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml index 0220713c0..a8be4cc66 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml @@ -1,68 +1,82 @@ Get Alerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches alert information from the Vorlon server based on provided + filters. This matches the 'Get Alert Information' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action retrieves a list of alerts from the Vorlon platform based on user-defined - filters. It is primarily used for searching and auditing alerts within the Vorlon - environment, allowing analysts to fetch specific alert details or broad sets of - alerts based on service IDs, timeframes, and status. + Retrieves a list of alerts from the Vorlon server based on specified filtering + criteria. This action allows users to filter alerts by requesting or responding + services, specific alert IDs, time ranges (From/To), alert status, and result + limits. The retrieved alert data is returned as a JSON result for further analysis + within the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Requesting Service | String | No | A comma-separated list of requesting service - IDs to include in the filter. | + | Requesting Service | string | No | Requesting service id(s) to include, specified + as a comma separated list of ids. | - | Responding Service | String | No | A comma-separated list of responding service - IDs to include in the filter. | + | Responding Service | string | No | Responding service id(s) to include, specified + as a comma separated list of ids. | - | Alert IDs | String | No | A comma-separated list of specific alert IDs to retrieve. - | - - | From | String | No | Filter alerts from this start time. Expected format: "YYYY-MM-DDTHH:MM:SS" - (e.g., 2023-01-01T00:00:00). | + | Alert IDs | string | No | The list of alert ids to retrieve, specified as a + comma separated list of ids. | - | To | String | No | Filter alerts up to this end time. Expected format: "YYYY-MM-DDTHH:MM:SS". + | From | string | No | Filter by start time in the format "YYYY-MM-DDTHH:MM:SS". | - | Alert Status | DDL | No | The status of alerts to retrieve. Options: `open`, - `dismissed`, `resolved`. Default is `open`. | - - | Limit | String | No | The maximum number of alerts to return. Default is 100. - | - - - ### Additional Notes - - - The action performs time conversion from the provided string format to epoch - timestamps required by the Vorlon API. + | To | string | No | Filter by end time in the format "YYYY-MM-DDTHH:MM:SS". | - - If no alerts are found, the action returns an empty JSON object. + | Alert Status | ddl | No | The list of alert statuses to retrieve (open, dismissed, + resolved). Default is 'open'. | - - This action does not operate on specific entities within the Google SecOps case; - it is a standalone search action. + | Limit | string | No | Filter by limit. Default is '100'. | ### Flow Description - 1. **Initialization**: The action extracts configuration credentials (API Root, - Client ID, Client Secret) and action parameters. + 1. The action initializes the VorlonManager using the provided API credentials. - 2. **Authentication**: It initializes the `VorlonManager`, which handles OAuth2 - token retrieval and session management. + 2. It extracts the user-provided filter parameters (services, IDs, time range, + status, limit). - 3. **Data Preparation**: It cleans input strings (removing extra spaces) and converts - the `From` and `To` time strings into epoch timestamps. + 3. It calls the `get_alerts` method on the VorlonManager, which performs a GET + request to the `/rest/v1/alerts` endpoint. - 4. **API Request**: It sends a GET request to the `/rest/v1/alerts` endpoint with - the constructed query parameters. + 4. The retrieved alert data is added to the action result using `siemplify.result.add_result_json`. - 5. **Result Processing**: The retrieved alerts are added to the action's JSON - result, and the action completes successfully. + 5. The action completes with a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -73,8 +87,15 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vorlon API to retrieve alert information. + It does not modify any external systems, nor does it update internal SOAR entities, + insights, or case data. categories: enrichment: false + reasoning: >- + The action retrieves data (alerts) but does not enrich existing entities or + alerts. It is a data retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -90,48 +111,75 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any entities. It operates independently + of the entity model. Get All Services: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of services from the Vorlon server. It does not + match any of the specific categories provided (e.g., Enrich IOC, Enrich Asset, + Update Alert, etc.) as it is a general information retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get All Services** action retrieves a comprehensive list of all detected - and observed services from the Vorlon platform. This action is primarily used - for visibility and auditing, allowing users to see the full scope of services - monitored by the Vorlon integration. + This action retrieves a comprehensive list of all detected and observed services + from the Vorlon server. It is designed to provide visibility into the service + landscape managed by the Vorlon integration. - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: - - * **API Root**: The base URL of the Vorlon API. - - * **Client ID**: The unique identifier for API authentication. + ### Flow Description - * **Client Secret**: The secret key for API authentication. + 1. The action initializes the `VorlonManager` using the integration's configuration + parameters: `API Root`, `Client ID`, and `Client Secret`. + 2. It performs a GET request to the `/rest/v1/services` endpoint of the Vorlon + API. - ### Additional Notes + 3. The retrieved list of services is returned as a JSON result in the action output. - This action does not operate on specific entities (such as IPs or Hostnames) and - instead fetches a global list of services from the connected Vorlon instance. - The results are returned as a raw JSON object. + 4. If the request fails, the action logs the error and terminates with a failure + status. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action initializes the connection to the Vorlon platform - using the provided API Root and credentials. + There are no input parameters for this action. The action relies on the integration's + global configuration settings (API Root, Client ID, Client Secret) to authenticate + and communicate with the Vorlon server. - 2. **Authentication**: It retrieves an OAuth2 access token using the Client ID - and Client Secret. - 3. **Data Retrieval**: The action performs a GET request to the `/rest/v1/services` - endpoint to fetch all service data. + ### Additional Notes - 4. **Output**: The retrieved service list is attached to the action results as - a JSON object, and the action completes with a success message. + This action is a read-only operation and does not modify any data in the Vorlon + system or the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -142,8 +190,16 @@ Get All Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve service data from the Vorlon API. + It does not modify any external systems (no POST/PUT/DELETE), nor does it modify + internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not enrich specific + entities or alerts. It is a general data retrieval action and does not meet + the criteria for an Enrichment Action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -159,67 +215,89 @@ Get All Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It fetches global service data + from the Vorlon API. Get Connection Summary: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves connection summary data from an external API. It does not + match any of the specific categories like enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Connection Summary** action retrieves a summary of network connections - for a specific service from the Vorlon platform. This action is used to gather - high-level connection statistics and metadata, allowing users to filter results - by instance, time range, and connection type (observed or detected). + This action retrieves a connection summary for a specified service from the Vorlon + server. It allows users to filter the summary by instance ID, time range, connection + type, and specific secret IDs. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Service ID** | string | Yes | The unique identifier (typically the service - name or application name) for which to retrieve the connection summary. | + | Service ID | string | Yes | The service or app name to get the connections summary + for. | - | **Instance ID** | string | No | If provided, filters the connection summary - by a specific instance ID of the service. | + | Instance ID | string | No | If provided, filter by the instance ID of the service. + | - | **From** | string | No | Filters connections starting from this timestamp. Expected - format: `YYYY-MM-DDTHH:MM:SS` (e.g., `2023-01-01T12:00:00`). | + | From | string | No | If provided, filter by from time in the format "YYYY-MM-DDTHH:MM:SS". + | - | **To** | string | No | Filters connections up to this timestamp. Expected format: - `YYYY-MM-DDTHH:MM:SS` (e.g., `2023-01-01T13:00:00`). | + | To | string | No | If provided, filter by to time in the format "YYYY-MM-DDTHH:MM:SS". + | - | **Type** | ddl | No | The type of connection to retrieve. Available options - are `observed` (default) or `detected`. | + | Type | string | No | Type of connection (observed or detected). Default is 'observed'. + | - | **Secret IDs** | string | No | A comma-separated list of secret IDs to filter - the connection summary. | + | Secret IDs | string | No | A comma-separated list of secret IDs. | ### Additional Notes - - This action does not operate on entities within the SOAR case; it relies entirely - on the provided `Service ID` and optional filter parameters. - - - The `Service ID` is a required path parameter for the underlying API request. + There are no additional notes. ### Flow Description - 1. **Parameter Extraction**: The action extracts the Vorlon API configuration - (API Root, Client ID, Client Secret) and the user-provided action parameters. - - 2. **Time Validation**: If `From` or `To` parameters are provided, the action - validates the format and converts the strings into epoch timestamps. + 1. Initialize the VorlonManager with API credentials (API Root, Client ID, Client + Secret). - 3. **API Request**: The action initializes the `VorlonManager` and calls the `get_connection_summary` - method, which sends a GET request to the Vorlon API endpoint `/rest/v1/connections/summary/{service_id}` - with the specified filters. + 2. Extract the action parameters (Service ID, Instance ID, From, To, Type, Secret + IDs). - 4. **Result Handling**: The retrieved JSON data is added to the action's result - object. + 3. Call the Vorlon API to retrieve the connection summary using the provided parameters. - 5. **Completion**: The action concludes with a success message and the fetched - data, or fails if the service ID is missing, the API returns an error, or the - response is empty. + 4. Add the retrieved JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -230,8 +308,16 @@ Get Connection Summary: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve connection summary data from the + Vorlon API. It does not modify any external or internal data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data but does not perform any of the allowed internal mutations + (update entities, create insights, add comments). Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -247,34 +333,63 @@ Get Connection Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on service-level data. Get Connections: - ai_description: "### General Description\nThe **Get Connections** action retrieves\ - \ connection details for a specific service from the Vorlon platform. It allows\ - \ security analysts to query network or application connections associated with\ - \ a service ID, providing visibility into communication patterns and associated\ - \ secrets. The results are returned as a JSON object for further processing in\ - \ playbooks.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **Service ID** | String | Yes | The unique\ - \ identifier for the service (typically the service name or app name) for which\ - \ connections are retrieved. |\n| **Instance ID** | String | No | Filters the\ - \ results by a specific instance ID of the service. |\n| **From** | String | No\ - \ | Filters connections starting from this time. Expected format: `YYYY-MM-DDTHH:MM:SS`.\ - \ |\n| **To** | String | No | Filters connections up to this time. Expected format:\ - \ `YYYY-MM-DDTHH:MM:SS`. |\n| **Secret IDs** | String | No | A comma-separated\ - \ list of secret IDs to filter the connection results. |\n| **Limit** | String\ - \ | No | The maximum number of connection records to return. Defaults to 100.\ - \ |\n\n### Additional Notes\n- The action requires a valid **Service ID** to function.\ - \ \n- Time parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` format to\ - \ be correctly converted to epoch time by the integration.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (API Root,\ - \ Client ID, Client Secret) and user-provided parameters including the mandatory\ - \ Service ID and optional filters.\n2. **Manager Initialization:** It initializes\ - \ the `VorlonManager` which handles authentication and token management.\n3. **Data\ - \ Retrieval:** The action calls the Vorlon API's connections endpoint (`/rest/v1/connections/{service_id}`)\ - \ using a GET request, passing the filters (Instance ID, time range, secrets,\ - \ and limit) as query parameters.\n4. **Result Processing:** The retrieved connection\ - \ data is attached to the action result as a JSON object, and the action completes\ - \ with a success message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves connection telemetry data from an external service. This + aligns with the 'Search Events' category, which involves returning historical + logs or telemetry data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + The 'Get Connections' action retrieves connection telemetry data for a specified + service from the Vorlon server. This action is useful for auditing service interactions, + troubleshooting connectivity, or investigating traffic patterns. The action performs + a GET request to the Vorlon API using the provided service identifier and optional + filters. The resulting connection data is returned as a JSON object to the SOAR + platform for further analysis. ### Parameters | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | Service ID | string | Yes | The service + or application name to retrieve connections for. | | Instance ID | string | No + | Filter by the instance ID of the service. | | From | string | No | Start time + filter in YYYY-MM-DDTHH:MM:SS format. | | To | string | No | End time filter in + YYYY-MM-DDTHH:MM:SS format. | | Secret IDs | string | No | A comma-separated list + of secret IDs to filter by. | | Limit | string | No | The maximum number of results + to return (default is 100). | ### Flow Description 1. The action extracts the + necessary configuration parameters (API Root, Client ID, Client Secret) to authenticate + with the Vorlon server. 2. It extracts the action-specific parameters (Service + ID, Instance ID, From, To, Secret IDs, Limit). 3. The VorlonManager initializes + a session and authenticates using the provided credentials. 4. The action calls + the 'get_connections' method, which performs a GET request to the Vorlon API endpoint. + 5. The retrieved connection data is returned as a JSON result to the SOAR platform. + 6. If the request fails, the action logs the error and terminates with a failed + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -285,8 +400,16 @@ Get Connections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Vorlon) to retrieve connection + data. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify any internal SOAR data (no entity updates, insights, or case comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Vorlon API). However, it does + not operate on entities or alerts, nor does it enrich them. It is a data retrieval + action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -302,59 +425,85 @@ Get Connections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the SOAR entity model. It operates based on + a 'Service ID' parameter provided by the user, not on target entities. Get Linked Alerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves information about linked alerts from an external system + (Vorlon) and returns it in the result JSON. This aligns with the 'Get Alert + Information' category. It does not perform any other actions like blocking, + ticketing, or updating alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves a list of alerts from the Vorlon platform that are linked to a specific - Alert ID. Alerts are considered linked if they share the same secret ID and belong - to the same alert group. This action is primarily used for incident investigation - to identify related security events and understand the broader context of a specific - alert. + Fetches linked alerts from the Vorlon server based on a provided Alert ID. This + action retrieves a list of alerts that share the same secret ID and alert group, + providing additional context for the investigation. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts configuration parameters (API Root, Client ID, Client Secret) + to authenticate with the Vorlon server. - | **Alert ID** | String | Yes | The unique identifier of the alert for which linked - alerts should be retrieved. | + 2. It extracts action parameters, including the mandatory Alert ID and optional + filters (Alert Status, Page, Limit). - | **Alert Status** | DDL | No | Filters the linked alerts by their current status. - Supported values: `open`, `dismissed`, `resolved`. | + 3. The action initializes the VorlonManager and calls the API to retrieve linked + alerts. - | **Page** | String | No | The page number to retrieve for paginated results. - | + 4. The retrieved alert data is added to the action's result JSON for the analyst + to review. - | **Limit** | String | No | The maximum number of linked alerts to return in the - response. Default is 100. | + ### Parameters - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - This action does not process SecOps entities; it operates solely based on the - provided **Alert ID** parameter. + | :--- | :--- | :--- | :--- | - - The retrieved data is returned as a JSON object, which can be used for downstream - logic in playbooks. + | Alert ID | string | Yes | The ID of the alert for which linked alerts should + be returned. | + | Alert Status | ddl | No | Filter the linked alerts by status (e.g., open, dismissed, + resolved). | - ### Flow Description + | Page | string | No | The page number for pagination. | - 1. **Initialization**: The action extracts the Vorlon API configuration (API Root, - Client ID, Client Secret) and the user-provided parameters. + | Limit | string | No | The maximum number of results to return. | - 2. **API Connection**: It establishes a session with the Vorlon server and retrieves - an access token. - 3. **Data Retrieval**: The action performs a GET request to the Vorlon endpoint - `/rest/v1/alerts/linked/{id}` using the provided Alert ID and optional filters - (status, page, limit). + ### Additional Notes - 4. **Output**: The list of linked alerts is processed and added to the action's - JSON results, and a success message is returned to the SOAR platform. + This action does not modify any internal or external data; it is strictly a data + retrieval action used to gather information about related alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -365,8 +514,17 @@ Get Linked Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vorlon API to retrieve linked alerts. + It does not mutate any external systems (no POST/PUT/DELETE) and does not modify + any internal SOAR data (no entity updates, insights, or comments). It simply + returns the fetched data in the result JSON. categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not perform any internal mutations (such + as updating entities, creating insights, or adding comments) to enrich the case. + It is a data retrieval action rather than an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -382,55 +540,81 @@ Get Linked Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on an input parameter `Alert ID` provided by the user, not on SOAR entities. Get Secrets: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves secret details from an external system. It does not match + any of the defined product categories (e.g., Enrich IOC, Enrich Asset, Update + Alert, etc.) as it is not performing enrichment on entities or alerts, nor is + it modifying any system state. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves detailed information about secrets from the Vorlon platform. This action - allows users to fetch data for specific secrets using their unique identifiers - or to retrieve all secrets associated with a particular service. The retrieved - data is returned as a JSON object for use in subsequent playbook steps. + This action retrieves secret details from the Vorlon server. It allows users to + query secrets either by providing a specific Service ID or a list of Secret IDs. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Service ID** | String | No | The unique identifier (typically the service - name) for which to retrieve associated secrets. | + | Service ID | string | No | The ID of the service (typically the service name). + | - | **Secret IDs** | String | No | A comma-separated list of specific secret IDs - to retrieve details for. | + | Secret IDs | string | No | A comma-separated list of secret IDs. | ### Additional Notes - - **Mutual Exclusivity:** The action requires exactly one of the two parameters - to be provided. If both `Service ID` and `Secret IDs` are provided, or if neither - is provided, the action will fail with an error message. - - - **Entity Support:** This action does not operate on SecOps entities; it is a - data retrieval utility based on user-provided parameters. + Either `Service ID` or `Secret IDs` must be provided for the action to execute + successfully. ### Flow Description - 1. **Initialization:** The action initializes the Vorlon manager using the API - Root, Client ID, and Client Secret from the integration configuration. + 1. The action extracts the necessary configuration parameters (API Root, Client + ID, Client Secret) to authenticate with the Vorlon server. + + 2. It extracts the `Service ID` and `Secret IDs` from the action parameters. - 2. **Parameter Extraction:** It extracts the `Service ID` and `Secret IDs` from - the action parameters. + 3. It initializes the `VorlonManager` with the provided credentials. - 3. **Validation & Request:** The manager validates that only one parameter is - set and then performs a GET request to the `/rest/v1/secrets` endpoint on the - Vorlon server. + 4. It calls the `get_secrets` method, which sends a GET request to the Vorlon + API to retrieve the requested secret details. - 4. **Result Handling:** The resulting secret data is added to the action's JSON - result, and the action completes with a success message if the data is successfully - fetched. + 5. The retrieved secret details are returned as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -441,8 +625,17 @@ Get Secrets: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches secret details from the Vorlon server using a GET request. + It does not mutate any external systems, nor does it modify any internal Google + SecOps data (entities, insights, or comments). It simply returns the retrieved + data as a JSON result. categories: enrichment: false + reasoning: >- + The action fetches data but does not perform any enrichment on entities or alerts. + It does not update entities, add insights, or add comments. Therefore, it does + not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -458,29 +651,86 @@ Get Secrets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It retrieves data based + on user-provided parameters (`Service ID` or `Secret IDs`) and does not perform + any filtering on entities. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the **Vorlon** instance.\ - \ It ensures that the provided credentials (Client ID and Client Secret) are valid\ - \ and that the API Root is reachable.\n\n### Parameters Description\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **API\ - \ Root** | String | Yes | The base URL of the Vorlon API instance. |\n| **Client\ - \ ID** | String | Yes | The unique identifier for the API client used for authentication.\ - \ |\n| **Client Secret** | String | Yes | The secret key associated with the Client\ - \ ID for secure authentication. |\n\n*Note: These parameters are extracted from\ - \ the integration configuration rather than action-specific inputs.*\n\n### Flow\ - \ Description\n1. **Initialization**: The action starts by initializing the Siemplify\ - \ context and logging the start of the process.\n2. **Configuration Extraction**:\ - \ It retrieves the `API Root`, `Client ID`, and `Client Secret` from the Vorlon\ - \ integration settings.\n3. **Manager Setup**: It instantiates the `VorlonManager`.\ - \ During instantiation, the manager automatically attempts to retrieve an OAuth2\ - \ access token using the provided credentials.\n4. **Connectivity Test**: The\ - \ action calls the `test_connectivity` method, which performs a `GET` request\ - \ to the `/rest/v1/services` endpoint of the Vorlon API.\n5. **Result Handling**:\ - \ \n * If the request is successful, the action completes with a success\ - \ message.\n * If an error occurs (e.g., authentication failure, network\ - \ timeout), the exception is caught, and the action fails with a descriptive error\ - \ message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the defined + product categories (Enrichment, Containment, Ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The Ping action verifies connectivity between the Google SecOps SOAR platform + and the Vorlon instance. It ensures that the integration configuration (API Root, + Client ID, and Client Secret) is valid and that the server is reachable. + + + ### Parameters Description + + There are no action-specific parameters for this action. However, the action relies + on the following integration configuration parameters: + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Vorlon API. | + + | Client ID | String | Yes | The client ID used for authentication. | + + | Client Secret | String | Yes | The client secret used for authentication. | + + + ### Additional Notes + + This action is strictly for connectivity testing and does not perform any data + enrichment or system modifications. + + + ### Flow Description + + 1. Initialize the `SiemplifyAction` object. + + 2. Extract the required integration configuration parameters (API Root, Client + ID, Client Secret). + + 3. Instantiate the `VorlonManager` with the provided credentials. + + 4. Execute the `test_connectivity` method, which performs a GET request to the + Vorlon services endpoint. + + 5. Return a success or failure message based on the connectivity test result. capabilities: can_create_case_comments: false can_create_insight: false @@ -491,8 +741,17 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Vorlon server. + It does not modify any external or internal data, nor does it interact with + entities. While it performs a network request, it does not fetch contextual + data for alerts or entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not fetch data to enrich entities, nor does it perform any state + changes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -508,69 +767,95 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Update Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an alert on the external Vorlon system. The 'Update Alert' + category is defined as changing the status, severity, or assignee of the alert + *within the SecOps platform*, which does not apply here. Therefore, none of + the provided categories match. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Updates an alert on the Vorlon server. This action takes a JSON-formatted alert + update request as input and sends it to the Vorlon API to modify the alert's status + or details. - Updates an alert's details or status within the Vorlon platform. This action allows - for programmatic management of alerts, such as dismissing them or changing their - status, by providing a JSON-formatted update request. It is primarily used for - workflow automation where alert states need to be synchronized between Google - SecOps and the Vorlon server. + ### Flow - ### Parameters Description + 1. Extracts the required configuration parameters (API Root, Client ID, Client + Secret) and the `Alert Object` parameter. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. Initializes the `VorlonManager` with the provided credentials. - | Alert Object | String | Yes | The alert update request JSON body. This string - must be a valid JSON object containing the `alert_id` and the desired changes - (e.g., `new_status`, `apply_to_linked_alerts`). | + 3. Sends a `PUT` request to the Vorlon API endpoint (`/rest/v1/alerts/update`) + with the provided JSON body. + 4. Returns the response from the server as a JSON result. - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the connection configuration - (API Root, Client ID, Client Secret) and the mandatory `Alert Object` parameter. - 2. **Manager Initialization**: It initializes the `VorlonManager`, which handles - OAuth2 token generation and session management. + ### Parameters - 3. **JSON Validation**: The action attempts to parse the `Alert Object` string - into a Python dictionary. If the string is not valid JSON, the action fails with - an informative error. + | Parameter | Type | Mandatory | Description | - 4. **External API Call**: It performs a `PUT` request to the Vorlon API endpoint - `/rest/v1/alerts/update` using the parsed JSON body. + | :--- | :--- | :--- | :--- | - 5. **Result Handling**: The response from the Vorlon server (the updated alert - object) is captured and added to the action's JSON results. The action then completes - with a success message. + | Alert Object | string | Yes | The alert update request JSON body. Example: `{"alert_id": + "1234567890", "apply_to_linked_alerts": false, "new_status": "dismissed"}` | ### Additional Notes - - This action does not operate on SecOps entities; it requires a specific JSON - payload to identify the target alert in the external system. - - - Ensure the `Alert Object` follows the schema expected by the Vorlon API to avoid - 400-series errors. + - This action performs a mutation on an external system (Vorlon server). capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: false + can_modify_alert_data: true can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignment, or metadata of an alert in the Vorlon platform - via a PUT request to the /rest/v1/alerts/update endpoint. - fetches_data: true + Updates the alert status or details on the external Vorlon server via a PUT + request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API to update an alert's status + or details. It does not fetch data, nor does it modify internal SecOps entities + or cases. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data; it performs + a mutation (update) on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -586,3 +871,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity + objects. It takes a raw JSON string as input. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..738bceedb --- /dev/null +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,62 @@ +Vorlon Connector: + ai_description: >- + ### General Description + + The Vorlon Connector enables the ingestion of security alerts from the Vorlon + platform into Google SecOps. It facilitates automated monitoring by periodically + querying the Vorlon API for new alerts, mapping them to standardized case formats, + and creating incidents within the SOAR environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL for the Vorlon API (e.g., https://.vorlon.io). + | + + | Client ID | String | Yes | The Client ID used for authentication. | + + | Client Secret | Password | Yes | The Client Secret used for authentication. + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Max Days Backwards | String | No | The number of days to look back when fetching + incidents (default is 1). | + + | Max Incidents per Fetch | String | Yes | The maximum number of incidents to + retrieve in a single fetch. | + + | Open Alerts Only | Boolean | No | If enabled, fetches only alerts with an "open" + status; otherwise, fetches all statuses. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Vorlon API using the + provided Client ID and Client Secret to obtain an access token. + + 2. **Initialization**: It retrieves configuration parameters and determines the + time range for fetching alerts based on the last successful execution timestamp + or the `Max Days Backwards` setting. + + 3. **Data Fetching**: It queries the Vorlon `/rest/v1/alerts` endpoint, applying + filters for status (if configured) and time range. + + 4. **Case Creation**: For each retrieved alert, the connector creates a corresponding + event and maps it into a `CaseInfo` object, including details like start/end times, + severity, and service information. + + 5. **Ingestion**: The mapped cases are returned to the SOAR platform for processing, + and the latest timestamp is saved to ensure subsequent fetches start from the + correct point. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0f855e630 --- /dev/null +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Vorlon integration is primarily focused on the discovery, monitoring, and + risk profiling of third-party applications and data in motion. The connector facilitates + the ingestion of security alerts into the SOAR platform, which aligns with SIEM + capabilities for alert ingestion and visibility into activity. Furthermore, the + focus on third-party application risk and monitoring of cloud-based services aligns + with Cloud Security (specifically SaaS security). It does not perform EDR, Network + Security (blocking/firewall), Threat Intelligence (reputation), Email Security, + IAM, ITSM, Vulnerability Management, or Collaboration functions. It is not classified + as Asset Inventory as it focuses on third-party applications rather than internal + IT-managed devices. + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml index 11fe8e44f..edaa37232 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml @@ -1,24 +1,52 @@ Create Token: - ai_description: >- - ### General Description\nThis action creates a new webhook token within the Webhook - integration. Its primary purpose is to generate a unique endpoint (URL) that can - receive external HTTP requests. Users can configure the response that the webhook - URL provides when accessed, including the body content and the content type.\n\n### - Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- - | :--- |\n| **Default Content** | string | Yes | The content to be returned in - the response body when the generated webhook URL is accessed. |\n| **Default Content - Type** | string | Yes | The MIME type of the content (e.g., `text/html` or `application/json`). - |\n| **Timeout** | string | No | The number of seconds (up to 10) the service - should wait before returning a response to a request made to the webhook URL. - |\n\n### Flow Description\n1. **Initialization**: The action retrieves the base - URL from the integration configuration and extracts the user-provided parameters - for content, content type, and timeout.\n2. **API Interaction**: It performs a - POST request to the Webhook service's `/token` endpoint with the specified configuration.\n3. - **URL Generation**: Upon a successful response, the action extracts the unique - UUID for the new token and constructs the full webhook URL.\n4. **Completion**: - The action returns the token metadata and the generated URL as a JSON result and - marks the execution as successful.\n\n### Additional Notes\n- This action does - not process or require any SecOps entities to run. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new webhook token on an external service. It does not match + any of the predefined categories such as 'Create Ticket', 'Enrich IOC', or 'Contain + Host'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Creates a new webhook token on the configured Webhook service.\ + \ This action allows users to generate a unique webhook URL that, when accessed,\ + \ returns specified content and content type. \n\n### Flow Description\n1. Initialize\ + \ the action and retrieve the base URL from the integration configuration.\n2.\ + \ Extract the required parameters: 'Default Content', 'Default Content Type',\ + \ and the optional 'Timeout'.\n3. Invoke the `WebhookManager` to send a POST request\ + \ to the webhook service to generate a new token with the provided configuration.\n\ + 4. Construct the full webhook URL using the returned UUID and the base URL.\n\ + 5. Add the resulting JSON (containing the token details and URL) to the action\ + \ output and terminate the action.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Default\ + \ Content | string | Yes | Content to be presented upon the webhook URL click,\ + \ if successful. |\n| Default Content Type | string | Yes | Type of content to\ + \ be presented upon the new webhook URL click (e.g., text/html). |\n| Timeout\ + \ | string | No | Amount of seconds to wait before returning the response (intended\ + \ for testing timeouts). Max is 10. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -27,12 +55,19 @@ Create Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new webhook token and a corresponding unique URL endpoint on the external - Webhook service. + Creates a new webhook token on the external webhook service. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service to create a new webhook + token. It does not fetch data from external systems, nor does it modify internal + SOAR entities or case data. It only outputs the result of the creation process. categories: enrichment: false + reasoning: >- + The action creates a resource (webhook token) on an external system. It does + not fetch data for enrichment, nor does it modify internal SOAR data. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -48,50 +83,74 @@ Create Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Delete Token: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a token on an external service. This does not fit any of + the predefined categories (e.g., IOC management, identity management, ticketing, + or email operations). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + ### General description - The **Delete Token** action is designed to remove a specific webhook token from - the Webhook service. By deleting the token, the unique URL associated with it - becomes inactive and inaccessible, preventing further data from being received - or processed through that specific endpoint. This is typically used for cleanup - or to revoke access to a temporary webhook. + Deletes a specific webhook token from the Webhook service using the provided Token + ID. This action interacts with the external Webhook API to remove the token, rendering + the associated URL inaccessible. - ### Parameters + ### Parameters description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Token ID | The unique identifier of the token to be deleted. | String | Yes - | This ID is used to construct the specific API endpoint for the deletion request. + | Token ID | string | Yes | The unique identifier of the webhook token to be deleted. | - ### Flow Description + ### Additional notes - 1. **Parameter Extraction**: The action retrieves the `Token ID` provided by the - user and strips any leading/trailing whitespace. + None. - 2. **Manager Initialization**: It initializes the `WebhookManager` using the base - URL defined in the integration's configuration. - 3. **External API Call**: The action invokes the `delete_token` method in the - manager, which sends an HTTP DELETE request to the external Webhook service's - endpoint (`/token/{token_id}`). + ### Flow description - 4. **Result Handling**: The action captures the HTTP status code from the response. - If the request is successful, it marks the execution as completed and returns - a success message. If an error occurs, it logs the error and reports a failure. + 1. Extract the `Token ID` parameter from the action configuration. + 2. Initialize the `WebhookManager` with the configured base URL. - ### Additional Notes + 3. Send a DELETE request to the external Webhook service to remove the specified + token. - This action does not process or interact with entities (such as IPs or Hostnames) - within the Google SecOps case; it operates strictly based on the provided `Token - ID` parameter. + 4. Return the deletion status and update the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -100,12 +159,20 @@ Delete Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a webhook token from the external Webhook service, which permanently - removes the token and makes the associated URL endpoint inaccessible. + Deletes a webhook token from the external Webhook service, rendering the associated + URL inaccessible. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API to remove a token. It + does not fetch data, nor does it modify internal SOAR data (entities, insights, + etc.). categories: enrichment: false + reasoning: >- + The action performs a destructive operation (deletion) on an external system. + It does not fetch data for enrichment, nor does it modify internal SOAR data. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -121,68 +188,51 @@ Delete Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + a user-provided `Token ID` parameter. Get Webhook Response: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical webhook request data based on a token ID. This + aligns with the 'Search Events' category as it returns a collection of logs/telemetry. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Webhook Response** action is designed to retrieve data from a specific - webhook URL endpoint (formatted as `{Base URL}/{Token ID}`). This action is particularly - useful for scenarios where a workflow needs to wait for an external trigger, such - as a user clicking a link or an external system sending a callback. It supports - asynchronous execution, allowing the SOAR platform to poll the endpoint until - specific conditions are met. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Pending Condition** | DDL | Yes | Determines the logic for ending the action. - `TimeFrame` waits for a specific duration before fetching data. `AwaitClick` polls - the endpoint and completes as soon as at least one request is detected. | - - | **TimeFrame** | String | Yes | The number of minutes to wait before the action - fetches the data and completes. This is only relevant when `Pending Condition` - is set to `TimeFrame`. | - - | **Responses To Retrieve** | DDL | Yes | Specifies whether to retrieve `All` - recorded requests for the token or only the `Latest` one. | - - | **Token ID** | String | Yes | The unique identifier for the webhook token to - monitor. | - - - ### Additional Notes - - - This action is **asynchronous**. It will remain in an 'In Progress' state until - the specified timeframe expires or a request is received (depending on the configuration). - - - The action automatically filters out requests generated by Slackbots (identified - via User-Agent) to prevent false positives in chat-based workflows. - - - ### Flow Description - - 1. **Initialization**: The action extracts the Token ID, the pending condition, - and the retrieval preference (All vs. Latest). - - 2. **Condition Check**: - - If **TimeFrame** is selected: The action calculates the elapsed time since - the first run. If the timeframe has not yet passed, it returns an `INPROGRESS` - status. Once the timeframe expires, it fetches the requests. - - If **AwaitClick** is selected: The action immediately checks for any requests - associated with the Token ID. If no requests are found, it returns `INPROGRESS`. - If requests are found, it proceeds to completion. - 3. **Data Retrieval**: The action calls the Webhook Manager to fetch request data - from the external service. - - 4. **Filtering**: The retrieved data is filtered to remove Slackbot-related entries. - If 'Latest' was selected, only the most recent request is kept. - - 5. **Completion**: The action outputs the retrieved JSON data and provides a summary - message indicating how many requests were found or if the timeout was reached. + Fetches webhook request data for a specific token ID. The action initializes a + WebhookManager and retrieves requests based on the provided token ID. It supports + two waiting conditions: 'TimeFrame' (waits for a specified duration) and 'AwaitClick' + (polls until a request is found). It filters out Slackbot requests and returns + the data as a JSON result. Parameters: 1. Pending Condition (ddl, mandatory): + Determines the waiting logic (TimeFrame or AwaitClick). 2. TimeFrame (string, + mandatory): Minutes to wait if TimeFrame is selected. 3. Responses To Retrieve + (ddl, mandatory): Whether to retrieve 'All' or 'Latest' requests. 4. Token ID + (string, mandatory): The identifier for the webhook token. capabilities: can_create_case_comments: false can_create_insight: false @@ -193,8 +243,13 @@ Get Webhook Response: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve webhook data. It does not modify + external systems or internal SOAR data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities, so it cannot be an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -210,42 +265,69 @@ Get Webhook Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities. It uses a Token ID parameter provided + by the user. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + actions such as enriching IOCs, updating tickets, or containing hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the Webhook integration by sending a GET request to the + configured base URL. This action verifies that the integration is reachable and + properly configured. - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Webhook service. Its primary purpose is to ensure that the - integration is correctly configured and that the target service is reachable over - the network. + ### Parameters - ### Parameters Description - - There are no parameters for this action. It relies entirely on the integration's - global configuration. - + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action utilizes the **URL** parameter defined in the integration settings - to perform its check. It does not interact with any entities or alert data. + | URL | String | Yes | The base URL of the Webhook service to test connectivity + against. | ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the base URL from the Webhook - integration configuration. + 1. Initialize the `SiemplifyAction` object. + + 2. Retrieve the `URL` configuration parameter from the integration settings. - 2. **Manager Initialization**: It initializes the `WebhookManager` with the provided - base URL. + 3. Instantiate the `WebhookManager` with the provided base URL. - 3. **Connectivity Check**: The action executes the `test_connectivity` method, - which performs an HTTP GET request to the base URL. + 4. Execute the `test_connectivity` method, which performs a GET request to the + base URL to verify the service is reachable. - 4. **Execution Result**: If the GET request returns a successful status code, - the action completes with a success message. If the request fails or an exception - occurs, it returns a failure message with the error details. + 5. Return the connectivity status (success or failure) and an appropriate message. capabilities: can_create_case_comments: false can_create_insight: false @@ -254,10 +336,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Webhook service. + It does not modify any external systems, update entities, or create insights. + It is a read-only connectivity check. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. According to the + provided instructions, 'Actions named Ping must not be categorized as enrichment + actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -273,3 +363,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test that does not reference the `target_entities` list. diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d9bce6fc6 --- /dev/null +++ b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Webhook integration provides utility actions for creating, deleting, and retrieving + data from webhook endpoints. It functions as a generic HTTP request receiver and + testing tool. It does not perform security-specific operations such as threat + intelligence enrichment, host containment, identity management, or ticketing. + It does not interact with internal assets, users, or security logs in a way that + aligns with the definitions of SIEM, EDR, Network Security, or other provided + security categories. Consequently, it does not fit into any of the specified product + categories. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml index cc1ad8c50..007beb403 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml @@ -1,44 +1,71 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves WHOIS registration data for domains and URLs, which provides + contextual threat intelligence. This matches the 'Enrich IOC' category. It does + not perform any other operations such as ticket management, containment, or + alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches Hostname and URL entities by retrieving domain registration information - from the WHOIS XML API. This action helps analysts understand the ownership and - registration history of a domain by pulling data such as registrant name, organization, - and contact details directly into the Google SecOps entity profile. + This action enriches Hostname and URL entities by retrieving WHOIS registration + data from the Whois XML API. It enhances the context of these entities within + the SOAR platform by populating their additional properties with registrant details, + aiding in threat investigation and attribution. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Key | String | Yes | The API key used to authenticate with the WHOIS XML - API service. This is extracted from the integration configuration. | + | API Key | String | Yes | The API key required to authenticate with the Whois + XML API service. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the API Key from the integration's - configuration settings. + 1. **Initialization**: The action retrieves the API key from the integration configuration. - 2. **Entity Filtering**: It iterates through the target entities, selecting only - those that are either non-internal Hostnames or URLs. + 2. **Entity Filtering**: It iterates through the provided target entities, filtering + for `HOSTNAME` (excluding internal hosts) and `URL` entities. - 3. **External API Interaction**: For each eligible entity, the action sends a - GET request to the WHOIS XML API `WhoisService` endpoint using the entity's identifier - as the domain name. + 3. **Data Retrieval**: For each valid entity, it constructs a query and performs + a GET request to the Whois XML API to fetch registration information. - 4. **Data Extraction**: The action parses the JSON response to locate registrant - details within the `WhoisRecord`. + 4. **Entity Update**: If registrant details are found in the API response, the + action updates the entity's `additional_properties` with this data. - 5. **Internal Enrichment**: If registrant details are found, they are mapped to - the entity's `additional_properties`. - - 6. **Finalization**: The action updates the entities in Google SecOps with the - new metadata and attaches the raw JSON response to the action's execution results - for further review. + 5. **Finalization**: The action pushes the updated entity information back to + the SOAR platform and returns the count of successfully processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,10 +76,20 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with registrant information (name, organization, - etc.) retrieved from the WHOIS XML API. + Updates entity 'additional_properties' with registrant details retrieved from + the Whois XML API. + reasoning: >- + The action performs a GET request to an external API (Whois XML API) to retrieve + data, satisfying the 'fetches_data' requirement. It does not modify any external + systems (can_mutate_external_data=false). It updates entity properties within + the SOAR platform using 'update_entities', which constitutes an internal mutation + (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches external data (WHOIS information) and updates internal entity + properties without modifying external systems or performing unauthorized internal + mutations. This aligns with the definition of an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -70,51 +107,74 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over 'siemplify.target_entities' and explicitly filters for + 'HOSTNAME' (where 'is_internal' is false) and 'URL' (mapped to 'DestinationURL') + entity types. Get Domain Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves domain registration details, which provides context and + threat intelligence for a domain indicator. This aligns with the 'Enrich IOC' + category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Fetches domain registration and availability details from the Whois XML API. This + action retrieves comprehensive WHOIS data for a specified domain, which can be + used for threat intelligence and domain reputation analysis. - The **Get Domain Details** action retrieves comprehensive WHOIS information for - a specified domain using the WHOIS XML API. This action is designed to provide - security analysts with registration details, ownership information, and domain - status to assist in investigations and threat intelligence gathering. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Domain Name** | String | Yes | The specific domain (e.g., google.com) to be - scanned for WHOIS information. | + | Domain Name | string | Yes | The domain to scan. | - | **Check availability** | Boolean | No | If set to `true`, the action will include - a check for the domain's availability in the response. Defaults to `false`. | + | Check availability | boolean | No | Whether to check domain availability. | ### Flow Description - 1. **Initialization**: The action extracts the API Key from the integration configuration - and retrieves the target domain and availability preference from the action parameters. + 1. Extract the API key from the integration configuration. - 2. **Request Construction**: It constructs a GET request URL for the WHOIS XML - API, incorporating the API key, the target domain, and the availability check - flag. + 2. Extract the `Domain Name` and `Check availability` parameters from the action + settings. - 3. **Data Retrieval**: The action performs a synchronous HTTP GET request to the - WHOIS XML API service. + 3. Construct the API request URL with the provided parameters. - 4. **Output Generation**: The resulting JSON data is processed and added to the - action's results in two formats: as a script result (for use in subsequent playbook - steps) and as an action JSON (for display in the context details view). + 4. Execute a GET request to the Whois XML API. + 5. Add the JSON response to the action result and context details. - ### Additional Notes - - This action operates independently of the alert's entity context; it requires - the domain to be explicitly provided as a parameter rather than iterating over - entities like IP or Domain objects found in the alert. + 6. End the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -125,8 +185,16 @@ Get Domain Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Whois XML API) to retrieve + domain information. It does not modify any external systems or internal case + data (entities, insights, etc.). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Whois XML API) and does not + modify any external or internal systems. It meets the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -142,40 +210,80 @@ Get Domain Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It extracts parameters + directly from the action configuration. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined operational tasks such as enriching IOCs, updating tickets, or containing + hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + This action verifies connectivity to the Whois XML API by performing a test request. + It ensures that the provided API key is valid and that the integration can successfully + communicate with the external service. + - The **Ping** action is designed to verify the connectivity between Google SecOps - and the **WHOIS XML API** service. It ensures that the provided API credentials - are valid and that the external service is reachable. + ### Flow Description + 1. **Extract Configuration**: The action retrieves the 'API Key' from the integration + configuration. - ### Parameters Description + 2. **Construct Request**: A test GET request is constructed using the provided + API key and a hardcoded domain ('google.com'). - There are no action-specific parameters for this action. It relies on the global - integration configuration for the **API Key**. + 3. **Execute Request**: The action sends the GET request to the Whois XML API + endpoint. + 4. **Validate Response**: The response is checked for authentication errors (e.g., + 'ApiKey authenticate failed'). - ### Flow Description + 5. **Finalize**: If the request is successful, the action ends with a success + status. - 1. **Configuration Retrieval**: The action extracts the `API Key` from the integration's - configuration settings. - 2. **Connectivity Test**: It performs a `GET` request to the WHOIS XML API endpoint, - querying a hardcoded domain (`google.com`) to test the connection. + ### Parameters - 3. **Authentication Validation**: The script checks the response body for specific - error messages indicating authentication failure. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 4. **Result Reporting**: If the request is successful and no authentication errors - are found, the action completes with a "Successful Connection" status. + | API Key | String | Yes | The API key used to authenticate the request to the + Whois XML API. | ### Additional Notes - This action does not process any entities from the case; it is purely for administrative - connectivity testing. + This action is a diagnostic tool used to verify connectivity and authentication. + It does not perform any data enrichment or state changes. capabilities: can_create_case_comments: false can_create_insight: false @@ -186,8 +294,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update entities, or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed to verify connectivity. According to + the provided guidelines, Ping actions are explicitly excluded from being categorized + as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -203,3 +318,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities or any entity-specific data. + It performs a static connectivity check. diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..83643e15f --- /dev/null +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml @@ -0,0 +1,18 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides WHOIS data for domains and URLs, which is a core function + of threat intelligence enrichment. It helps analysts understand domain ownership + and reputation, which is a standard first step in investigating external indicators. + It does not perform any SIEM, EDR, Network Security, Email Security, IAM, Cloud + Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration functions. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml index 066eda885..d0c4cd7ba 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml @@ -1,8 +1,43 @@ Approval Request: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the state of an alert/case by moving it and assigning it + to a reviewer, which matches 'Update Alert'. It also sends a notification to + Slack, which matches 'Send Message'. It does not perform other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- - The **Approval Request** action is designed to pause a workflow and require manual - intervention from a designated reviewer. It facilitates the approval process by - reassigning cases within Google SecOps and notifying stakeholders via Slack. + ### General Description + + This action manages workflow approvals by assigning cases to designated reviewers + and optionally moving alerts to new cases if they are grouped. It integrates with + the Google SecOps (Siemplify) API to perform case management tasks and sends notifications + to a configured Slack webhook. ### Parameters @@ -11,37 +46,26 @@ Approval Request: | :--- | :--- | :--- | :--- | - | **Move Alert If Grouped** | boolean | No | If set to `true` (default), and the - current alert is part of a case containing multiple alerts, the action will move - this specific alert into its own new case before assigning it to the reviewer. - If `false`, the entire case is assigned as-is. | + | Move Alert If Grouped | boolean | false | If true, moves the alert to a new + case if it is currently grouped with other alerts. | ### Flow Description - 1. **Configuration Extraction:** Retrieves integration-level settings including - API credentials, the target Siemplify/SecOps hostname, Slack webhook URL, and - the designated Approval Managers. + 1. Extracts configuration parameters including API credentials, Slack webhook, + and approval managers. - 2. **Grouping Logic:** Checks the `Move Alert If Grouped` parameter. If enabled - and the case contains more than one alert, it triggers an internal API call to - move the current alert into a newly created case. + 2. Determines if the alert needs to be moved to a new case based on the `Move + Alert If Grouped` parameter and the number of alerts in the case. - 3. **Case Assignment:** Reassigns the target case (either the original or the - newly created one) to the user specified as the 'Approval Manager'. + 3. If moving is required, calls the API to move the alert to a new case. - 4. **External Notification:** Sends a formatted message to a Slack channel via - a webhook, providing a direct link to the case awaiting approval. + 4. Assigns the case (or the new case) to the specified approval manager. - 5. **Result Reporting:** Returns a JSON object containing the original case ID, - any new case ID created, and the identities of the assigned managers. + 5. Sends a notification to the configured Slack webhook. - - ### Additional Notes - - - This action requires the 'Workflow Tools' integration to be configured with - valid API credentials for the SecOps instance itself to perform the case reassignment - and alert movement. + 6. Returns a JSON result containing the original case ID, new case ID (if applicable), + and reviewer information. capabilities: can_create_case_comments: false can_create_insight: false @@ -50,14 +74,24 @@ Approval Request: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to an external Slack channel via a webhook to alert - reviewers of the pending approval request. + Moves the alert to a new case via an external API call and sends a notification + to Slack. fetches_data: true internal_data_mutation_explanation: >- - Reassigns the case owner to the designated Approval Manager and can move an - alert from one case to a new case using internal API calls. + Assigns the case to the approval manager using the internal SOAR API. + reasoning: >- + The action performs external API calls to move alerts and send Slack messages + (can_mutate_external_data=true). It also uses internal SOAR methods to assign + cases (can_mutate_internal_data=true). It fetches user profiles via an API call + (fetches_data=true). It modifies alert/case state by moving alerts and assigning + cases (can_modify_alert_data=true). It does not update entities, create insights, + or create case comments. categories: enrichment: false + reasoning: >- + The action is a workflow management tool that modifies case and alert state. + It does not fit the definition of an enrichment action as it does not retrieve + contextual data for entities to enrich their profiles. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -73,62 +107,91 @@ Approval Request: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and alert level using `siemplify.case.identifier` + and `siemplify.current_alert.identifier`. It does not iterate over `target_entities` + or use entity-specific identifiers. Approval Response: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a comment to the alert/case, matching 'Add Alert Comment'. It + also sends a message to Slack, matching 'Send Message'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Approval Response** action enables a formal approval workflow within Google - SecOps. It allows designated 'Approval Managers' to either approve or deny a pending - request. The action ensures security by verifying that the user executing the - action matches the authorized personnel or roles defined in the integration settings. - It provides a mechanism for human-in-the-loop decision-making within automated - playbooks. + The Approval Response action allows authorized users to approve or deny a workflow + request within the Google SecOps platform. It verifies the requesting user's authorization + against configured approval managers and, upon success, updates the workflow status, + logs the decision, and optionally adds comments to the case. It also provides + notifications via Slack. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: Retrieves integration settings including API + credentials, Slack webhook URL, and authorized approval managers. - | :--- | :--- | :--- | :--- | + 2. **Authorization Check**: Validates if the `original_requesting_user` matches + the primary or secondary approval manager (or their roles). - | **Action Approved** | Boolean | Yes | Determines the outcome of the request. - Set to `True` to approve or `False` to deny. | + 3. **Decision Processing**: Based on the `Action Approved` parameter, it sets + the approval status and prepares a corresponding message. - | **Response Comments** | String | No | Optional notes or justification for the - decision. If provided, these are added as a case comment and included in the Slack - notification. | + 4. **Case Commenting**: If `Response Comments` are provided, it appends these + notes to the current case and alert. + 5. **Notification**: Sends the approval/denial status message to the configured + Slack webhook. - ### Flow Description + 6. **Result Reporting**: Finalizes the action with the execution status and result + JSON. - 1. **Authorization Check**: The action identifies the user currently executing - the task (`original_requesting_user`) and compares them against the configured - `Approval Manager` and `Secondary Approval Manager`. If a manager is defined as - a role (prefixed with `@`), the action queries the Google SecOps API to verify - the user's role membership. - 2. **Decision Processing**: Based on the `Action Approved` input, the action sets - the internal result state to approved or denied. + ### Parameters Description - 3. **Internal Documentation**: If `Response Comments` are provided, the action - adds them as a comment to the current case and alert using the `add_comment` method. + | Parameter | Type | Mandatory | Description | - 4. **External Notification**: A notification message containing the decision, - the reviewer's name, and any comments is sent to a configured Slack channel via - a webhook. + | :--- | :--- | :--- | :--- | - 5. **Result Reporting**: The action returns a JSON object summarizing the review - details (reason, reviewer, comments, approval status) and sets the action's final - status. + | Action Approved | boolean | Yes | Determines if the request is approved (True) + or denied (False). | + | Response Comments | string | No | Optional notes to be added to the case wall + upon approval or denial. | - ### Additional Notes - - If an unauthorized user attempts to run this action, it will fail with a `ValueError` - and send an unauthorized access alert to Slack. + ### Additional Notes - - The `Approval Manager` configuration can accept specific usernames or role names - (prefixed with `@`). + This action does not operate on specific entities; it functions at the case and + alert level. Authorization is strictly enforced; if the user is not authorized, + the action will fail. capabilities: can_create_case_comments: true can_create_insight: false @@ -137,13 +200,18 @@ Approval Response: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to a Slack channel via a webhook to report the - approval or denial of a request. + Sends a notification message to a configured Slack webhook. fetches_data: true - internal_data_mutation_explanation: >- - Adds a comment to the case and alert if 'Response Comments' are provided. + internal_data_mutation_explanation: Adds a comment to the case wall. + reasoning: >- + The action queries the Siemplify API to verify user roles (fetches data). It + sends a message to an external Slack webhook (mutates external data). It adds + a comment to the case wall (mutates internal data/creates case comment). categories: enrichment: false + reasoning: >- + The action is a workflow/operational tool for approvals. It does not fetch context + about entities, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -159,29 +227,57 @@ Approval Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and alert context directly using `siemplify.case.identifier` + and `siemplify.current_alert.identifier`. It does not iterate over or filter + `target_entities`. Assign Case to Current User: - ai_description: "### General Description\nThe **Assign Case to Current User** action\ - \ is a workflow utility designed to automatically assign a Google SecOps case\ - \ and its current alert to the analyst who manually triggered the playbook action.\ - \ This is typically used at the beginning of a playbook to ensure that the person\ - \ investigating the case is officially recorded as the owner.\n\n### Parameters\ - \ Description\nThis action does not require any input parameters from the user\ - \ at runtime. It relies on the execution context to identify the requesting user.\n\ - \n### Additional Notes\n* **Manual Execution Required:** This action is specifically\ - \ designed for manual execution. If triggered by the 'System' user (e.g., via\ - \ an automated trigger without human intervention), the action will fail with\ - \ an error. \n* **Integration Configuration:** Requires the 'Workflow Tools' integration\ - \ to be configured with a valid Siemplify API Key, API Root, and Instance Hostname\ - \ to interact with the platform's internal API.\n\n### Flow Description\n1. **Configuration\ - \ Extraction:** The action retrieves the API credentials and connection details\ - \ for the Google SecOps instance from the integration settings.\n2. **Context\ - \ Identification:** It identifies the unique identifiers for the current case\ - \ and the active alert.\n3. **User Validation:** It retrieves the username of\ - \ the person who initiated the action (`original_requesting_user`). It checks\ - \ if the user is the 'System' user.\n4. **Assignment:** If the user is a valid\ - \ human analyst, it calls the internal API to assign the case and alert to that\ - \ specific user.\n5. **Completion:** The action logs the assignment and returns\ - \ the username as the result value." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the assignee of the case, which aligns with the 'Update Alert' + category (as it modifies alert/case metadata within the SecOps platform). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nAssigns the current case to the user who\ + \ triggered the playbook action. This action is designed to be placed at the start\ + \ of a playbook and executed when an analyst begins working on a case.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Siemplify API Key | String | Yes | The API key used\ + \ to authenticate with the Siemplify API. |\n| Siemplify API Root | String | Yes\ + \ | The base URL for the Siemplify API. |\n| Siemplify Instance Hostname | String\ + \ | Yes | The hostname of the Siemplify instance. |\n\n### Additional Notes\n\ + - This action will fail if the requesting user is the \"System\" user. \n- This\ + \ playbook action must be set to manual execution to work, as it relies on the\ + \ `original_requesting_user` context.\n\n### Flow Description\n1. Extract configuration\ + \ parameters (API Key, API Root, Hostname).\n2. Identify the current case ID,\ + \ alert ID, and the user who triggered the action.\n3. Validate that the requesting\ + \ user is not the \"System\" user.\n4. Use the `WorkflowToolsManager` to assign\ + \ the case to the requesting user via the internal `siemplify.assign_case` method." capabilities: can_create_case_comments: false can_create_insight: false @@ -192,10 +288,16 @@ Assign Case to Current User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the ownership/assignment of the case and alert within Google SecOps - to the user who executed the action. + Updates the case assignee to the user who triggered the action. + reasoning: >- + The action modifies the internal state of the case by assigning it to a specific + user. It does not fetch external data or mutate external systems. It uses internal + SOAR methods to perform the assignment. categories: enrichment: false + reasoning: >- + The action is an operational task to assign a case, not an enrichment action. + It does not fetch data from external sources. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -211,60 +313,80 @@ Assign Case to Current User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process entities from the `target_entities` list. It operates + on the case and alert identifiers directly. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a connectivity check and sends a test message to Slack. + Sending a message to Slack aligns with the 'Send Message' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - and configuration of the Workflow Tools integration. It serves as a health check - to ensure that the Google SecOps (Siemplify) environment can communicate with - its own internal API and external services like Slack. - - - ### Parameters Description + This action performs a connectivity check and configuration validation for the + 'Workflow Tools' integration. It verifies API access by querying user profiles + and tests the Slack integration by sending a test message. - This action does not require any direct input parameters. It utilizes the following - integration configuration settings to perform its checks: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Siemplify API Key | String | Yes | The API key used to authenticate requests - to the Google SecOps internal API. | + | Siemplify API Key | String | Yes | API key for authentication. | - | Siemplify API Root | String | Yes | The base URL for the Google SecOps API. - | + | Siemplify API Root | String | Yes | Base URL for the API. | - | Siemplify Instance Hostname | String | Yes | The hostname of the current instance. - | + | Siemplify Instance Hostname | String | Yes | Hostname of the instance. | - | Slack Webhook URL | String | No | The URL used to send test messages to Slack. - If omitted, the Slack test is skipped. | + | Slack Webhook URL | String | No | URL for Slack notifications. | - | Approval Manager | String | Yes | A username or role (prefixed with @) to validate - against the user profile database. | + | Approval Manager | String | Yes | Primary reviewer name or role. | - | Secondary Approval Manager | String | No | An optional secondary username or - role to validate. | + | Secondary Approval Manager | String | No | Secondary reviewer name or role. + | ### Flow Description - 1. **Configuration Retrieval**: The action extracts necessary API keys, endpoints, - and manager identities from the integration's global settings. + 1. Extracts configuration parameters (API credentials, Slack webhook, and reviewer + details). + + 2. Initializes the `WorkflowToolsManager`. - 2. **Internal API Validation**: It initializes the `WorkflowToolsManager` and - performs a lookup for the configured 'Approval Manager' and 'Secondary Approval - Manager' using the `/api/external/v1/settings/GetUserProfiles` endpoint. This - confirms the API key and root URL are correct. + 3. Validates the provided reviewer and secondary reviewer against the SecOps user + profiles via API. - 3. **External Notification Test**: If a Slack Webhook URL is provided, the action - sends a test POST request to Slack to verify outbound connectivity. + 4. Sends a test message to the configured Slack webhook. - 4. **Execution Finalization**: The action completes with a success status if the - API queries and Slack notification (if applicable) are processed without exceptions. + 5. Logs the completion status. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,13 +394,19 @@ Ping: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - The action sends a test message to a Slack Webhook URL to verify connectivity, - which creates a new message entry in the external Slack channel. + external_data_mutation_explanation: Sends a test message to a Slack webhook. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user profile data from the API (fetches_data=true) and sends + a test message to a Slack webhook (can_mutate_external_data=true). It does not + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity check. According to the + guidelines, actions named 'Ping' must not be categorized as enrichment actions. + It does not perform any data enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -294,3 +422,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use any entity-specific + identifiers. It operates based on configuration parameters provided in the integration + settings. diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5bb8cdd81 --- /dev/null +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The 'workflow_tools' integration is designed for case management, workflow orchestration, + and human-in-the-loop processes. It qualifies for 'Collaboration' because it explicitly + implements approval workflows ('Approval Request' and 'Approval Response') and + sends notifications to Slack, which aligns with the requirement for human-in-the-loop + approval and SOC notification. It also qualifies for 'ITSM' because it manages + the investigation lifecycle by assigning cases to users and adding comments to + the case wall, which serves the purpose of documenting investigations and assigning + tasks. It does not perform functions related to SIEM, EDR, Network Security, Threat + Intelligence, Email Security, IAM, Cloud Security, Vulnerability Management, or + Asset Inventory. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml index 00000494c..76f0d43cd 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml @@ -1,10 +1,39 @@ Create Meeting: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a meeting in Zoom. None of the provided categories (Enrichment, + Ticket, Alert, Identity, Containment, Email, File, etc.) match the functionality + of creating a meeting. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Creates a scheduled or instant meeting in Zoom for a specified host. This action - allows users to automate the creation of Zoom meetings directly from Google SecOps, - specifying details such as topic, start time, duration, and recording preferences. + Creates a scheduled or instant meeting in Zoom. This action interacts with the + Zoom API to provision a new meeting based on the provided configuration parameters. ### Parameters @@ -13,47 +42,38 @@ Create Meeting: | :--- | :--- | :--- | :--- | - | Meeting Type | Dropdown | Yes | Defines if the meeting is 'Instant' or 'Scheduled'. + | Meeting Type | ddl | Yes | The type of the meeting: 'Instant' or 'Scheduled'. | - | Meeting Start Time | String | Yes | The start time in GMT (yyyy-mm-dd hh:mm:ss). - Used for scheduled meetings. | - - | Meeting Topic | String | Yes | The title or topic of the meeting. | + | Meeting Start Time | string | Yes | Meeting start time (required for scheduled + meetings). Format: GMT yyyy-mm-dd hh:mm:ss. | - | Auto Recording Type | Dropdown | Yes | Specifies if the meeting should be recorded - ('local', 'cloud', or 'none'). | + | Meeting Topic | string | Yes | The topic of the meeting. | - | Time Zone | String | Yes | The time zone for the meeting (e.g., 'America/New_York'). + | Auto Recording Type | ddl | Yes | Recording setting: 'local', 'cloud', or 'none'. | - | Meeting Duration | String | Yes | The duration of the meeting in minutes. | + | Time Zone | string | Yes | The time zone in Continent/Country format. | - | Host Email Address | String | Yes | The email address of the Zoom user who will - host the meeting. | + | Meeting Duration | string | Yes | The meeting duration in minutes. | + | Host Email Address | string | Yes | The email address of the meeting host. | - ### Flow Description - - 1. **Parameter Extraction**: Retrieves meeting details (topic, type, time, duration, - timezone, recording type, and host email) from the action inputs. - 2. **Authentication**: Initializes the Zoom Manager using OAuth or JWT credentials - provided in the integration configuration. + ### Flow - 3. **Meeting Creation**: Sends a POST request to the Zoom API endpoint (`/users/{host_email}/meetings`) - with the provided configuration payload. + 1. The action extracts the required parameters from the configuration. - 4. **Result Handling**: If the meeting is created successfully, it adds the 'join_url' - as a clickable link in the SOAR interface and returns the full meeting metadata - as a JSON result. + 2. It initializes the `ZoomManager` with the integration credentials. + 3. It calls the `create_meeting` method, which performs a POST request to the + Zoom API. - ### Additional Notes + 4. If the meeting is created successfully, the action adds the meeting URL as + a link to the result and attaches the full JSON response. - - The 'Meeting Start Time' is specifically required for 'Scheduled' meetings. - - - Ensure the 'Host Email Address' corresponds to a valid user in the Zoom account. + 5. If the creation fails, the action sets the execution state to failed and logs + the error. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,12 +82,18 @@ Create Meeting: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new meeting record in the Zoom platform, which consumes API quota - and adds data to the Zoom account. + Creates a new meeting in the Zoom platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Zoom API to create a meeting, which + constitutes an external data mutation. It does not fetch data from external + systems, nor does it modify internal SOAR data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action creates a meeting in an external system (Zoom). It does not fetch + data for enrichment purposes, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -83,16 +109,51 @@ Create Meeting: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over entities. It relies solely on parameters + provided in the action configuration. Create User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new user in Zoom. None of the provided categories explicitly + cover 'Create User'. 'Update Identity' is for modifying existing accounts, not + creating new ones. Therefore, no category is selected. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Creates a new user account in Zoom using the provided user details and license - type. This action is designed to automate the provisioning of Zoom users as part - of IT or security workflows. + This action creates a new user account within the Zoom platform. It allows administrators + to provision users by specifying their first name, last name, email address, and + license type. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -104,30 +165,32 @@ Create User: | Email | string | Yes | The email address of the user to be created. | - | User Type | ddl | Yes | The user license type. Supported values: 'Basic', 'Licensed', + | User Type | ddl | Yes | The license type for the user. Options: 'Basic', 'Licensed', 'On-prem'. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: Retrieves the user's first name, last name, email, - and license type from the action parameters. + This action performs a check to see if the user already exists before attempting + creation. If the user already exists, the action will fail. The action returns + the details of the created user in the result JSON. - 2. **Pre-check**: Queries the Zoom API to check if a user with the specified email - already exists to prevent duplicate creation. - 3. **User Creation**: If the user does not exist, sends a POST request to the - Zoom `/users` endpoint with the specified user information. + ### Flow Description - 4. **Result Processing**: Captures the API response containing the new user's - details and attaches it to the action's JSON results. + 1. The action extracts the required parameters (First Name, Last Name, Email, + User Type) from the configuration. + 2. It initializes the ZoomManager using the provided integration credentials. - ### Additional Notes + 3. It attempts to fetch the user details using the provided email to check if + the user already exists. + + 4. If the user does not exist, it performs a POST request to the Zoom API to create + the new user with the specified details. - This action requires valid Zoom API credentials (either JWT or OAuth) to be configured - in the integration settings. If the user already exists, the action will fail - with a specific error message. + 5. If the creation is successful, it returns the user details in the action result; + otherwise, it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -136,12 +199,19 @@ Create User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Zoom platform via a POST request to the /users - endpoint. + Creates a new user account in the Zoom platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to check for user existence and a POST request + to create a user in Zoom. It does not modify internal SOAR data or entities, + nor does it update alert data or create insights. categories: enrichment: false + reasoning: >- + The action creates a user in an external system (Zoom). It is not an enrichment + action as it performs a mutation (creation) and does not primarily fetch data + for enrichment purposes (the fetch is a check for existence). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -157,35 +227,89 @@ Create User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It takes input parameters directly + from the action configuration and does not iterate over `target_entities`. Delete User: - ai_description: "### General Description\nThe **Delete User** action permanently\ - \ removes a user from a Zoom account. This action is designed for administrative\ - \ cleanup or security response scenarios, such as offboarding or responding to\ - \ compromised accounts. It provides the capability to transfer the user's assets\u2014\ - including future meetings, webinars, and cloud recordings\u2014to another specified\ - \ user before the deletion is executed to prevent data loss.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Deleted User Email** | String | Yes | The email address of\ - \ the user to be permanently deleted from Zoom. |\n| **Transfer Email** | String\ - \ | No | The email address of the recipient who will take ownership of the deleted\ - \ user's data. |\n| **Transfer Meeting** | Boolean | No | If set to true, transfers\ - \ all future scheduled meetings to the Transfer Email recipient. |\n| **Transfer\ - \ Recordings** | Boolean | No | If set to true, transfers all cloud recordings\ - \ to the Transfer Email recipient. |\n| **Transfer Webinar** | Boolean | No |\ - \ If set to true, transfers all future scheduled webinars to the Transfer Email\ - \ recipient. |\n\n### Additional Notes\n- The action includes a safety check:\ - \ it verifies the existence of recordings, webinars, and meetings before attempting\ - \ a transfer. If no data is found for a category, the transfer flag for that category\ - \ is automatically disabled to ensure API compatibility.\n- This action uses the\ - \ `delete` action type in the Zoom API, which is a permanent removal.\n\n### Flow\ - \ Description\n1. **Initialization**: Extracts the target user's email and transfer\ - \ configurations from the action parameters.\n2. **Data Verification**: Calls\ - \ the Zoom API to check if the user has any existing recordings, webinars, or\ - \ meetings that can be transferred.\n3. **Logic Optimization**: Adjusts the transfer\ - \ flags based on the actual presence of data to avoid unnecessary transfer requests.\n\ - 4. **Execution**: Sends a DELETE request to the Zoom `/users/{userId}` endpoint\ - \ with the specified transfer parameters.\n5. **Completion**: Returns a success\ - \ message and a JSON result indicating whether the user was successfully deleted." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a user from Zoom, which is an identity management operation. + It removes the user's access and existence in the system, which aligns with + the 'Disable Identity' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Deletes a user permanently from Zoom. This action allows for the optional transfer + of the deleted user's meetings, recordings, and webinars to another specified + user. + + + ### Flow Description + + 1. Extracts the `Deleted User Email` and transfer preferences (meetings, recordings, + webinars) from the action parameters. + + 2. Checks if the user has any meetings, recordings, or webinars to transfer using + the Zoom API. + + 3. Performs a `DELETE` request to the Zoom API to remove the user, optionally + transferring their data to the specified `Transfer Email`. + + 4. Returns the deletion status in the action result. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `Deleted User Email` | string | Yes | The email address of the user to be permanently + deleted. | + + | `Transfer Meeting` | boolean | No | If true, transfers future meetings scheduled + for the deleted user to the `Transfer Email`. | + + | `Transfer Recordings` | boolean | No | If true, transfers past recordings associated + with the deleted user to the `Transfer Email`. | + + | `Transfer Webinar` | boolean | No | If true, transfers future webinars scheduled + for the deleted user to the `Transfer Email`. | + + | `Transfer Email` | string | No | The email address of the user to whom the data + will be transferred. Required if any transfer option is set to true. | + + + ### Additional Notes + + If any of the transfer options (`Transfer Meeting`, `Transfer Recordings`, `Transfer + Webinar`) are set to true, the `Transfer Email` parameter should be provided to + specify the recipient of the transferred data. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,12 +318,20 @@ Delete User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a user account from the Zoom platform and reassigns their - meetings, webinars, and recordings to another user. + Deletes the specified user account from Zoom and optionally transfers their + data (meetings, recordings, webinars) to another user. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Zoom API to remove a user, which + constitutes an external data mutation. It also fetches data (lists meetings, + recordings, and webinars) to check for transfer eligibility before deletion. + It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external identity, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -215,54 +347,95 @@ Delete User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities`. It uses the `Deleted User + Email` parameter to identify the user to be deleted. Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves user profile information from Zoom and updates the entity + in the SOAR platform. This matches the 'Enrich Asset' category. It does not + match 'Enrich IOC' as it targets users, not indicators of compromise. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches User entities with detailed account information retrieved from Zoom. - This action identifies User entities within the case, queries the Zoom API for - their specific profile details, and maps the retrieved data back to the entity's - additional properties. It is primarily used to provide security analysts with - context regarding a user's Zoom account status, type, and other metadata during - an investigation. + This action enriches User entities by retrieving detailed profile information + from Zoom. It connects to the Zoom API using either JWT or OAuth credentials, + fetches user-specific data, and updates the entity's `additional_properties` within + the SOAR platform to provide analysts with context. - ### Parameters Description + ### Parameters - There are no action-specific parameters for this action. It relies on the global - integration configuration for authentication (JWT Token or OAuth credentials). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | JWT Token | String | No | Token used for JWT authentication. Either this or + OAuth credentials must be provided. | + + | Account ID | String | No | Account ID for OAuth authentication. | + + | Client ID | String | No | Client ID for OAuth authentication. | + + | Client Secret | String | No | Client Secret for OAuth authentication. | - * The action specifically targets entities of type `USER`. - * All retrieved data points are flattened and prefixed with 'Zoom' before being - added to the entity's properties to avoid naming collisions. + ### Additional Notes - * If a user is not found in Zoom, the action will skip that specific entity and - continue processing others. + Either the `JWT Token` or the set of OAuth parameters (`Account ID`, `Client ID`, + `Client Secret`) must be configured for the action to authenticate successfully + with Zoom. ### Flow Description - 1. **Authentication**: Initializes the Zoom Manager using either JWT or OAuth - credentials provided in the integration configuration. + 1. **Initialization**: The action initializes the `ZoomManager` using the provided + configuration parameters. + + 2. **Entity Iteration**: It iterates through all target entities provided in the + SOAR case. - 2. **Entity Filtering**: Iterates through the target entities and filters for - those with the `USER` entity type. + 3. **Filtering**: It filters the entities to process only those of type `USER`. - 3. **Data Retrieval**: For each valid User entity, it calls the Zoom API's `/users/{user_id}` - endpoint using the entity identifier (email). + 4. **Data Retrieval**: For each valid user entity, it calls the Zoom API to fetch + user details. - 4. **Data Transformation**: Flattens the resulting JSON response and adds the - 'Zoom' prefix to all keys. + 5. **Data Processing**: The retrieved user data is flattened and prefixed with + "Zoom" to ensure clarity. - 5. **Internal Update**: Updates the entity's `additional_properties` with the - transformed data and sets the `is_enriched` flag to `True`. + 6. **Entity Update**: The action updates the entity's `additional_properties` + with the Zoom data and marks the entity as enriched (`is_enriched = True`). - 6. **Finalization**: Updates the entities in Google SecOps and returns a JSON - result containing the raw data for all successfully enriched users. + 7. **Finalization**: It updates the entities in the SOAR platform and adds the + full JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,10 +446,19 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of User entities with Zoom profile data - and sets the 'is_enriched' attribute to true. + Updates entity additional_properties and sets the is_enriched flag to true within + the SOAR platform. + reasoning: >- + The action fetches user data from the Zoom API (fetches_data=true). It does + not modify external systems (can_mutate_external_data=false). It updates entity + properties within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Zoom) and updates internal + entity properties without modifying external state. This fits the definition + of an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -293,26 +475,80 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + `EntityTypes.USER`. Get Meeting Recording: - ai_description: "### General Description\nThe **Get Meeting Recording** action retrieves\ - \ metadata and the cloud sharing URL for a specific Zoom meeting recording stored\ - \ in the cloud. It allows users to programmatically access recording details using\ - \ a unique Meeting ID, facilitating investigations or automated workflows that\ - \ require access to recorded session data.\n\n### Parameters\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Meeting ID | String\ - \ | Yes | The unique identifier of the Zoom meeting recording to be retrieved.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts\ - \ the `Meeting ID` from the input parameters.\n2. **Authentication**: The action\ - \ initializes the `ZoomManager` using provided credentials (either OAuth or JWT)\ - \ to authenticate with the Zoom API.\n3. **API Request**: It performs a GET request\ - \ to the Zoom `/meetings/{meeting_id}/recordings` endpoint to fetch the recording\ - \ details.\n4. **Result Processing**: \n * Extracts the `share_url` from\ - \ the API response.\n * Adds the sharing URL as a clickable link in the Google\ - \ SecOps interface.\n * Attaches the full recording metadata as a JSON result\ - \ for downstream use.\n5. **Completion**: The action concludes by returning the\ - \ sharing URL as the primary result value.\n\n### Additional Notes\nThis action\ - \ only retrieves recordings that are stored in the Zoom Cloud. It does not support\ - \ local recordings." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves specific meeting recording details from Zoom. It does not + match any of the specific categories like 'Enrich IOC', 'Create Ticket', or + 'Contain Host'. It is a data retrieval action that does not fit the defined + product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Fetches meeting recording details from Zoom using a provided Meeting ID. This + action retrieves the recording information, including the share URL, and adds + it to the action results for the analyst to review. + + + ### Flow Description + + 1. The action initializes the `ZoomManager` using the configured integration credentials. + + 2. It extracts the `Meeting ID` parameter provided by the user. + + 3. It performs a GET request to the Zoom API to retrieve the recording details + for the specified meeting. + + 4. The action extracts the `share_url` from the response. + + 5. It adds the recording URL as a clickable link to the action result. + + 6. It adds the full JSON response containing the meeting recording details to + the action result. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Meeting ID | string | Yes | The ID of the desired meeting recording to fetch. + | + + + ### Additional Notes + + This action does not modify any external systems or internal case data. It is + a read-only operation designed to retrieve information. capabilities: can_create_case_comments: false can_create_insight: false @@ -323,8 +559,18 @@ Get Meeting Recording: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Zoom API to retrieve meeting recording + details. It does not modify any external systems or internal case data. It adds + a link and JSON result to the action output, which is standard for action results + and does not constitute internal data mutation (like updating entities or creating + insights). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external system (Zoom) but does not enrich any + entities or alerts. It does not update entities, create insights, or add case + comments. Therefore, it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -340,50 +586,82 @@ Get Meeting Recording: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Meeting ID' as a direct + input parameter to fetch data from the Zoom API. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations (e.g., enrichment, containment, ticketing). Therefore, + it does not match any of the product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The Ping action is designed to verify the connectivity between Google SecOps and - the Zoom API. It ensures that the provided credentials (either OAuth or JWT) are - valid and that the network path to the Zoom service is open. + This action tests the connectivity between the SOAR platform and the Zoom API. + It verifies that the provided credentials (either JWT or OAuth) are valid and + that the API is reachable. - ### Parameters Description + ### Flow Description + + 1. Initialize the `ZoomManager` using the provided configuration parameters (JWT + or OAuth credentials). - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: + 2. Call the `test_connectivity()` method, which performs a GET request to the + Zoom API `/users` endpoint. - * **JWT Token**: Used for JWT-based authentication (legacy). + 3. If the request is successful, return a success message. - * **Account ID**: Used for OAuth-based authentication. + 4. If the request fails, catch the exception and return a failure message. - * **Client ID**: Used for OAuth-based authentication. - * **Client Secret**: Used for OAuth-based authentication. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | --- | --- | --- | --- | - Either the JWT Token or the set of OAuth credentials (Account ID, Client ID, Client - Secret) must be configured in the integration settings for this action to function. - This action is primarily used for troubleshooting and initial setup verification. + | JWT Token | String | No | Used for JWT authentication. | + | Account ID | String | No | Used for OAuth authentication. | - ### Flow Description + | Client ID | String | No | Used for OAuth authentication. | - 1. **Initialize Manager**: The action initializes the ZoomManager using the credentials - provided in the integration configuration. + | Client Secret | String | No | Used for OAuth authentication. | - 2. **Authentication**: Depending on the configuration, it either sets the JWT - bearer token or performs an OAuth login flow to retrieve an access token. - 3. **Connectivity Test**: It executes a GET request to the Zoom `/users` endpoint - (requesting active users) to verify that the API responds successfully. + ### Additional Notes - 4. **Result Reporting**: If the request is successful, it returns a 'Connected - successfully' message. If any step fails (authentication or network), it reports - a failure with the specific error encountered. + Either the `JWT Token` or the combination of `Account ID`, `Client ID`, and `Client + Secret` must be configured for the action to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -394,8 +672,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Zoom API. It + does not mutate external data, nor does it modify any internal SecOps data or + entities. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). According to the guidelines, Ping + actions are not categorized as enrichment actions, even if they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -411,3 +696,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or perform any operations + on entities. It is a global connectivity test. diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f5082b734 --- /dev/null +++ b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The Zoom integration provides capabilities to manage user accounts, specifically + through the 'Create User' and 'Delete User' actions, and to enrich user entities + with profile information via the 'Enrich Entities' action. These operations directly + align with the 'IAM & Identity Management' category, which covers managing user + identities and retrieving user-related information. The integration does not interact + with logs, endpoints, network infrastructure, cloud infrastructure, or ticketing + systems, and therefore does not qualify for the other categories such as SIEM, + EDR, Network Security, Cloud Security, or ITSM. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml index eb6f35e5b..e003edba1 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml @@ -1,98 +1,106 @@ File Android Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis ('Submit File'), extracts + IOCs from the report ('Enrich IOC'), and adds comments to the case ('Add Alert + Comment'). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action performs automated file analysis using an Android Virtual Machine - within the ANY.RUN sandbox environment. It is designed to process file attachments - associated with a case, providing deep behavioral analysis, network activity monitoring, - and threat intelligence. The action submits the file to the ANY.RUN platform, - monitors the analysis progress, and retrieves comprehensive reports including - HTML summaries and identified Indicators of Compromise (IOCs). - + Performs Android file analysis using the ANY.RUN Sandbox. This action submits + a case attachment to the ANY.RUN Android sandbox for automated analysis, retrieves + the analysis report, and extracts indicators of compromise (IOCs). - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Timeout In Seconds | String | No | Defines the duration for the analysis task. - Range: 10-660 seconds. Default is 240. | - - | Change to valid extension | Boolean | No | If enabled, automatically adjusts - the file extension to a valid format for analysis. | + ### Flow Description - | Command line | String | No | Optional command-line arguments to be passed to - the object during analysis. | + 1. Retrieves the attachment from the case. - | System's language | String | No | Sets the operating system language for the - sandbox (e.g., 'en-US', 'Brazil'). | + 2. Submits the file to the ANY.RUN Android sandbox for analysis with specified + configuration parameters (e.g., timeout, network settings, privacy type). - | User Tags | String | No | Custom tags to categorize the task in ANY.RUN. Max - 8 tags, 16 chars each. | + 3. Adds a comment to the case with a link to the interactive analysis. - | Analysis Privacy Type | DDL | No | Sets visibility of the analysis: public, - bylink, owner, or byteam. | + 4. Polls the sandbox for the task status. - | Network Connect | Boolean | No | Enables or disables network connectivity for - the analyzed file. | + 5. Retrieves the HTML analysis report and saves it as an attachment to the case + wall. - | Network Fakenet | Boolean | No | Enables the FakeNet feature to simulate network - services. | + 6. Extracts and summarizes suspicious or malicious IOCs found during analysis + and adds them as a comment to the case. - | Network Tor | Boolean | No | Routes sandbox traffic through the TOR network. - | - | Network Geo | String | No | Specifies the geolocation for TOR or proxy exit - nodes (e.g., 'US', 'AU'). | + ### Parameters Description - | Network Mitm | Boolean | No | Enables HTTPS Man-In-The-Middle proxy for traffic - inspection. | + | Parameter | Type | Mandatory | Description | - | Network Residential Proxy | Boolean | No | Uses a residential proxy for network - traffic. | + | :--- | :--- | :--- | :--- | - | Network Residential Proxy Geo | String | No | Specifies the geolocation for - the residential proxy. | + | Timeout In Seconds | string | No | Select task completion time. Size range: + 10-660 seconds. Default: 240. | + | Change to valid extension | boolean | No | Automatically change file extension + to valid. Default: true. | - ### Additional Notes + | Command line | string | No | Optional command-line arguments for the analyzed + object. | - - This action operates on the **first attachment** found in the Google SecOps - case. If no attachments are present, the action will fail. + | System's language | string | No | Operation system's language. Default: en-US. + | - - It requires a valid ANY.RUN Sandbox API Key to be configured in the integration - settings. + | User Tags | string | No | Add user tags. Default: secops-alert. | - - The action results in both a new attachment (HTML report) and case comments - (analysis link and IOC summary). + | Analysis Privacy Type | ddl | No | Privacy settings. Supports: bylink, byteam, + public, owner. Default: bylink. | + | Network Connect | boolean | No | Enable network connection. Default: true. | - ### Flow Description + | Network Fakenet | boolean | No | Enable FakeNet feature. Default: false. | - 1. **Initialization:** Retrieves the ANY.RUN API key and SSL configuration from - the integration settings. + | Network Tor | boolean | No | Enable TOR using. Default: false. | - 2. **Attachment Retrieval:** Fetches the first available attachment from the current - case context. + | Network Geo | string | No | TOR geolocation option. Default: fastest. | - 3. **Task Submission:** Submits the file to the ANY.RUN Android sandbox using - the specified environment, network, and privacy parameters. + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy using. Default: false. + | - 4. **Interactive Link:** Immediately posts a case comment containing the URL to - the live interactive analysis in ANY.RUN. + | Network Residential Proxy | boolean | No | Residential proxy using. Default: + false. | - 5. **Status Monitoring:** Polls the ANY.RUN API to monitor the progress of the - analysis task. + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. Default: fastest. | - 6. **Report Retrieval:** Once complete, downloads the HTML version of the analysis - report. - 7. **Internal Mutation (Attachment):** Saves the HTML report as a new attachment - on the Google SecOps case wall. + ### Additional Notes - 8. **IOC Processing:** Fetches IOC data; if suspicious or malicious indicators - are found, it formats and posts them as a summary comment in the case. + This action requires an API key for the ANY.RUN Sandbox to be configured in the + integration settings. It operates on case attachments and does not require specific + entity types to be present in the case. capabilities: can_create_case_comments: true can_create_insight: false @@ -101,14 +109,21 @@ File Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform - for processing. + Submits a file to the ANY.RUN sandbox for analysis, creating a new task. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case wall containing analysis links and IOC summaries, - and uploads the generated HTML report as a new case attachment. + Adds the analysis report as an attachment to the case wall and adds comments + to the case. + reasoning: >- + The action submits a file to the ANY.RUN sandbox (external mutation), polls + for status, retrieves the report, and extracts IOCs. It adds comments and attachments + to the case (internal mutation). categories: enrichment: false + reasoning: >- + The action creates a task in an external system (ANY.RUN), which constitutes + a mutation of external data. Therefore, it does not meet the criteria for an + Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -124,110 +139,152 @@ File Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`, + not on `target_entities`. Therefore, it does not run on any specific entity + types. File Linux Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis, which matches the 'Submit + File' category. It also adds comments to the case, matching 'Add Alert Comment'. + It does not perform enrichment, blocking, or other listed operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **File Linux Analysis** action automates the submission of file attachments - to the ANY.RUN sandbox for behavioral analysis within a Linux environment (Ubuntu - or Debian). It allows security analysts to safely execute suspicious files, observe - their network activity, and retrieve detailed forensic reports directly within - Google SecOps. + This action performs automated file analysis by submitting case attachments to + the ANY.RUN sandbox. It allows analysts to execute files in a controlled Linux + environment to observe behavior, retrieve threat intelligence, and generate detailed + analysis reports. The action supports various configuration options, including + OS selection, network settings (e.g., Tor, Proxy), and privacy settings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts the ANY.RUN API key and configuration parameters + (e.g., OS version, network settings). - | :--- | :--- | :--- | :--- | + 2. **Attachment Retrieval**: Fetches the first available attachment from the current + case. - | **Env Os** | DDL | Yes | Specifies the Linux distribution for the analysis (ubuntu - or debian). | + 3. **Submission**: Submits the attachment to the ANY.RUN sandbox for analysis + using the specified configuration. - | **StartFolder** | DDL | No | The directory where the file will be placed (desktop, - home, downloads, temp). | + 4. **Monitoring**: Polls the sandbox task status until completion. - | **Run As Root** | Boolean | No | If true, executes the file with superuser privileges. - | + 5. **Reporting**: Retrieves the HTML analysis report and any identified Indicators + of Compromise (IOCs). - | **Timeout In Seconds** | String | No | Duration of the analysis (10 to 660 seconds). - Default is 240. | + 6. **Internal Update**: Saves the HTML report as an attachment to the case wall + and adds a comment containing the analysis link and a summary of identified IOCs. - | **Change to valid extension** | Boolean | No | Automatically renames the file - to a valid extension if necessary. | - | **Command line** | String | No | Optional arguments to pass to the file during - execution. | + ### Parameters Description - | **System's language** | String | No | The locale/language of the OS (e.g., 'en-US'). - | + | Parameter | Type | Mandatory | Description | - | **User Tags** | String | No | Custom tags for the ANY.RUN task (max 8 tags, - 16 chars each). | + | :--- | :--- | :--- | :--- | - | **Analysis Privacy Type** | DDL | No | Sets visibility of the task (public, - bylink, owner, byteam). | + | Env Os | ddl | Yes | The operating system version for the sandbox (e.g., ubuntu, + debian). | - | **Network Connect** | Boolean | No | Enables or disables internet access for - the VM. | + | StartFolder | ddl | No | The folder where the file will be placed (e.g., desktop, + home, downloads, temp). | - | **Network Fakenet** | Boolean | No | Enables FakeNet to simulate network services. + | Run As Root | boolean | No | If true, executes the file with superuser privileges. | - | **Network Tor** | Boolean | No | Routes traffic through the TOR network. | + | Timeout In Seconds | string | No | The duration to wait for task completion + (10-660 seconds). | - | **Network Geo** | String | No | Geolocation for TOR exit nodes (e.g., 'US'). - | + | Change to valid extension | boolean | No | Automatically renames the file to + a valid extension if necessary. | - | **Network Mitm** | Boolean | No | Enables HTTPS Man-In-The-Middle proxying. + | Command line | string | No | Optional command-line arguments for the file execution. | - | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for - network traffic. | + | System's language | string | No | The locale identifier for the sandbox OS (e.g., + en-US). | - | **Network Residential Proxy Geo** | String | No | Geolocation for the residential - proxy. | + | User Tags | string | No | Tags to associate with the analysis task. | + | Analysis Privacy Type | ddl | No | Privacy settings for the analysis (public, + bylink, owner, byteam). | - ### Additional Notes + | Network Connect | boolean | No | Enables network connectivity for the sandbox. + | - - This action requires at least one attachment to be present in the Google SecOps - case. It processes the first attachment found. + | Network Fakenet | boolean | No | Enables the FakeNet feature. | - - The action provides a direct link to the interactive ANY.RUN session in the - case comments. + | Network Tor | boolean | No | Enables TOR for network traffic. | + | Network Geo | string | No | Geolocation for TOR traffic. | - ### Flow Description + | Network Mitm | boolean | No | Enables HTTPS MITM Proxy. | - 1. **Attachment Retrieval:** Fetches the first available attachment from the current - case. + | Network Residential Proxy | boolean | No | Enables residential proxy usage. + | - 2. **Sandbox Submission:** Uploads the file to ANY.RUN using the Linux connector - with the configured OS and network parameters. + | Network Residential Proxy Geo | string | No | Geolocation for residential proxy. + | - 3. **Task Monitoring:** Polls the ANY.RUN API to monitor the status of the analysis. - 4. **Report Retrieval:** Once complete, it downloads the HTML analysis report - and extracts Indicators of Compromise (IOCs). + ### Additional Notes - 5. **Case Enrichment:** Saves the HTML report to the Case Wall and adds comments - containing the task URL and a summary of malicious/suspicious IOCs. + This action operates on case attachments rather than specific entities. It requires + a valid ANY.RUN API key configured in the integration settings. capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Creates a new analysis task and uploads a file to the ANY.RUN sandbox environment. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case and uploads the HTML analysis report as an attachment - to the case wall. + Adds an HTML analysis report as an attachment to the case wall and appends comments + with analysis results and IOCs. + reasoning: >- + The action submits a file to an external sandbox (ANY.RUN) for analysis, which + is a 'Submit File' operation. It fetches the resulting report and IOCs (fetches_data=true). + It does not mutate external production systems (e.g., blocking/quarantine). + It mutates internal SOAR data by adding attachments to the case wall and adding + comments to the case. categories: enrichment: false + reasoning: >- + The action is primarily a 'Submit File' operation. While it retrieves data, + it creates a task in an external system (ANY.RUN), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -243,15 +300,51 @@ File Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`. + It does not iterate over or filter `target_entities`. File Windows Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis, which matches the 'Submit + File' category. It also adds comments to the case, matching 'Add Alert Comment'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Performs automated malware analysis of file attachments using ANY.RUN's Windows - sandbox environment. This action allows security analysts to submit suspicious - files directly from a Google SecOps case to ANY.RUN, where they are executed in - a controlled virtual machine to observe behavior, network activity, and potential - threats. + This action performs a file analysis using the ANY.RUN Windows sandbox. It retrieves + a file attachment from the current case, submits it to the ANY.RUN sandbox for + automated analysis with configurable environment settings, and then processes + the results. The action provides visibility into the file's behavior by adding + a link to the interactive analysis, saving the full HTML report as a case attachment, + and summarizing any suspicious or malicious indicators (IOCs) found during the + analysis as a case comment. ### Parameters Description @@ -260,89 +353,85 @@ File Windows Analysis: | :--- | :--- | :--- | :--- | - | Environment Version | DDL | No | Specifies the Windows OS version (7, 10, or - 11). Default is 10. | + | Environment Version | ddl | No | OS version for the sandbox environment. Supports + 7, 10, 11. | - | Environment Bitness | DDL | No | Specifies the OS architecture (32 or 64 bit). - Default is 64. | + | Environment Bitness | ddl | No | OS bitness for the sandbox environment. Supports + 32, 64. | - | Environment Type | DDL | No | Selects the environment preset. 'development' - is only for Windows 10 x64; 'complete' is required for others. | + | Environment Type | ddl | No | Environment preset type. Use 'development' for + Windows 10 x64, otherwise 'complete'. | - | File Force Elevation | Boolean | No | If true, forces the file to execute with - administrative privileges (PE files only). | + | File Force Elevation | boolean | No | If true, executes the file with elevated + privileges (for PE files). | - | StartFolder | DDL | No | The directory where the file will be executed (e.g., - temp, desktop, downloads). | + | StartFolder | ddl | No | The folder where the file will be executed. Supports + desktop, home, downloads, appdata, temp, windows, root. | - | Timeout In Seconds | String | No | The duration of the analysis task (10-660 - seconds). Default is 240. | + | Timeout In Seconds | string | No | Task completion time. Range: 10-660 seconds. + | - | Change to valid extension | Boolean | No | Automatically corrects the file extension - to match the file type. | + | Change to valid extension | boolean | No | If true, automatically changes the + file extension to a valid one. | - | Command line | String | No | Optional arguments to pass to the file during execution. - | + | Command line | string | No | Optional command-line arguments for the analyzed + file. | - | System's language | String | No | Sets the OS locale (e.g., 'en-US'). | + | System's language | string | No | The OS language (e.g., 'en-US'). | - | User Tags | String | No | Custom tags for the ANY.RUN task (max 8 tags, 16 chars - each). | + | User Tags | string | No | User-defined tags for the task. | - | Analysis Privacy Type | DDL | No | Sets visibility of the task (public, bylink, - owner, byteam). | + | Analysis Privacy Type | ddl | No | Privacy settings for the analysis. Supports: + bylink, byteam, public, owner. | - | Network Connect | Boolean | No | Enables or disables network connectivity for - the sandbox. | + | Network Connect | boolean | No | If true, enables network connectivity during + analysis. | - | Network Fakenet | Boolean | No | Enables the FakeNet feature to simulate network - services. | + | Network Fakenet | boolean | No | If true, enables the FakeNet feature. | - | Network Tor | Boolean | No | Routes sandbox traffic through the TOR network. - | + | Network Tor | boolean | No | If true, enables TOR usage. | - | Network Geo | String | No | Specifies the TOR exit node location (e.g., 'US'). - | + | Network Geo | string | No | TOR geolocation option (e.g., US, AU). | - | Network Mitm | Boolean | No | Enables HTTPS Man-In-The-Middle proxy for traffic - inspection. | + | Network Mitm | boolean | No | If true, enables HTTPS MITM proxy. | - | Network Residential Proxy | Boolean | No | Uses a residential proxy for the - sandbox connection. | + | Network Residential Proxy | boolean | No | If true, enables residential proxy + usage. | - | Network Residential Proxy Geo | String | No | Specifies the residential proxy - location. | + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option (e.g., US, AU). | ### Additional Notes - * This action does not run on specific entities (like IP or Hostname) but instead - processes **attachments** associated with the current case. + - The action requires at least one file attachment to be present in the case to + execute successfully. - * At least one attachment must be present in the case for the action to execute - successfully. + - The action interacts with the ANY.RUN API to submit files and retrieve reports. ### Flow Description - 1. **Attachment Retrieval:** The action fetches the first available attachment - from the Google SecOps case. + 1. **Configuration Extraction**: Retrieves the API key and proxy settings from + the integration configuration. + + 2. **Attachment Retrieval**: Fetches the file attachment from the current case. + + 3. **File Submission**: Submits the file to the ANY.RUN sandbox using the provided + environment and network parameters. - 2. **Task Submission:** It uploads the file to the ANY.RUN API, creating a new - Windows analysis task with the configured environment and network settings. + 4. **Comment Generation**: Adds a case comment containing a link to the interactive + analysis on the ANY.RUN platform. - 3. **Monitoring:** The action polls the ANY.RUN service to monitor the status - of the analysis. + 5. **Status Polling**: Polls the sandbox for the analysis task status until completion. - 4. **Reporting:** Once complete, it retrieves the full HTML analysis report and - saves it as a new attachment to the case wall. + 6. **Report Processing**: Retrieves the HTML analysis report and saves it as a + case wall attachment. - 5. **IOC Extraction:** It fetches identified Indicators of Compromise (IOCs) and - posts a summary comment to the case wall, highlighting suspicious or malicious - findings. + 7. **IOC Extraction**: Identifies suspicious or malicious IOCs from the report + and appends them to the case as a summary comment. - 6. **Verdict:** The action concludes by providing the final analysis verdict (e.g., - Malicious, Suspicious, Clean) as the action result. + 8. **Verdict Return**: Returns the final analysis verdict to the user. capabilities: can_create_case_comments: true can_create_insight: false @@ -351,14 +440,23 @@ File Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform - for processing. + Submits a file to the ANY.RUN sandbox for analysis, creating a new analysis + task. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case wall containing analysis links and IOC summaries, - and saves the HTML analysis report as a case attachment. + Adds analysis reports as attachments to the case wall and appends comments with + analysis links and IOC summaries. + reasoning: >- + The action interacts with the ANY.RUN sandbox to submit a file for analysis + (can_mutate_external_data=true). It fetches the analysis report and IOCs (fetches_data=true). + It modifies the internal case by adding comments and attachments (can_mutate_internal_data=true, + can_create_case_comments=true). It does not update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Submit File' action. It performs an active analysis by submitting + a file to an external sandbox, which creates a task. It is not an enrichment + action because it creates a task in an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -374,64 +472,56 @@ File Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`, + not on `target_entities`. Therefore, it does not use any entity types. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any functional + operations such as enrichment, containment, or ticket management. Therefore, + it does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity between Google SecOps and the ANY.RUN Sandbox service. - This action is used to verify that the integration is correctly configured and - can successfully communicate with the ANY.RUN API. - - - ### Parameters Description - - This action does not take any action-specific parameters. It relies on the following - integration configuration parameters: - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | ANYRUN Sandbox API KEY | String | Yes | The API key used to authenticate with - the ANY.RUN Sandbox service. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN API. | - - | Enable proxy | Boolean | No | If enabled, the action will use the configured - proxy to connect to the ANY.RUN API. | - - | Proxy host | String | No | The hostname or IP address of the proxy server. Required - if 'Enable proxy' is true. | - - | Proxy port | String | No | The port of the proxy server. Required if 'Enable - proxy' is true. | - - - ### Additional Notes - - - This is a standard 'Ping' action used for troubleshooting connectivity and credential - issues. - - - The action will fail if the API key is invalid or if the network connection - (including proxy settings) is misconfigured. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the API key, SSL verification - setting, and proxy configuration from the integration's global settings. - - 2. **Proxy Validation (Optional)**: If the 'Enable proxy' setting is true, the - action attempts to validate the proxy connection using the provided host and port. - - 3. **Authorization Check**: The action makes a request to the ANY.RUN Sandbox - API to verify the validity of the provided API key. - - 4. **Result Reporting**: If the authorization check is successful, the action - logs a success message and completes. If an error occurs (e.g., authentication - failure or network timeout), the action logs the error and fails. + General description: This action tests the connectivity between the SOAR platform + and the ANYRUN Sandbox service. It validates the provided API key and, if configured, + verifies the proxy connection settings. Parameters description: 1. ANYRUN Sandbox + API KEY (String, Mandatory): The API key used for authentication. 2. Verify SSL + (Boolean, Optional): Whether to verify SSL certificates. 3. Enable proxy (Boolean, + Optional): Whether to use a proxy. 4. Proxy host (String, Optional): The proxy + server hostname. 5. Proxy port (String, Optional): The proxy server port. Additional + notes: The 'Proxy host' and 'Proxy port' parameters are required if 'Enable proxy' + is set to true. Flow description: 1. The action extracts the configuration parameters. + 2. If 'Enable proxy' is enabled, it validates the proxy connection using the provided + host and port. 3. It then validates the API key by calling the ANYRUN Sandbox + authorization endpoint. 4. Finally, it logs the success or failure of the connection + and terminates the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -442,8 +532,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check to the ANYRUN Sandbox service by validating + the API key and optionally checking proxy settings. It does not fetch contextual + data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the provided + rules, actions named 'Ping' must not be categorized as enrichment actions. It + does not fetch data or perform any other enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -459,15 +557,50 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with any entities. It is a standalone + utility action for testing connectivity. URL Android Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis, which creates + a new task record in the external system. This matches the 'Submit File' category. + It also adds comments to the case with the analysis results, matching 'Add Alert + Comment'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **URL Android Analysis** action submits one or more URLs to the ANY.RUN Sandbox - for automated analysis using an Android virtual machine. This action is designed - to observe the behavior of URLs in a mobile environment, providing detailed threat - intelligence, including HTML reports, Indicators of Compromise (IOCs), and a final - analysis verdict. + Performs URL analysis using an Android VM in the ANY.RUN sandbox. This action + submits a URL for dynamic analysis, monitors the task status, retrieves the analysis + report, and extracts identified IOCs. It provides visibility into potentially + malicious URLs by executing them in a controlled environment. ### Parameters Description @@ -476,68 +609,66 @@ URL Android Analysis: | :--- | :--- | :--- | :--- | - | **Url** | String | Yes | The URL(s) to be analyzed. Defaults to `[Entity.Identifier]`. - Multiple URLs can be provided as a comma-separated list. | + | Url | string | Yes | The destination URL(s) to analyze. Can be provided as a + direct URL or an entity identifier. | - | **Timeout In Seconds** | String | No | The duration for the analysis task, ranging - from 10 to 660 seconds. Default is 120. | + | Timeout In Seconds | string | No | Task completion time (10-660 seconds). Default + is 120. | - | **Command line** | String | No | Optional command-line arguments for the analyzed + | Command line | string | No | Optional command-line arguments for the analyzed object. | - | **System's language** | String | No | The operating system's locale or country - name (e.g., 'en-US'). | - - | **User Tags** | String | No | Custom tags to categorize the task in ANY.RUN - (max 8 tags, 16 chars each). | + | System's language | string | No | Operation system's language (e.g., 'en-US'). + | - | **Analysis Privacy Type** | DDL | No | Privacy level for the task: `public`, - `bylink`, `owner`, or `byteam`. Default is `bylink`. | + | User Tags | string | No | User tags for the task. | - | **Network Connect** | Boolean | No | Enables network connectivity for the analysis - VM. Default is `true`. | + | Analysis Privacy Type | ddl | No | Privacy settings (public, bylink, owner, + byteam). Default is 'bylink'. | - | **Network Fakenet** | Boolean | No | Enables the FakeNet feature to simulate - network services. | + | Network Connect | boolean | No | Enable network connection. Default is 'true'. + | - | **Network Tor** | Boolean | No | Routes VM traffic through the TOR network. + | Network Fakenet | boolean | No | Enable FakeNet feature. Default is 'false'. | - | **Network Geo** | String | No | Geolocation for TOR or proxy exit nodes (e.g., - 'US', 'AU'). | + | Network Tor | boolean | No | Enable TOR. Default is 'false'. | - | **Network Mitm** | Boolean | No | Enables HTTPS MITM Proxy for traffic inspection. - | + | Network Geo | string | No | TOR geolocation option. Default is 'fastest'. | + + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. Default is 'false'. | - | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for - the analysis. | + | Network Residential Proxy | boolean | No | Enable residential proxy. Default + is 'false'. | - | **Network Residential Proxy Geo** | String | No | Geolocation for the residential - proxy. | + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. Default is 'fastest'. | ### Flow Description - 1. **Setup**: Extracts API credentials and configuration settings for the ANY.RUN - Sandbox. + 1. Extracts configuration (API key, SSL settings) and action parameters (URL, + timeout, network settings). + + 2. Connects to the ANY.RUN sandbox using the provided credentials. + + 3. Submits the URL for analysis. + + 4. Adds a comment to the case with the link to the interactive analysis. - 2. **Task Submission**: Submits the target URL(s) to the ANY.RUN API to initiate - an Android-based analysis task. + 5. Monitors the task status until completion. - 3. **Interactive Link**: Immediately adds a case comment with a link to the live - interactive analysis on the ANY.RUN platform. + 6. Downloads the HTML analysis report and saves it as a case wall attachment. - 4. **Status Polling**: Monitors the task status until the analysis is complete. + 7. Retrieves identified IOCs and adds them as a comment. - 5. **Report Retrieval**: Downloads the final analysis report in HTML format and - attaches it to the Google SecOps Case Wall. + 8. Retrieves the final analysis verdict and adds it as a comment. - 6. **IOC Extraction**: Retrieves detected Indicators of Compromise (IOCs). If - any are classified as suspicious or malicious, a summary is added to the case - comments. - 7. **Final Verdict**: Fetches the final analysis verdict and adds a concluding - comment to the case with the analysis status. + ### Additional Notes + + The action requires an API key for the ANY.RUN sandbox. The 'Url' parameter is + mandatory and can be provided as a direct URL or an entity identifier. capabilities: can_create_case_comments: true can_create_insight: false @@ -546,51 +677,24 @@ URL Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox, which creates a new analysis task/resource - on the external platform. + Submits a URL to the ANY.RUN sandbox for analysis, which creates a new task + record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case and saves the analysis report as an attachment - to the case wall. + Adds analysis reports as case wall attachments and adds comments to the case + with analysis results and IOCs. + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis (mutating external + data), monitors the task status, retrieves the analysis report, and extracts + identified IOCs (fetches data). It also adds comments to the case and saves + the report as a case wall attachment (mutating internal data). categories: enrichment: false + reasoning: >- + The action creates a task in an external sandbox (mutating external data), so + it cannot be an Enrichment action. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -604,112 +708,106 @@ URL Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code extracts the 'Url' parameter directly using `extract_action_param`. + It does not iterate over `siemplify.target_entities` or perform any entity-specific + filtering logic. Therefore, it does not run on entities. URL Linux Analysis: - ai_description: >- - ### General Description - - Submits one or more URLs to the ANY.RUN Sandbox for automated analysis using a - Linux virtual machine. This action allows security analysts to safely investigate - suspicious URLs in a controlled environment, providing detailed reports on network - activity, file modifications, and threat indicators. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | Url | The destination URL(s) to analyze. Supports a comma-separated list of - URLs. Defaults to the identifier of the entity in scope. | String | Yes | - - | Machine Os | The Linux operating system version to use for the analysis. Supported - values: `ubuntu`, `debian`. | DDL | Yes | - - | Browser | The web browser to use for the analysis. Supported values: `Google - Chrome`, `Mozilla Firefox`. | DDL | Yes | - - | Timeout In Seconds | The duration of the analysis task in the sandbox. Range: - 10-660 seconds. Default is 120. | String | No | - - | Command line | Optional command-line arguments to be passed to the analyzed - object. | String | No | - - | System's language | The language/locale of the sandbox operating system (e.g., - 'en-US' or 'Brazil'). | String | No | - - | User Tags | Custom tags to associate with the analysis task. Max 8 unique tags, - 16 characters each. | String | No | - - | Analysis Privacy Type | Privacy level for the analysis task. Supported values: - `public`, `bylink`, `owner`, `byteam`. | DDL | No | - - | Network Connect | Enables or disables network connectivity within the sandbox. - | Boolean | No | - - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | Boolean | No | - - | Network Tor | Enables the use of the TOR network for analysis. | Boolean | No - | - - | Network Geo | Specifies the TOR geolocation (e.g., 'US', 'AU'). Default is 'fastest'. - | String | No | - - | Network Mitm | Enables an HTTPS MITM (Man-In-The-Middle) proxy. | Boolean | - No | - - | Network Residential Proxy | Enables the use of a residential proxy. | Boolean - | No | - - | Network Residential Proxy Geo | Specifies the residential proxy geolocation - (e.g., 'US', 'AU'). Default is 'fastest'. | String | No | - - - ### Flow Description - - 1. **Initialization**: The action extracts the ANY.RUN API key and SSL verification - settings from the integration configuration. - - 2. **URL Parsing**: It retrieves the `Url` parameter and splits it by commas to - handle multiple URLs in a single execution. - - 3. **Task Submission**: For each URL, it initiates a Linux-based analysis task - in ANY.RUN using the specified OS, browser, and network configuration parameters. - - 4. **Interactive Link**: A comment is added to the Google SecOps case containing - a direct link to the interactive analysis task on the ANY.RUN platform. - - 5. **Monitoring**: The action polls the ANY.RUN API to monitor the status of the - analysis task until completion. - - 6. **Report Retrieval**: Once finished, it downloads the full HTML analysis report - and attaches it to the Case Wall. - - 7. **IOC Summary**: It fetches the Indicator of Compromise (IOC) report. If any - malicious or suspicious indicators are found, it adds a summary comment to the - case. - - 8. **Verdict**: Finally, it retrieves the analysis verdict and adds a concluding - comment with the final status of the URL analysis. + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a URL for analysis, which matches the 'Submit File' category + (as it submits an object for analysis). It also returns threat intelligence + (IOCs) for the indicator, matching 'Enrich IOC'. Finally, it adds comments to + the case, matching 'Add Alert Comment'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action submits a URL to the ANY.RUN\ + \ sandbox for analysis on a Linux VM. It retrieves the analysis report (HTML)\ + \ and identified indicators of compromise (IOCs), saves the report as an attachment\ + \ to the case wall, and adds comments with the analysis link and a summary of\ + \ identified malicious or suspicious indicators.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: Extracts the ANY.RUN API key and SSL verification settings from\ + \ the integration configuration.\n2. **Parameter Extraction**: Extracts the target\ + \ URL(s) and analysis options (OS, browser, network settings, etc.) from the action\ + \ parameters.\n3. **Sandbox Submission**: For each URL, initializes the `SandboxConnector`\ + \ and submits the URL for analysis on a Linux VM.\n4. **Reporting**: \n - Adds\ + \ a comment to the case with the link to the interactive ANY.RUN analysis.\n \ + \ - Waits for the task status.\n - Retrieves the analysis report in HTML\ + \ format and saves it as an attachment to the case wall.\n - Retrieves the\ + \ IOC report and adds a summary comment to the case.\n - Adds a final comment\ + \ with the overall analysis verdict.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Url | string\ + \ | Yes | The destination URL(s) to analyze. Defaults to `[Entity.Identifier]`.\ + \ |\n| Machine Os | ddl | Yes | The operating system version for the sandbox (e.g.,\ + \ ubuntu, debian). |\n| Browser | ddl | Yes | The browser to use for analysis\ + \ (e.g., Google Chrome, Mozilla Firefox). |\n| Timeout In Seconds | string | No\ + \ | The task completion time (10-660 seconds). |\n| Command line | string | No\ + \ | Optional command-line arguments for the analyzed object. |\n| System's language\ + \ | string | No | The OS language (e.g., 'en-US'). |\n| User Tags | string | No\ + \ | User tags for the task. |\n| Analysis Privacy Type | ddl | No | Privacy settings\ + \ for the analysis (public, bylink, owner, byteam). |\n| Network Connect | boolean\ + \ | No | Enable network connection. |\n| Network Fakenet | boolean | No | Enable\ + \ FakeNet feature. |\n| Network Tor | boolean | No | Enable TOR usage. |\n| Network\ + \ Geo | string | No | TOR geolocation option. |\n| Network Mitm | boolean | No\ + \ | Enable HTTPS MITM Proxy. |\n| Network Residential Proxy | boolean | No | Enable\ + \ residential proxy. |\n| Network Residential Proxy Geo | string | No | Residential\ + \ proxy geolocation option. |\n\n### Additional Notes\n- The action processes\ + \ multiple URLs if provided as a comma-separated string.\n- The action relies\ + \ on the `ANYRUN-Sandbox` integration configuration for API credentials and proxy\ + \ settings." capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Creates a new analysis task resource in the ANY.RUN sandbox environment for - every URL submitted. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case and attaches an HTML analysis report to the - case wall. + The action adds comments and saves HTML reports as attachments to the case wall + within Google SecOps. + reasoning: >- + The action fetches analysis reports and IOC data from the ANY.RUN sandbox (fetches_data=true). + It does not mutate external security controls (can_mutate_external_data=false). + It performs internal mutations by adding comments and saving attachments to + the case wall (can_mutate_internal_data=true, can_create_case_comments=true). + It does not update entities, create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it proactively fetches analysis data + (reports, IOCs) from an external sandbox and adds this context to the case via + comments and attachments. It does not mutate external systems (e.g., blocking) + and only performs allowed internal mutations (adding comments/attachments). entity_usage: - entity_types: [] + entity_types: + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -723,113 +821,142 @@ URL Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the 'Url' parameter, which defaults to '[Entity.Identifier]'. + It processes the URL provided, which corresponds to the 'DestinationURL' entity + type. URL Windows Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a URL to a sandbox for analysis, which matches the 'Submit + File' category (as it is an analysis submission). It also adds comments to the + case, matching 'Add Alert Comment'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Submits URLs to the ANY.RUN Sandbox for automated and interactive analysis using - a Windows Virtual Machine. This action allows security analysts to safely execute - and observe the behavior of suspicious links in a controlled environment, providing - detailed reports on network activity, process execution, and threat indicators. - - - ### Parameters Description + This action performs URL analysis using a Windows VM in the ANY.RUN Sandbox. It + submits a specified URL for interactive analysis, retrieves the resulting report + (HTML) and any identified indicators of compromise (IOCs), and updates the case + with the analysis results, including a link to the interactive report, a summary + of malicious/suspicious IOCs, and the full analysis report as a case wall attachment. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Url | String | Yes | The destination URL(s) to analyze. Supports comma-separated - values. Defaults to the entity identifier. | + 1. **Configuration Extraction**: Extracts the ANY.RUN API key, SSL verification + settings, and proxy configuration. - | Browser | DDL | Yes | The browser used for the analysis (Microsoft Edge, Google - Chrome, Mozilla Firefox, Internet Explorer). | + 2. **Parameter Extraction**: Extracts the target URL(s) and analysis options (browser, + timeout, network settings, etc.) from the action parameters. - | Timeout In Seconds | String | No | Task completion time (10-660 seconds). Default - is 120. | + 3. **Analysis Submission**: Iterates through the provided URLs and submits each + to the ANY.RUN Sandbox for analysis using the `SandboxConnector`. - | Command line | String | No | Optional command-line arguments for the analyzed - object. | + 4. **Case Commenting**: Adds a comment to the case containing a link to the interactive + ANY.RUN analysis task. - | System's language | String | No | Operation system's language (e.g., 'en-US' - or 'Brazil'). | + 5. **Report Retrieval**: Fetches the analysis report in HTML format and saves + it as a case wall attachment. - | User Tags | String | No | Custom tags for the task (max 8 unique tags, 16 characters - each). | + 6. **IOC Processing**: Retrieves IOCs from the analysis report and adds a summary + comment to the case if any suspicious or malicious indicators are found. - | Analysis Privacy Type | DDL | No | Privacy settings for the analysis (public, - bylink, owner, byteam). | + 7. **Verdict Logging**: Retrieves and logs the final analysis verdict to the case. - | Network Connect | Boolean | No | Enable network connection during analysis. - | - | Network Fakenet | Boolean | No | Enable FakeNet feature to simulate network - services. | + ### Parameters Description - | Network Tor | Boolean | No | Enable TOR for network traffic. | + | Parameter | Type | Mandatory | Description | - | Network Geo | String | No | TOR geolocation option (e.g., US, AU). | + | :--- | :--- | :--- | :--- | - | Network Mitm | Boolean | No | Enable HTTPS MITM Proxy for traffic inspection. - | + | Url | string | Yes | The destination URL(s) to analyze. | - | Network Residential Proxy | Boolean | No | Use a residential proxy for the analysis. - | + | Browser | ddl | Yes | The browser to use for analysis (e.g., Microsoft Edge, + Google Chrome). | - | Network Residential Proxy Geo | String | No | Residential proxy geolocation - option. | + | Timeout In Seconds | string | No | Task completion time (10-660 seconds). | + | Command line | string | No | Optional command-line arguments for the analyzed + object. | - ### Additional Notes + | System's language | string | No | The operating system's language (e.g., 'en-US'). + | - - The action can process multiple URLs simultaneously if they are provided as - a comma-separated list in the `Url` parameter. + | User Tags | string | No | User tags for the task. | - - While the action is designed to work with URL entities via the `[Entity.Identifier]` - placeholder, it processes the input as a string and does not directly modify entity - attributes. + | Analysis Privacy Type | ddl | No | Privacy settings (e.g., public, bylink). + | + | Network Connect | boolean | No | Enable network connection. | - ### Flow Description + | Network Fakenet | boolean | No | Enable FakeNet feature. | - 1. **Initialization**: Retrieves the API key and SSL verification settings from - the integration configuration. + | Network Tor | boolean | No | Enable TOR usage. | - 2. **Input Parsing**: Extracts the target URL(s) from the action parameters. + | Network Geo | string | No | TOR geolocation option. | - 3. **Task Submission**: For each URL, it initiates a Windows-based analysis task - in the ANY.RUN sandbox using the specified browser, timeout, and network configurations. + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. | - 4. **Interactive Link**: Immediately adds a case comment containing a direct link - to the ANY.RUN interactive analysis session. + | Network Residential Proxy | boolean | No | Enable residential proxy. | - 5. **Monitoring**: Polls the ANY.RUN API to monitor the status of the analysis - task. + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. | - 6. **Report Retrieval**: Once the analysis is complete, it fetches the full HTML - report and attaches it to the Google SecOps Case Wall. - 7. **IOC Extraction**: Retrieves identified Indicators of Compromise (IOCs) and - posts a summary of suspicious or malicious findings as a case comment. + ### Additional Notes - 8. **Final Verdict**: Fetches the final analysis verdict and status, adding them - as a concluding comment to the case. + - The action does not iterate over `siemplify.target_entities` directly; it extracts + the URL from the action parameters. If the `Url` parameter is set to `[Entity.Identifier]`, + it will use the entity identifier as the URL. capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox to initiate a new interactive analysis - task, which creates a new job/record in the external ANY.RUN environment. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds multiple case comments containing analysis links, IOC summaries, and verdicts. - It also saves and attaches the HTML analysis report to the case wall. + Adds comments to the case and saves the analysis report as a case wall attachment. + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis, which involves + fetching the analysis report and IOCs. It mutates internal data by adding comments + and attachments to the case. It does not mutate external security controls (e.g., + blocking an IP). categories: enrichment: false + reasoning: >- + The action is a sandbox submission task, not a simple enrichment task. It performs + a complex analysis workflow rather than just fetching reputation data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -845,3 +972,8 @@ URL Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts the URL from the action parameters rather than iterating + over `siemplify.target_entities`. Therefore, it does not directly process entities + in the SOAR sense, even though the parameter might be populated by an entity + identifier. diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ad10dd145 --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The anyrun_sandbox integration is primarily a Threat Intelligence tool. Its core + functionality involves submitting files and URLs to an external sandbox environment + to perform dynamic analysis. The expected outcome of these actions is the retrieval + of threat intelligence, such as analysis reports, risk scores, and extracted Indicators + of Compromise (IOCs), which helps analysts confirm if an alert is a True Positive. + It does not perform SIEM log searching, EDR host containment, network blocking, + or identity management. Therefore, it aligns strictly with the Threat Intelligence + category. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml index 02fb019a4..37ea0526a 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml @@ -1,59 +1,78 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the ANY.RUN TI Feeds service. This action verifies that + the provided API credentials and network configuration (including optional proxy + settings) allow for successful communication with the ANY.RUN API. - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the ANY.RUN TI Feeds service. It ensures that the provided API - key is valid and that the network configuration (including optional proxy settings) - allows for successful communication with the ANY.RUN API. + ### Parameters - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate requests - to the ANY.RUN TI Feeds service. | + | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with + the ANY.RUN service. | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN API endpoint. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates during the connection. + | - | Enable proxy | Boolean | No | If enabled, the action will attempt to route the - connection through a proxy server. | + | Enable proxy | Boolean | No | Whether to route the connection through a proxy + server. | | Proxy host | String | No | The hostname or IP address of the proxy server. Required - if 'Enable proxy' is true. | + if 'Enable proxy' is enabled. | | Proxy port | String | No | The port number of the proxy server. Required if - 'Enable proxy' is true. | - - - ### Additional Notes - - - This action does not process any entities and is strictly used for configuration - validation. - - - If 'Enable proxy' is selected, both 'Proxy host' and 'Proxy port' must be correctly - configured in the integration settings. + 'Enable proxy' is enabled. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API key, SSL verification - preference, and proxy settings from the integration configuration. + 1. The action extracts the required configuration parameters, including the API + key and network settings. + + 2. If 'Enable proxy' is selected, the action validates the proxy configuration + by attempting a connection to the proxy host. - 2. **Proxy Validation (Optional):** If proxying is enabled, the action first attempts - to establish a connection to the ANY.RUN service through the specified proxy host - and port. + 3. The action initializes the ANY.RUN FeedsConnector using the provided API key + and SSL verification settings. - 3. **Authorization Check:** The action initializes a connection to the ANY.RUN - TI Feeds API and executes a `check_authorization` call to validate the API key. + 4. It executes a connectivity check (authorization test) against the ANY.RUN service. - 4. **Result Reporting:** If the authorization is successful, the action completes - with a success message. If any step fails (e.g., network timeout, invalid key, - proxy error), it catches the exception and reports a failure status. + 5. The action logs the success or failure of the connection and terminates with + the appropriate execution state. capabilities: can_create_case_comments: false can_create_insight: false @@ -64,8 +83,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to verify API access. It does + not fetch contextual data, mutate external systems, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' connectivity test. According to the guidelines, actions + named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -81,3 +107,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..70d7c540b --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration is designed to synchronize threat intelligence indicators (IPs, + URLs, and Domains) from the ANY.RUN sandbox into Google SecOps DataTables. Its + primary purpose is to provide security teams with up-to-date threat data to enhance + detection and investigation capabilities. This aligns directly with the Threat + Intelligence category, which focuses on providing indicators and reputation data + to confirm if an alert is a True Positive. The integration does not perform SIEM + log searching, EDR host analysis, network blocking, or other operational tasks, + so it does not qualify for those categories. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..5f8c528dd --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,36 @@ +ANYRUN TI Feeds: + ai_description: >- + ### General Description + + The ANY.RUN TI Feeds job synchronizes threat intelligence indicators (IPs, URLs, + and Domains) from the ANY.RUN platform into Google SecOps DataTables. This process + ensures that security teams have access to up-to-date threat data for detection + and investigation purposes. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Feed Fetch Depth | String | Yes | Specify feed fetch depth in days. | + + + ### Flow Description + + 1. Authenticates with the ANY.RUN API and Google SecOps using provided credentials. + + 2. Iterates through the configured indicator categories (IP, URL, Domain). + + 3. For each category, checks for the existence of the corresponding DataTable + in Google SecOps. + + 4. Deletes the existing DataTable if it exists to ensure a clean state. + + 5. Creates a new DataTable with the appropriate schema. + + 6. Fetches indicators from ANY.RUN's TAXII/STIX feed, filtered by the specified + Feed Fetch Depth. + + 7. Bulk uploads the retrieved indicators into the Google SecOps DataTable. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml index 9b5471260..bc8f3b7a4 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml @@ -1,58 +1,82 @@ ANYRUN TI Lookup: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (verdict, summary) for indicators, + matching 'Enrich IOC'. It also adds comments to the case, matching 'Add Alert + Comment'. It does not perform any other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Performs threat intelligence lookups against the ANY.RUN service for specified + entities or raw queries. This action retrieves intelligence data, such as threat + levels and summaries, and provides visibility into potential threats. - Performs threat intelligence lookups using the ANY.RUN TI Lookup service. This - action allows users to query for specific entities (IPs, Domains, URLs, Processes, - Filehashes) or provide a raw ANY.RUN query string to retrieve detailed threat - analysis. The results include threat levels (Malicious, Suspicious, Unknown) and - full JSON reports. + ### Flow Description - ### Parameters Description + 1. **Initialization**: Extracts configuration parameters including 'Lookup Depth', + 'Query', 'Identifiers', and 'Types'. - | Parameter | Description | Type | Mandatory | + 2. **Query Processing**: If a raw 'Query' is provided, the action performs a direct + lookup against the ANY.RUN service. - | :--- | :--- | :--- | :--- | + 3. **Entity Processing**: If no raw query is provided, the action parses the 'Identifiers' + and 'Types' parameters. It iterates through the provided entities, mapping them + to supported types (IP, Domain, URL, Hash, Process). - | Lookup Depth | Specify the number of days from the current date for which you - want to lookup. | String | Yes | + 4. **Data Retrieval**: For each valid entity or query, the action connects to + the ANY.RUN service to fetch intelligence data. - | Query | Raw query with necessary filters. Supports condition concatenation with - AND, OR, NOT and Parentheses (). | String | No | + 5. **Reporting**: The action adds a summary comment to the case and saves the + full JSON report as an attachment to the case wall. - | Identifiers | The target case entity identifiers. | String | Yes | - | Types | The target case entity types. | String | Yes | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - The action requires either a raw query or a list of entity identifiers and types. - If the 'Query' parameter is provided, the action will prioritize it and perform - a lookup based on the query string. If 'Query' is empty, the action will iterate - through the provided entities and perform lookups for supported types (Address, - IPSet, DestinationURL, Domain, Process, and Filehash). + | Lookup Depth | string | Yes | Specify the number of days from the current date + for which you want to lookup. | + | Query | string | No | Raw query with necessary filters. Supports condition concatenation + with AND, OR, NOT and Parentheses (). | - ### Flow Description + | Identifiers | string | Yes | The target case entity identifiers. | - 1. **Parameter Extraction**: Retrieve action parameters (Lookup Depth, Query, - Identifiers, Types) and integration settings (API Key, SSL verification). + | Types | string | Yes | The target case entity types. | - 2. **Lookup Mode Selection**: Check if a raw query is provided. If so, proceed - with query lookup; otherwise, process the list of entities. - 3. **API Interaction**: For the query or each supported entity, call the ANY.RUN - TI Lookup API to fetch intelligence data. + ### Additional Notes - 4. **Internal Data Updates**: For each successful lookup: - - Add a comment to the case with a direct link to the ANY.RUN portal. - - Save the complete JSON intelligence report as an attachment to the case - wall. - - Calculate a verdict based on the threat level score. - 5. **Summary Reporting**: Aggregate the results for all processed items into a - summary table and add it as a final comment to the case. + Either a 'Query' or a combination of 'Identifiers' and 'Types' must be provided + for the action to execute successfully. capabilities: can_create_case_comments: true can_create_insight: false @@ -63,9 +87,21 @@ ANYRUN TI Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds lookup URLs and summary reports as comments and case wall attachments. + The action adds comments to the case and saves JSON attachments to the case + wall. + reasoning: >- + The action fetches threat intelligence data from an external service (ANY.RUN) + via GET requests (fetches_data=true). It does not modify external systems (can_mutate_external_data=false). + It performs internal mutations by adding comments to the case and saving attachments + to the case wall (can_mutate_internal_data=true). It does not update entity + fields or create insights (can_update_entities=false, can_create_insight=false). + It adds case comments (can_create_case_comments=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data (enrichment) and does + not modify external systems. It performs allowed internal mutations (adding + comments and attachments). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -78,7 +114,7 @@ ANYRUN TI Lookup: filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -87,29 +123,63 @@ ANYRUN TI Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes entities provided via the 'Identifiers' and 'Types' parameters. + It maps these to supported types defined in the configuration: ADDRESS, IPSET, + DestinationURL, DOMAIN, PROCESS, and FILEHASH. It does not filter entities by + internal attributes like creation time or modification time. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) for the ANY.RUN TI Lookup service. + It does not perform any enrichment, containment, or ticket management. It does + not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description: Tests the connectivity between Google SecOps and the - ANY.RUN TI Lookup service to ensure the integration is correctly configured and - can successfully communicate with the ANY.RUN API. ### Parameters Description: - 1. ANYRUN TI Lookup API KEY (String, Mandatory): The API key required to authenticate - requests to the ANY.RUN TI Lookup service. 2. Verify SSL (Boolean, Optional): - If enabled, the action will verify the SSL certificate of the ANY.RUN API endpoint. - 3. Enable proxy (Boolean, Optional): If enabled, the action will attempt to connect - through the specified proxy server. 4. Proxy host (String, Optional): The hostname - or IP address of the proxy server. Required if 'Enable proxy' is true. 5. Proxy - port (String, Optional): The port number of the proxy server. Required if 'Enable - proxy' is true. ### Additional Notes: This action does not process any entities - or modify any data. If 'Enable proxy' is selected, both 'Proxy host' and 'Proxy - port' must be provided. ### Flow Description: 1. Configuration Extraction: The - action retrieves the API key, SSL verification preference, and proxy settings - from the integration configuration. 2. Proxy Validation (Optional): If proxying - is enabled, the action first tests the connection through the specified proxy - host and port. 3. Authorization Check: The action uses the LookupConnector to - perform an authorization check against the ANY.RUN API using the provided API - key. 4. Result Reporting: If the check is successful, a completion message is - returned. If any step fails (e.g., invalid API key, network timeout), the action - fails and logs the error details. + General Description: This action tests the connectivity between the Google SecOps + environment and the ANY.RUN TI Lookup service. It validates the provided API key + and, if configured, the proxy settings to ensure the integration is properly set + up and reachable. Parameters: | Parameter | Type | Mandatory | Description | | + --- | --- | --- | --- | | ANYRUN TI Lookup API KEY | String | Yes | The API key + used to authenticate with the ANY.RUN service. | | Verify SSL | Boolean | No | + Whether to verify SSL certificates during the connection. | | Enable proxy | Boolean + | No | Whether to route the connection through a proxy. | | Proxy host | String + | No | The hostname or IP address of the proxy server. Required if 'Enable proxy' + is true. | | Proxy port | String | No | The port number of the proxy server. Required + if 'Enable proxy' is true. | Additional Notes: Either the proxy configuration + (Proxy host and Proxy port) must be provided if 'Enable proxy' is set to true, + or the action will fail. Flow Description: 1. Initialize the Siemplify action. + 2. Extract the configuration parameters (API key, SSL verification, proxy settings). + 3. If 'Enable proxy' is enabled, validate the proxy host and port, then test connectivity + through the proxy. 4. If 'Enable proxy' is disabled, test connectivity directly + to the ANY.RUN service using the provided API key. 5. Log the success or failure + of the connectivity test and terminate the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -120,8 +190,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the ANY.RUN service. It does + not fetch contextual data, mutate external or internal data, or interact with + entities. categories: enrichment: false + reasoning: >- + The action is a Ping action, which is explicitly excluded from being an enrichment + action per the instructions. It does not fetch contextual data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -137,3 +214,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the target_entities attribute. It is a standalone + connectivity test. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a1ce70dd5 --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The anyrun_ti_lookup integration is designed specifically to enrich Indicators + of Compromise (IOCs) such as IP addresses, domains, URLs, and file hashes by querying + the ANY.RUN threat intelligence service. This aligns perfectly with the Threat + Intelligence category, as it provides risk scores, threat context, and verdict + data to help analysts confirm if an alert is a True Positive. The integration + does not perform SIEM log analysis, EDR host-level actions, network security blocking, + email management, IAM operations, cloud security monitoring, ITSM ticket management, + vulnerability scanning, asset inventory lookups, or collaboration/human-in-the-loop + workflows. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml index 8c9c3fb52..e28aa6fd1 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml @@ -1,54 +1,88 @@ Enrich Certificates: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (certificate details) for an indicator + (FILEHASH), which matches the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves comprehensive information about SSL/TLS certificates using - the Censys Platform API. It identifies certificates by their SHA-256 fingerprint - and provides detailed intelligence including issuer, subject, validity periods, - and Subject Alternative Names (SANs). + This action enriches FILEHASH entities (specifically SSL/TLS certificate fingerprints) + using the Censys Platform API. It retrieves comprehensive certificate intelligence, + including issuer, subject, validity periods, and Subject Alternative Names (SANs), + and updates the entity's profile within the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action retrieves integration parameters (API Key, Organization + ID, Verify SSL) and initializes the Censys API manager. - | :--- | :--- | :--- | :--- | + 2. **Entity Extraction**: It identifies all FILEHASH entities in the current scope. - | N/A | N/A | N/A | This action does not have any input parameters. It relies - on the global integration configuration (API Key, Organization ID, and Verify - SSL). | + 3. **Validation**: It filters the entities to ensure the certificate IDs (SHA-256 + fingerprints) are in the correct 64-character hexadecimal format. + 4. **API Interaction**: It performs a batch request to the Censys API to fetch + enrichment data for the valid certificate IDs. - ### Additional Notes + 5. **Data Processing**: For each successfully retrieved certificate, it parses + the response, removes any existing enrichment data, and updates the entity's `additional_properties` + with the new intelligence. - This action specifically targets FILEHASH entities. The identifiers must be valid - SHA-256 fingerprints (64 hex characters). If an entity identifier is not a valid - fingerprint, it will be skipped. + 6. **Entity Update**: It updates the entities in the SOAR platform and marks them + as enriched. + 7. **Result Reporting**: It returns a summary message and the raw JSON results + of the enrichment. - ### Flow Description - 1. **Initialization**: The action initializes the Censys API manager using the - integration's global configuration. + ### Parameters Description - 2. **Entity Selection**: It identifies all `FILEHASH` entities within the current - scope. + | Parameter | Type | Mandatory | Description | - 3. **Validation**: It validates that the entity identifiers are valid SHA-256 - fingerprints (exactly 64 hexadecimal characters). + | :--- | :--- | :--- | :--- | - 4. **API Request**: It performs a batch POST request to the Censys `/v3/global/asset/certificate` - endpoint. + | API Key | String | Yes | The API key used to authenticate with the Censys platform. + | - 5. **Data Processing**: For each matching certificate found, it extracts metadata - such as Subject DN, Issuer DN, Common Name, and Validity dates. + | Organization Id | String | Yes | The Organization ID associated with the Censys + account. | - 6. **Internal Update**: It clears any existing Censys enrichment data on the entity, - updates the entity's additional properties with the new data, and marks the entity - as enriched. + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when making + API requests. | - 7. **Completion**: The action returns a summary message and the full raw JSON - results for the case wall. + + ### Additional Notes + + This action specifically targets FILEHASH entities. If no valid FILEHASH entities + are found, the action will terminate without making API calls. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,10 +93,16 @@ Enrich Certificates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with certificate metadata (e.g., issuer, - subject, validity) and sets the 'is_enriched' attribute to true. + Updates entity additional properties and sets the is_enriched flag to true. + reasoning: >- + The action fetches certificate intelligence from Censys and updates the entity's + internal properties within the SOAR platform. It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) and updates internal + entity properties. It does not mutate external systems or perform restricted + internal actions, thus qualifying as an enrichment action. entity_usage: entity_types: - FILEHASH @@ -71,7 +111,7 @@ Enrich Certificates: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -79,15 +119,51 @@ Enrich Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action specifically targets FILEHASH entities. It filters them by type and + validates the identifier format (SHA-256 fingerprint). Enrich IPs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and contextual metadata for IP addresses + from Censys. This aligns with 'Enrich IOC' (reputation/intelligence) and 'Enrich + Asset' (contextual metadata for a resource). It does not perform any other actions + like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches IP Address entities using the Censys Platform API. This action retrieves - comprehensive intelligence about internet-facing infrastructure, including active - services, open ports, protocols, SSL/TLS certificates, known vulnerabilities, - and geographic location data. It is designed to help security teams understand - the attack surface exposure of specific IP addresses. + This action enriches IP Address entities using the Censys Platform API. It retrieves + comprehensive intelligence about internet-facing infrastructure, including services, + ports, protocols, certificates, vulnerabilities, and location data. This data + is then mapped to the entity's additional properties to assist security teams + in understanding their attack surface exposure. ### Parameters Description @@ -96,46 +172,32 @@ Enrich IPs: | :--- | :--- | :--- | :--- | - | At Time | String | No | An RFC3339 formatted timestamp (e.g., `2024-01-15T00:00:00Z`) - used to retrieve historical host data from a specific point in time. If omitted, - the most recent data is returned. | - - - ### Additional Notes - - - This action specifically targets `ADDRESS` entities. Other entity types in the - scope will be ignored. - - - The action performs a batch request to Censys for all valid IP addresses found - in the scope to optimize API usage. - - - Existing Censys-specific enrichment data on the entity is cleared before new - data is applied to ensure accuracy. + | At Time | string | No | RFC3339 Timestamp to view all requested hosts at a specific + point in time. Ensure that you suffix the date with T00:00:00Z or a specific time. + | ### Flow Description 1. **Initialization**: The action initializes the Censys API manager using the - integration's API Key and Organization ID. - - 2. **Entity Filtering**: It identifies all `ADDRESS` entities within the current - SOAR scope. + configured API Key and Organization ID. - 3. **Validation**: It validates the format of the IP addresses and the optional - `At Time` timestamp parameter. + 2. **Entity Retrieval**: It retrieves all IP Address entities from the current + case scope. - 4. **API Request**: A POST request is sent to the Censys `/v3/global/asset/host` - endpoint with the list of valid IP addresses. + 3. **Validation**: It filters the retrieved entities to ensure only valid IP addresses + are processed. - 5. **Data Processing**: For each IP found in the Censys database, the action parses - the response into a structured data model, extracting fields such as ASN, location, - service counts, and threat labels. + 4. **Data Fetching**: It calls the Censys API to fetch host intelligence for the + valid IP addresses, optionally using the provided 'At Time' parameter for historical + data. - 6. **Internal Mutation**: It updates the entity's `additional_properties` with - the retrieved intelligence and sets the `is_enriched` flag to `true`. + 5. **Enrichment**: For each IP, it parses the API response, removes any existing + Censys enrichment data, and updates the entity's `additional_properties` with + the new intelligence. - 7. **Completion**: The action returns a summary message indicating how many IPs - were successfully enriched, not found, or failed to process. + 6. **Finalization**: It updates the entities in the SOAR platform and returns + a summary message and JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,10 +208,18 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Censys enrichment data and sets the - 'is_enriched' flag to true. + Updates entity additional_properties with enrichment data retrieved from Censys. + reasoning: >- + The action fetches data from the Censys API (fetches_data=true). It updates + entity properties within the SOAR platform (can_update_entities=true, can_mutate_internal_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) and updates internal + entity data. It does not mutate external systems or perform unauthorized internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -166,50 +236,84 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses the `get_ip_entities` helper function, which iterates over `siemplify.target_entities` + and filters specifically for `EntityTypes.ADDRESS`. No other entity types are + processed. Enrich Web Properties: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (services, certificates, vulnerabilities) + for web properties (IPs/Domains). This matches 'Enrich IOC' and 'Enrich Asset' + expected outcomes. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Enriches IP Address and Domain entities using the Censys Platform API to retrieve - detailed web property intelligence. The action identifies assets by combining - hostnames or IP addresses with specific ports to provide context on web-facing - services, including HTTP/HTTPS configurations, SSL/TLS certificates, and detected - software technologies. + ### General Description + Enriches web property entities (IPs and Domains) using the Censys Platform API. + This action retrieves detailed intelligence about web-facing assets, including + HTTP/HTTPS services, certificates, technologies, and security configurations. - ### Parameters - | Parameter | Type | Mandatory | Default | Description | + ### Parameters Description - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | Port | String | Yes | 80, 443 | A comma-separated list of ports associated with - the domain or hostname (e.g., '80, 443, 8080'). | + | :--- | :--- | :--- | :--- | - | At Time | String | No | N/A | An RFC3339 formatted timestamp (e.g., '2023-10-01T00:00:00Z') - used to retrieve historical data for the requested hosts at a specific point in - time. | + | Port | string | Yes | Comma-separated ports associated with the domain or hostname + (e.g., "80, 443"). | + + | At Time | string | No | RFC3339 Timestamp to view all requested hosts at a specific + point in time. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the list of ports and the optional historical - timestamp from the action configuration. + 1. Extract integration parameters (API Key, Organization ID, SSL verification). + + 2. Extract action parameters (Ports, optional At Time). + + 3. Identify valid `ADDRESS` and `DOMAIN` entities from the case. - 2. **Entity Filtering:** Identifies valid `ADDRESS` (IP) and `DOMAIN` entities - within the current SOAR scope. + 4. Validate entities and parse the provided ports. - 3. **Identifier Construction:** For every valid entity, it generates a unique - web property identifier for each specified port (e.g., `1.1.1.1:80`, `example.com:443`). + 5. Construct web property IDs (e.g., `hostname:port`). - 4. **External API Query:** Performs a bulk lookup via the Censys API to fetch - enrichment data for all constructed web property identifiers. + 6. Query the Censys API for enrichment data. - 5. **Internal Data Update:** For each successful match, it clears existing Censys - enrichment data for that specific port, updates the entity's additional properties - with new metadata (software, certificates, scan times), and marks the entity as - enriched. + 7. Update entity `additional_properties` with retrieved data (e.g., services, + certificates, vulnerabilities). - 6. **Result Reporting:** Updates the entities in the SOAR platform and returns - a JSON result containing the full raw data for each enriched property. + 8. Update entities in the SOAR platform. + + 9. Return JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -220,12 +324,18 @@ Enrich Web Properties: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with web property details such as service - information, software versions, and certificate fingerprints. It also sets the - 'is_enriched' flag to true and clears previous enrichment values for the specific - ports being processed to ensure data freshness. + Updates entity `additional_properties` with enrichment data retrieved from Censys. + reasoning: >- + The action fetches data from the Censys API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It updates entity + properties (can_mutate_internal_data=true, can_update_entities=true). It does + not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) to enrich entities. + It does not mutate external systems. It only updates entity properties. This + fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -243,68 +353,89 @@ Enrich Web Properties: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves entities using `get_web_property_entities`, which filters + for `ADDRESS` and `DOMAIN` types. It does not filter by other attributes like + creation time or identifier. Get Host History: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves historical event data for a host, which aligns with the + 'Search Events' category. It does not perform enrichment on entities, update + alerts, or mutate external systems. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves the historical event data for a specific host (IP address) from the + Censys platform. This action allows users to track infrastructure changes, service + modifications, and scan history over a defined time range. - This action retrieves the event history for a specific host (IP address) from - the Censys platform. It allows security analysts to view historical scan data, - track infrastructure changes over time, and identify when specific services were - added, modified, or removed. The action is particularly useful for forensic investigations - and monitoring the evolution of an asset's exposure. + ### Flow Description - ### Parameters Description + 1. Extracts the `Host ID`, `Start Time`, and `End Time` parameters from the action + configuration. - | Parameter | Type | Mandatory | Description | + 2. Validates the `Host ID` as a valid IP address and ensures `Start Time` and + `End Time` are valid RFC3339 timestamps. - | :--- | :--- | :--- | :--- | + 3. Initializes the `APIManager` to interact with the Censys API. - | **Host ID** | string | Yes | The IP address of the host for which you want to - retrieve the history. | + 4. Performs a GET request to the Censys `/v3/global/asset/host/{host_id}/timeline` + endpoint, utilizing time-based pagination to retrieve the full history. - | **Start Time** | string | Yes | The beginning of the timeline range. Must be - a valid RFC3339 string (e.g., `2025-01-01T00:00:00Z`). This should be chronologically - earlier than the End Time. | + 5. Handles potential partial data scenarios if pagination is interrupted, logging + warnings and collecting available data. - | **End Time** | string | Yes | The end of the timeline range. Must be a valid - RFC3339 string (e.g., `2025-01-02T00:00:00Z`). This should be chronologically - later than the Start Time and earlier than the current time. | + 6. Adds the raw JSON response to the action results and constructs a data table + of events for display in the UI. - ### Flow Description - - 1. **Parameter Extraction and Validation**: The action extracts the Host ID, Start - Time, and End Time. It validates that the Host ID is a valid IP address and that - both timestamps conform to the RFC3339 standard. + ### Parameters Description - 2. **API Initialization**: It initializes the Censys API Manager using the provided - integration credentials (API Key and Organization ID). + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval**: The action performs a series of paginated `GET` requests - to the Censys Host Timeline endpoint. It automatically handles time-based pagination - using the `scanned_to` cursor provided by the API. + | :--- | :--- | :--- | :--- | - 4. **Pagination Limits**: To ensure performance, the action retrieves a maximum - of 1,000 records or performs up to 10 pagination calls. It also monitors the total - payload size to prevent exceeding system limits. + | Host ID | string | Yes | The IP address of the host to retrieve history for. + | - 5. **Data Modeling**: Each retrieved event is processed through the `HostHistoryEventModel`, - which parses resource types (e.g., service scans, DNS resolutions, WHOIS updates) - and generates direct links to the Censys platform for historical viewing. + | Start Time | string | Yes | The start of the timeline (RFC3339 format). Must + be earlier than the End Time. | - 6. **Result Output**: The full event history is attached as a JSON result. Additionally, - a data table named "Host History Events" is created to display the first 1,000 - events directly in the SOAR interface. + | End Time | string | Yes | The end of the timeline (RFC3339 format). Must be + earlier than the current time. | ### Additional Notes - - If the API returns a partial data error during pagination, the action will still - return the events collected up to that point along with a warning message. - - - The action implements a chronological-to-reverse-chronological mapping to align - user input with the Censys API's internal timeline logic. + - The action enforces a maximum record threshold and will display a warning if + results are truncated or if further exploration is required on the Censys platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -315,8 +446,17 @@ Get Host History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Censys API to retrieve host history + data (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal Google SecOps data (can_mutate_internal_data=false). It does not + update entities, create insights, or modify alert data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves historical event data from Censys. It does not update entities, + create insights, or add case comments. Therefore, it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -332,26 +472,72 @@ Get Host History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes the `Host ID` as a direct input parameter. Get Rescan Status: - ai_description: "### General Description\nRetrieves the current status of a scan\ - \ in Censys using its unique Scan ID. This action is primarily used to monitor\ - \ the progress of scans initiated via the 'Initiate Rescan' action. It supports\ - \ asynchronous execution, allowing the playbook to poll until the scan reaches\ - \ a terminal state (Completed or Failed).\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Scan ID\ - \ | String | Yes | The unique identifier of the tracked scan. |\n\n### Additional\ - \ Notes\nThis action does not run on entities. It is a utility for process monitoring\ - \ and is designed to be used in an asynchronous loop within a playbook to wait\ - \ for scan results to become available.\n\n### Flow Description\n1. **Parameter\ - \ Extraction**: Retrieves the `Scan ID` from the input parameters and validates\ - \ that it is not empty.\n2. **API Interaction**: Connects to the Censys API and\ - \ calls the GET endpoint for the specific scan ID.\n3. **Status Evaluation**:\ - \ Analyzes the API response to check for the presence and value of the `completed`\ - \ field.\n4. **Execution State Management**: \n - If the `completed` field\ - \ is missing, the action returns an `IN_PROGRESS` state.\n - If `completed`\ - \ is `True`, the action returns `COMPLETED`.\n - If `completed` is `False`,\ - \ the action returns `FAILED`.\n5. **Data Output**: Adds the full API response\ - \ as a JSON result for use in subsequent playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves the status of a scan from the Censys platform. It does + not match any of the defined categories such as 'Enrich IOC', 'Enrich Asset', + 'Create Ticket', or 'Get Alert Information' as it is specific to scan status + monitoring. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves the current status of a scan from Censys using a provided Scan ID. This + action allows users to monitor the progress of previously initiated scans and + determine when results are available. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Scan ID | string | Yes | The unique identifier of the tracked scan. | + + + ### Flow Description + + 1. Extract the `Scan ID` parameter from the action configuration. + + 2. Initialize the `APIManager` with the integration's API key and organization + ID. + + 3. Call the Censys API to fetch the status of the scan associated with the provided + `Scan ID`. + + 4. Parse the API response to determine the scan's execution state (Completed, + In Progress, or Failed). + + 5. Return the status and result to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -362,8 +548,17 @@ Get Rescan Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Censys API to retrieve the status of + a scan. It does not modify any external systems, nor does it update internal + entities or create insights. It simply fetches data and returns it to the SOAR + platform. categories: enrichment: false + reasoning: >- + The action does not fetch context about entities or alerts, nor does it update + entities. It is a status check for a specific scan ID, which does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -379,65 +574,86 @@ Get Rescan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Scan ID' as a direct input + parameter. Initiate Rescan: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action initiates a rescan on the Censys platform. It does not match any + of the provided categories (Enrichment, Containment, Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action initiates a live rescan for a specific host service or web origin - on the Censys platform. It allows users to trigger an immediate update of Censys's - data for a particular IP/Port or Hostname/Port combination. The action returns - a `tracked_scan_id`, which can be used to monitor the progress and eventual results - of the scan. + Initiates a live rescan for a known host service or web origin on the Censys platform. + This action triggers an on-demand scan of a specific IP/domain and port to validate + infrastructure and track changes. The scan may take several minutes to complete, + and the action returns a scan ID that can be used to monitor the scan's status. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IOC Type** | DDL | Yes | Specifies the type of target to rescan. Options are - 'Service' (for IP-based services) or 'Web Origin' (for hostname-based services). - | - - | **IOC Value** | String | Yes | The target identifier. This should be an IP address - if 'IOC Type' is 'Service', or a domain/hostname if 'IOC Type' is 'Web Origin'. - | - - | **Port** | String | Yes | The port associated with the service (e.g., 443). - Valid range is 1 to 65535. Default is '443'. | + | IOC Type | ddl | Yes | The type of IOC to rescan (Service or Web Origin). | - | **Protocol** | String | No | The name of the service protocol (e.g., 'http', - 'ssh'). This is **mandatory** if 'IOC Type' is set to 'Service'. | + | IOC Value | string | Yes | The IP address or domain name to initiate a rescan + for. | - | **Transport Protocol** | DDL | No | The transport layer protocol (e.g., TCP, - UDP). Default is 'Unknown'. | - - - ### Additional Notes + | Port | string | Yes | The port associated with the IP or domain (1-65535). | - - If 'IOC Type' is 'Service', the 'IOC Value' must be a valid IP address and the - 'Protocol' parameter must be provided. + | Protocol | string | No | The service protocol (Required for Service IOC Type). + | - - The scan may take several minutes to complete on the Censys side. + | Transport Protocol | ddl | No | The transport protocol (Unknown, TCP, UDP, ICMP, + QUIC) (Required for Service IOC Type). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the target details (Type, Value, - Port, Protocol) from the user input. + 1. The action extracts the configuration parameters (API Key, Organization ID, + Verify SSL) and the action-specific parameters (IOC Type, IOC Value, Port, Protocol, + Transport Protocol). + + 2. It validates the provided parameters, ensuring the port is within the valid + range and that required fields for the selected IOC Type are present. - 2. **Validation:** It validates that the port is a valid integer and, if the type - is 'Service', ensures the value is a valid IP and a protocol is specified. + 3. It initializes the Censys API Manager. - 3. **API Request:** The action sends a POST request to the Censys `/v3/global/scans/rescan` - endpoint with the target configuration. + 4. It sends a POST request to the Censys API (`/v3/global/scans/rescan`) to initiate + the rescan. - 4. **Response Processing:** It parses the API response to extract the `tracked_scan_id`, - creation time, and task count. + 5. It captures the response, which includes a `tracked_scan_id`. - 5. **Completion:** The action outputs the scan ID and status message, providing - the raw JSON response for further automation steps. + 6. It adds the full JSON response to the action results and returns a status message + containing the scan ID and creation time if available. capabilities: can_create_case_comments: false can_create_insight: false @@ -446,12 +662,18 @@ Initiate Rescan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new live rescan task on the Censys platform for the specified target, - which creates a new scan job in the external system. - fetches_data: true + Initiates a live rescan of a host service or web origin on the Censys platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Censys API to initiate a rescan. It + does not fetch contextual data for enrichment, update entities, or modify internal + case data. It triggers an external process on the Censys platform. categories: enrichment: false + reasoning: >- + The action triggers an external process (rescan) and does not retrieve contextual + data for enrichment. It does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -467,27 +689,81 @@ Initiate Rescan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided in the action configuration (IOC Value, + Port, etc.) rather than iterating over `siemplify.target_entities`. Therefore, + it does not run on entities. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ used to verify the connectivity between the Google SecOps SOAR platform and\ - \ the Censys API. It ensures that the integration is correctly configured with\ - \ valid credentials and that the SOAR server can communicate with the Censys platform\ - \ over the network.\n\n### Parameters Description\nThis action does not have any\ - \ input parameters. It relies entirely on the integration's global configuration\ - \ parameters:\n* **API Key**: The credential used for authentication.\n* **Organization\ - \ Id**: The specific Censys organization identifier.\n* **Verify SSL**: A boolean\ - \ flag determining whether to validate SSL certificates during the connection.\n\ - \n### Flow Description\n1. **Parameter Extraction**: The action retrieves the\ - \ `API Key`, `Organization Id`, and `Verify SSL` settings from the integration\ - \ configuration.\n2. **Manager Initialization**: It initializes the `APIManager`\ - \ with the retrieved credentials and settings.\n3. **Connectivity Test**: The\ - \ action calls the `test_connectivity` method, which executes a `GET` request\ - \ to the Censys organization endpoint (`/v3/accounts/organizations/{organization_id}`).\n\ - 4. **Status Evaluation**: \n * If the API call is successful, the action concludes\ - \ with a success message and a positive connectivity result.\n * If an exception\ - \ occurs (e.g., 401 Unauthorized, 404 Not Found, or network timeout), the error\ - \ is caught, logged, and the action returns a failure message with a negative\ - \ connectivity result." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a connectivity test (Ping) to the Censys API. It does not + match any of the provided product categories (e.g., Enrich IOC, Contain Host, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Tests connectivity to the Censys platform to verify that the integration can successfully + authenticate and communicate with the Censys API. This action performs a simple + connectivity test and returns the status of the connection. + + + ### Flow Description + + 1. The action extracts the required configuration parameters: API Key, Organization + ID, and Verify SSL. + + 2. It initializes the `APIManager` using these credentials. + + 3. It executes a connectivity test by making a GET request to the Censys API. + + 4. The action returns a success or failure message based on the API response. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key used for authenticating with the Censys + platform. | + + | Organization Id | String | Yes | The Organization ID associated with the Censys + account. | + + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when connecting + to the Censys API. | + + + ### Additional Notes + + This action does not perform any data retrieval or modification beyond verifying + connectivity. capabilities: can_create_case_comments: false can_create_insight: false @@ -498,8 +774,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Censys API. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -515,3 +798,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0c31d8046 --- /dev/null +++ b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Censys integration is primarily a Threat Intelligence and Vulnerability Management + tool. It provides enrichment for external indicators (IPs, Domains, Certificates) + by retrieving comprehensive intelligence such as services, ports, and vulnerabilities, + which directly supports the 'Threat Intelligence' category for confirming True + Positives and the 'Vulnerability Management' category by identifying potential + exposures and vulnerabilities on internet-facing assets. It does not perform SIEM + log ingestion, EDR host containment, network blocking, cloud configuration management, + ITSM ticketing, internal asset inventory management, or collaboration tasks. + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml index 5c5fb5b5b..f99073c3e 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml @@ -1,32 +1,81 @@ AddVulnerabilities: - ai_description: "### General Description\nEnriches entities with vulnerability information\ - \ retrieved from Claroty xDome. This action maps Google SecOps entities (such\ - \ as IP addresses, MAC addresses, or specific xDome UIDs) to devices managed within\ - \ the xDome platform. Once a device is identified, the action fetches all associated\ - \ vulnerability relations, including CVE IDs, risk scores, and remediation recommendations,\ - \ and attaches this data to the entity within the case.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | xdomeHost | string | Yes | The base URL for the Claroty xDome instance (e.g.,\ - \ `https://example.xdome.claroty.com`). |\n| xdomeApiToken | string | Yes | The\ - \ API token used for authenticating requests to the Claroty xDome API. |\n| Verify\ - \ SSL | boolean | No | If set to `true`, the action validates the SSL certificate\ - \ of the xDome host. Defaults to `true`. |\n\n### Additional Notes\n- The action\ - \ identifies devices by checking if the entity identifier matches an IP address\ - \ (IPv4/IPv6) or a MAC address pattern. \n- If the identifier is a string of 32-40\ - \ hexadecimal characters/hyphens, it is treated directly as an xDome Device UID.\n\ - - The action updates the `is_vulnerable` property of the entity based on whether\ - \ any vulnerabilities are found.\n\n### Flow Description\n1. **Configuration Extraction**:\ - \ Retrieves the xDome host, API token, and SSL verification settings.\n2. **Entity\ - \ Identification**: Iterates through all target entities in the case. For each\ - \ entity, it determines if the identifier is a UID, an IP, or a MAC address.\n\ - 3. **Device Lookup**: If the identifier is not a UID, the action queries the xDome\ - \ `/api/v1/devices/` endpoint to find the corresponding device UID.\n4. **Vulnerability\ - \ Retrieval**: Uses the device UID to query the `/api/v1/device_vulnerability_relations/`\ - \ endpoint to fetch detailed vulnerability data.\n5. **Internal Enrichment**:\ - \ Updates the entity's `additional_properties` with the vulnerability list, count,\ - \ and device UID. It also sets the `is_enriched` flag to `true`.\n6. **Entity\ - \ Update**: Commits the enriched data back to the Google SecOps case for all successfully\ - \ processed entities." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (vulnerabilities) for a device/asset, + which aligns with the 'Enrich Asset' category. It does not perform IOC enrichment + (which typically refers to file hashes or malicious IPs) or any other listed + containment/ticketing actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action enriches entities (such as IP addresses, MAC addresses, or device + UIDs) with vulnerability information retrieved from the Claroty xDome platform. + It identifies the corresponding device in xDome and fetches associated vulnerability + data, including CVE IDs, risk scores, and remediation recommendations, updating + the entity's profile within the SOAR platform. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | xdomeHost | string | Yes | Base URL for the Claroty xDome instance. | + + | xdomeApiToken | string | Yes | API token for authenticating to the Claroty xDome + API. | + + | Verify SSL | string | No | Enable to validate SSL certificates for xDome API + connections. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `xdomeHost`, `xdomeApiToken`, + and `Verify SSL` settings. + + 2. **Entity Iteration**: The action iterates through all provided target entities. + + 3. **Device Identification**: For each entity, it checks if the identifier is + a UID. If not, it attempts to resolve the entity (IP or MAC) to a device UID using + the Claroty xDome API. + + 4. **Vulnerability Retrieval**: Once a device UID is obtained, the action queries + the Claroty xDome API for all vulnerabilities associated with that device. + + 5. **Entity Enrichment**: The retrieved vulnerability data (including counts, + scores, and descriptions) is added to the entity's `additional_properties`. + + 6. **Update**: The action updates the enriched entities in the SOAR platform and + adds the results to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -37,47 +86,24 @@ AddVulnerabilities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with vulnerability data and sets the is_enriched - flag to true. + Updates entity additional properties with vulnerability data and sets the enriched + status. + reasoning: >- + The action fetches vulnerability data from an external API (Claroty xDome) and + updates the internal SOAR entities with this information. It does not modify + the state of the external Claroty xDome system (no POST/PUT/DELETE that changes + external data). It performs internal mutations by updating entity properties. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (Claroty xDome) and updates internal entity data without modifying any + external system state. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -91,53 +117,90 @@ AddVulnerabilities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target entities. It attempts to resolve identifiers + (IP, MAC, UID) to devices. It does not filter the input list by type, so it + supports all entity types, though it specifically processes ADDRESS, MacAddress, + and generic identifiers. EnrichAlerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves alert information from Claroty xDome (`get_alert_information`) + and updates the current alert's metadata and security results within the SOAR + platform (`update_alert`). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches the current Google SecOps alert with detailed metadata from a specific - Claroty xDome alert. This action retrieves comprehensive alert information, including - classification, timing, and status, and maps it to the alert's properties. Crucially, - it extracts MITRE ATT&CK (Enterprise or ICS) tactics and techniques from Claroty - and populates the corresponding security result fields in Google SecOps to improve - threat context. + This action enriches a Google SecOps alert by retrieving detailed information + from a Claroty xDome alert. It fetches specific alert metadata, including MITRE + ATT&CK tactics and techniques, and updates the current Google SecOps alert's properties + and security results to provide better context for analysts. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Claroty xDome API host + and authentication token from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `clarotyAlertId` parameter + provided by the user. - | clarotyAlertId | string | Yes | The unique identifier of the alert in Claroty - xDome that you wish to retrieve data for. | + 3. **Data Retrieval**: The action performs a POST request to the Claroty xDome + API (`/api/v1/alerts/`) to fetch the alert details matching the provided ID. + 4. **Alert Enrichment**: If the alert is found, the action updates the current + Google SecOps alert's `additional_properties` with the retrieved Claroty alert + data. - ### Flow Description + 5. **MITRE Mapping**: The action maps MITRE ATT&CK tactics and techniques (ICS + or Enterprise) from the Claroty alert to the Google SecOps alert's `security_result` + field. + + 6. **Result Reporting**: The retrieved alert data is added to the action result + JSON, and a status message is returned. - 1. **Configuration Retrieval:** The action fetches the Claroty xDome host and - API token from the integration settings. - 2. **Data Retrieval:** It sends a POST request to the Claroty xDome API to query - for the specific alert ID provided in the parameters. + ### Parameters Description - 3. **Property Mapping:** If the alert is found, the action iterates through predefined - Claroty fields (e.g., alert_class, category, status) and adds them to the Google - SecOps alert's `additional_properties` with a 'Claroty_' prefix. + | Parameter | Type | Mandatory | Description | - 4. **MITRE Enrichment:** The action extracts MITRE Enterprise or ICS technique/tactic - names and IDs from the Claroty data and updates the `security_result` object of - the current alert. + | :--- | :--- | :--- | :--- | - 5. **Completion:** The action returns the raw JSON result of the alert and updates - the action status based on whether the enrichment was successful. + | `clarotyAlertId` | string | Yes | The unique alert ID from Claroty xDome to + be retrieved and used for enrichment. | ### Additional Notes - This action specifically targets the alert object itself rather than individual - entities within the alert. It requires the integration to be configured with valid - `xdomeHost` and `xdomeApiToken` values. + This action does not require any specific entity types to run, as it operates + on the current alert context. capabilities: can_create_case_comments: false can_create_insight: false @@ -148,11 +211,19 @@ EnrichAlerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the current alert's additional properties with Claroty alert metadata - and modifies the security result fields (tactic, tactic_id, technique, technique_id) - with MITRE information. + Updates the current alert's `additional_properties` and `security_result` (MITRE + info) within Google SecOps. + reasoning: >- + The action fetches alert data from an external API (Claroty xDome). It then + modifies the current alert's `additional_properties` and `security_result` fields + within the SOAR platform. It does not mutate external data, create insights, + or add case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Claroty xDome) and updates + the internal alert's metadata. It does not mutate external systems. This fits + the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -168,51 +239,93 @@ EnrichAlerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the `siemplify.current_alert` object directly and does + not iterate over or filter `target_entities`. EnrichXDomeAssetInformation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (device category, manufacturer, risk + score, vulnerabilities) for assets (IPs/MACs). This aligns with the 'Enrich + Asset' category. It does not perform IOC reputation lookups (Enrich IOC), nor + does it perform containment or ticketing operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches IP Address and MAC Address entities with detailed asset information and - vulnerability data retrieved from Claroty xDome. This action helps security analysts - understand the context of an asset, including its manufacturer, device type, risk - score, and known vulnerabilities, directly within the Google SecOps platform. + This action enriches asset information by querying the Claroty xDome platform. + It retrieves detailed device metadata and vulnerability information for entities + identified as IP or MAC addresses. The action updates the entity's profile within + the SOAR platform with the retrieved data, providing analysts with context regarding + the device's category, manufacturer, risk score, and associated vulnerabilities. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. **Configuration Extraction**: The action retrieves the `xdomeHost` and `xdomeApiToken` + from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: It iterates through the target entities, processing only + those with the type `ADDRESS` or `MACADDRESS`. - | xdomeHost | The base URL for the Claroty xDome instance (e.g., `https://example.xdome.claroty.com`). - | String | Yes | + 3. **Device Query**: For each valid entity, it performs a POST request to the + Claroty xDome API (`/api/v1/devices/`) to fetch device details based on the IP + or MAC address. - | xdomeApiToken | The API token used for authenticating requests to the Claroty - xDome API. | String | Yes | + 4. **Vulnerability Query**: If a device is found, it performs a second POST request + to the Claroty xDome API (`/api/v1/device_vulnerability_relations/`) to retrieve + associated vulnerabilities using the device's unique identifier (UID). + 5. **Data Enrichment**: The retrieved device and vulnerability data are compacted + and added to the entity's `additional_properties`. - ### Flow Description + 6. **Entity Update**: The action updates the entities in the SOAR platform and + marks them as enriched. - 1. **Entity Validation**: The action iterates through the target entities and - filters for those of type `ADDRESS` (IP) or `MacAddress`. - 2. **Identifier Parsing**: It uses regular expressions to verify if the entity - identifier is a valid IPv4, IPv6, or MAC address. + ### Parameters Description - 3. **Device Lookup**: For each valid entity, it performs a POST request to the - Claroty xDome `/api/v1/devices/` endpoint to find matching active (non-retired) - devices. + | Parameter | Type | Mandatory | Description | - 4. **Vulnerability Retrieval**: If a device is found, the action uses the device's - unique ID (`uid`) to query the `/api/v1/device_vulnerability_relations/` endpoint - for associated vulnerabilities. + | :--- | :--- | :--- | :--- | + + | `xdomeHost` | string | Yes | Base URL for the Claroty xDome instance. | - 5. **Data Enrichment**: The action compiles asset details (e.g., `device_category`, - `risk_score`, `manufacturer`) and a summary of the top 5 vulnerabilities. + | `xdomeApiToken` | string | Yes | API token for authenticating to the Claroty + xDome instance. | - 6. **Internal Update**: The compiled data is added to the entity's `additional_properties` - (prefixed with `Claroty_`), the entity is marked as enriched, and the changes - are saved back to Google SecOps. + + ### Additional Notes + + - The action only processes entities of type `ADDRESS` or `MACADDRESS`. + + - If no matching device is found in Claroty xDome, the entity is not enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -223,10 +336,19 @@ EnrichXDomeAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset details and vulnerability information - retrieved from Claroty xDome. + Updates entity `additional_properties` and sets the `is_enriched` flag to true. + reasoning: >- + The action fetches device and vulnerability data from an external system (Claroty + xDome) via API calls. It updates the entity's `additional_properties` within + the SOAR platform, which constitutes an internal mutation, but does not modify + external system state, create insights, or add case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Claroty xDome) to enrich entities. + It does not mutate external systems. It modifies internal entity data (which + is an allowed internal mutation for enrichment actions). Therefore, it is classified + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -244,52 +366,54 @@ EnrichXDomeAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks if + the entity type is `EntityTypes.ADDRESS` or `EntityTypes.MACADDRESS`. It processes + these specific types and filters out others. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity between Google SecOps and the Claroty xDome instance using - the provided configuration parameters. This action ensures that the API host is - reachable and the provided API token is valid by performing a minimal API call. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | xdomeHost | String | Yes | The base URL of the Claroty xDome instance (e.g., - https://example.xdome.claroty.com). | - - | xdomeApiToken | String | Yes | The API token used for authentication with Claroty - xDome. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Claroty xDome host. Defaults to False if not specified. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the host URL, API token, and - SSL verification preference from the integration configuration using the `extract_configuration_param` - utility. - - 2. **Connectivity Test**: It constructs a POST request to the `/api/v1/alerts/` - endpoint of the Claroty xDome API. The request includes a minimal payload (`offset: - 0`, `limit: 1`) to verify that the credentials have permission to query data without - retrieving a large dataset. - - 3. **Response Handling**: The action checks the HTTP response status. If the request - is successful, it returns a success message and sets the execution state to completed. - If an exception occurs (e.g., network error, invalid credentials), it logs the - error and returns a failure status. - - - ### Additional Notes - - - This action does not process any entities and is intended solely for configuration - validation and health checks of the integration. + General description: This action tests the connectivity between the SOAR platform + and the Claroty xDome API. It verifies that the provided host URL and API token + are valid by attempting to retrieve a sample alert from the system. Parameters: + | Parameter | Type | Mandatory | Description | | --- | --- | --- | --- | | xdomeHost + | String | Yes | The base URL of the Claroty xDome instance. | | xdomeApiToken + | String | Yes | The API token for authentication. | | Verify SSL | Boolean | + No | Whether to verify SSL certificates. | Flow description: 1. Extract the configuration + parameters (Host, API Token, SSL verification) from the integration settings. + 2. Construct the API endpoint URL for the alerts resource. 3. Send a POST request + to the Claroty xDome API to verify the connection. 4. Return a success or failure + message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -300,8 +424,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) by sending a POST request to + the Claroty xDome API. It does not fetch contextual data for entities, nor does + it mutate external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -317,3 +448,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4ede364fa --- /dev/null +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The clarotyxdome integration is designed to enrich Google SecOps alerts and entities + with data from the Claroty xDome platform. The actions 'AddVulnerabilities' and + 'EnrichXDomeAssetInformation' specifically retrieve device metadata (such as manufacturer + and category) and vulnerability data (including CVEs and risk scores) for assets + identified by IP or MAC addresses. This functionality directly aligns with the + 'Vulnerability Management' category, as it helps analysts determine if an asset + is susceptible to specific exploits, and the 'Asset Inventory' category, as it + provides critical context about internal assets. The integration does not perform + SIEM log ingestion, EDR process-level analysis, network security blocking, threat + intelligence reputation lookups for IOCs, email security, IAM management, cloud + security, ITSM ticketing, or collaboration tasks. + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..1f5dddb37 --- /dev/null +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml @@ -0,0 +1,392 @@ +Domain monitor: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves domain monitoring data from the Cyjax API based on search + parameters. This matches the 'Search Events' category, as it returns a collection + of telemetry data. It does not match enrichment categories because it does not + operate on specific entities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves domain monitoring information from Cyjax, tracking brands against newly + registered global domains and certificate transparency logs (CTL). This action + queries the Cyjax API based on provided search parameters (Query, Since, Until) + and returns a structured list of domain monitor results. The results are displayed + in a data table and provided as raw JSON output. Parameters: Query (string, optional): + A query string to search for a domain or part of it. Since (string, optional): + The start date time in ISO8601 format. Until (string, optional): The end date + time in ISO8601 format. Flow: 1. Extracts configuration (API token, SSL verification) + and action parameters (Query, Since, Until). 2. Validates date parameters. 3. + Initializes the Cyjax API client. 4. Queries the Cyjax Domain Monitor endpoint + with pagination support. 5. Processes the retrieved domain data into a structured + format. 6. Adds a data table to the action results and returns the raw JSON output. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to retrieve domain monitoring + data. It does not modify external systems or internal SOAR data (entities, insights, + etc.). It simply displays the results in a table and JSON format. + categories: + enrichment: false + reasoning: >- + The action does not operate on entities (no target_entities usage), so it cannot + be an enrichment action. It is a standalone search action. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code does not iterate over siemplify.target_entities or use any entity-specific + logic. It is a standalone search action. +Enrich IOCs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (GeoIP, ASN, Sightings) + for indicators of compromise. This aligns with the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Enrich IOCs** action retrieves threat\ + \ intelligence data for Indicators of Compromise (IOCs) using the Cyjax API. It\ + \ fetches contextual information such as GeoIP, ASN, and sighting details for\ + \ various entity types (e.g., Domain, Email, Hostname, FileHash, IP, URL, CVE).\ + \ The action updates the entity's profile within the SOAR platform with this enrichment\ + \ data, marks the entity as enriched, and provides a summary table of the results.\n\ + \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| API Token | String | Yes | The API token used for authentication\ + \ with the Cyjax service. |\n| Verify SSL | Boolean | No | If enabled, verifies\ + \ the SSL certificate for API requests. Defaults to False. |\n\n### Flow Description\n\ + 1. **Initialization**: The action retrieves the integration configuration (API\ + \ Token, Verify SSL) and initializes the Cyjax API client.\n2. **Entity Retrieval**:\ + \ It retrieves all target entities associated with the current case.\n3. **Enrichment**:\ + \ For each entity, the action performs a GET request to the Cyjax `/indicator-of-compromise/enrichment`\ + \ endpoint.\n4. **Data Processing**: \n - If enrichment data is found, it parses\ + \ the response (GeoIP, ASN, Sightings).\n - It removes any existing Cyjax-specific\ + \ enrichment data from the entity.\n - It updates the entity's `additional_properties`\ + \ with the new enrichment data and sets `is_enriched` to True.\n5. **Update**:\ + \ The action updates the enriched entities in the SOAR platform.\n6. **Reporting**:\ + \ It adds a data table containing the enrichment results to the action output\ + \ and returns a status message." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity `additional_properties` with enrichment data and sets `is_enriched` + to True. + reasoning: >- + The action fetches threat intelligence data from the Cyjax API (GET requests) + and updates the entities within the SOAR platform with the retrieved enrichment + data. It does not mutate external systems, modify alert data, or create insights/comments. + categories: + enrichment: true + reasoning: >- + The action fetches data from an external source (Cyjax) and updates internal + entity attributes. It does not mutate external systems or perform forbidden + internal mutations. It is a valid enrichment action. + entity_usage: + entity_types: + - ADDRESS + - CVE + - DOMAIN + - FILEHASH + - HOSTNAME + - DestinationURL + - USERUNIQNAME + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entity_objects` + and iterates through them to perform enrichment. It does not apply any filtering + logic based on entity attributes (like type, creation time, etc.) within the + script, so it is considered to run on all supported entity types. +List Data Breaches: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches data breach records from the Cyjax API based on search parameters. + This matches the 'Search Events' category as it retrieves historical telemetry + data. It does not perform enrichment on entities, nor does it mutate external + or internal systems. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves a list of data breaches from the Cyjax platform based on + optional search criteria. It allows users to filter results by a query string + and a specific date range, providing visibility into compromised credentials. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Query | string | No | A query string to search for an email address or part + of it. | + + | Since | string | No | The start date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | + + | Until | string | No | The end date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | + + + ### Additional Notes + + The action automatically handles pagination up to a limit of 1000 records. If + the limit is reached, a note is added to the output message. + + + ### Flow Description + + 1. Extracts configuration parameters (Query, Since, Until). + + 2. Validates the provided date range. + + 3. Initializes the Cyjax API client. + + 4. Queries the Cyjax API for data breaches, handling pagination automatically. + + 5. Processes the retrieved data into a structured format. + + 6. Displays the results in a data table within the case and returns the raw JSON + output. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to retrieve data breach records + (fetches_data=true). It does not perform any POST/PUT/DELETE operations (can_mutate_external_data=false). + It does not modify any internal case data, entities, or insights (can_mutate_internal_data=false). + categories: + enrichment: false + reasoning: >- + The action is not an enrichment action because it does not operate on entities + or alerts to gather supplemental context. It is a standalone search action that + retrieves data breach records. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + performs a standalone search against the Cyjax API based on provided parameters, + therefore it does not operate on any specific entity types. +Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations such as enrichment, containment, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action tests the connectivity between\ + \ the Google SecOps SOAR platform and the Cyjax API. It validates the provided\ + \ integration configuration (API Token and SSL verification settings) to ensure\ + \ the SOAR platform can successfully communicate with the Cyjax service.\n\n###\ + \ Parameters Description\nThere are no action-specific parameters. The action\ + \ utilizes the integration configuration parameters defined in the Cyjax integration\ + \ settings:\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| API Token | String | Yes | The authentication token used to\ + \ access the Cyjax API. |\n| Verify SSL | Boolean | No | Whether to verify SSL\ + \ certificates when making API requests. Defaults to False. |\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves\ + \ the integration configuration (API Token and Verify SSL) using `get_integration_params`.\n\ + 2. **Manager Instantiation**: An `APIManager` instance is created using the retrieved\ + \ credentials.\n3. **Connectivity Test**: The action calls the `ping()` method,\ + \ which performs a GET request to the Cyjax API endpoint (`/indicator-of-compromise`).\n\ + 4. **Result Handling**: \n - If the API returns a successful response, the\ + \ action logs the success and sets the execution result to True.\n - If an\ + \ exception occurs (e.g., unauthorized access, network error), the action logs\ + \ the error and sets the execution result to False.\n5. **Completion**: The action\ + \ terminates, reporting the connectivity status." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to verify connectivity. It + does not modify any external systems, update internal entities, or create insights. + It is a utility action for connectivity testing. + categories: + enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, actions named + 'Ping' must not be categorized as enrichment actions, even if they fetch data. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. It is a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..fbb3ade24 --- /dev/null +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration is primarily focused on providing threat intelligence capabilities. + The 'Enrich IOCs' action directly aligns with the 'Threat Intelligence' category + by fetching reputation data, sightings, and contextual information for various + indicators (IPs, Hashes, Domains, URLs). The 'Domain monitor' and 'List Data Breaches' + actions provide additional intelligence gathering capabilities, which further + support this classification. The integration does not perform SIEM log analysis, + EDR host-level investigation, network blocking, identity management, or ITSM ticketing + functions. Therefore, it is classified exclusively under Threat Intelligence. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml index 0f4115761..106d020a7 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml @@ -1,54 +1,74 @@ EnrichAssetInformation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (asset information) for an IP address + and updates the entity. This matches the 'Enrich Asset' category. It does not + perform threat intelligence lookups (reputation/prevalence) in the traditional + sense of 'Enrich IOC', though it enriches an IP. 'Enrich Asset' is the most + accurate description. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches IP Address entities with detailed asset information retrieved from the - CylusOne platform. This action is designed to provide security analysts with deeper - context regarding network assets by fetching metadata such as MAC addresses, associated - IP lists, and custom asset properties. The retrieved data is mapped directly to - the entity's additional properties within Google SecOps, facilitating better informed - incident response. + This action enriches IP address entities with asset information retrieved from + the CylusOne platform. It queries the CylusOne API to obtain detailed asset metadata + for a given IP address, flattens the retrieved properties, and updates the entity's + additional properties within the SOAR platform. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - integration configuration (Base URL, API Key, and Verify SSL). + There are no action-specific parameters. The action relies on global integration + configuration parameters (Base URL, API Key, and Verify SSL) to establish connectivity + with the CylusOne platform. - ### Flow Description - - 1. **Initialization**: The action initializes the CylusOne API manager using the - integration's global configuration parameters. - - 2. **Entity Filtering**: It iterates through all target entities in the current - context, specifically filtering for those of type `ADDRESS` (IP Address). - - 3. **Validation**: Each IP address is validated against a standard IPv4 regex - pattern to ensure API compatibility. + ### Additional Notes - 4. **Data Retrieval**: For each valid IP, the action performs a GET request to - the CylusOne `/rest/v1/assets/by-ip` endpoint. + This action is designed to be used for asset enrichment. It does not perform threat + intelligence lookups (e.g., reputation scores) and does not modify any external + systems. - 5. **Data Transformation**: If an asset is found, the action flattens the response - data. Custom properties are prefixed with `Cylus_prop_`, and list-based fields - (like MACs) are converted into comma-separated strings. - 6. **Internal Update**: The processed enrichment data is added to the entity's - `additional_properties` dictionary, and the entity's `is_enriched` status is set - to `True`. + ### Flow Description - 7. **Finalization**: The action updates the entities in the Google SecOps platform - and returns a JSON object containing the enrichment results for all processed - identifiers. + 1. The action iterates through all target entities provided in the case. + 2. It filters for entities of type `ADDRESS` and validates their format. - ### Additional Notes + 3. For each valid IP, it queries the CylusOne API to retrieve associated asset + details. - - This action only supports IPv4 addresses. + 4. The retrieved asset data is flattened and formatted into key-value pairs. - - If an asset is not found in CylusOne for a specific IP, the action will report - a failure for that specific entity but continue processing others. + 5. The action updates the entity's `additional_properties` with this new information + and marks the entity as enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,10 +79,18 @@ EnrichAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset metadata from CylusOne and sets - the 'is_enriched' flag to true for successful lookups. + Updates the entity's additional_properties and sets the is_enriched flag to + true. + reasoning: >- + The action fetches asset data from an external API (CylusOne) and updates the + internal entity properties within the SOAR platform. It does not modify external + systems or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source and updates internal entity + properties without modifying external systems. This meets the criteria for an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -79,49 +107,74 @@ EnrichAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `entity.entity_type + == EntityTypes.ADDRESS`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category actions (e.g., enrichment, containment, ticket management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the CylusOne platform. This action - verifies that the provided Base URL and API Key are correct and that the network - connection is functional. + Tests the connectivity to the CylusOne platform. This action validates the provided + API credentials and ensures the integration can successfully communicate with + the CylusOne API endpoint. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters: + | Parameter | Type | Mandatory | Description | - * **Base URL**: The root URL of the CylusOne API. + | :--- | :--- | :--- | :--- | - * **Cylus API Key**: The API key used for authentication. + | Base URL | String | Yes | The base URL of the CylusOne API. | - * **Verify SSL**: Boolean flag indicating whether to verify the SSL certificate - of the CylusOne server. + | Cylus API Key | String | Yes | The API key used for authentication. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates during API requests. + | - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the integration's configuration parameters - (Base URL, API Key, and SSL verification setting) using utility functions. - - 2. **API Initialization**: Initializes the `ApiManager` with the retrieved credentials - and session headers. - 3. **Connectivity Test**: Executes the `test_connectivity` method, which performs - a GET request to a sample asset endpoint (`/rest/v1/assets/by-ip`) using a placeholder - IP address to verify authentication and network reachability. + ### Flow Description - 4. **Result Reporting**: Returns a success status if the API responds with a valid - status code (200 or 404). If the request fails (e.g., 401 Unauthorized, 403 Forbidden, - or connection timeout), it captures the error and reports a failure. + 1. The action extracts the integration parameters (Base URL, API Key, Verify SSL) + from the configuration. + 2. It initializes the `ApiManager` with these parameters. - ### Additional Notes + 3. It calls the `test_connectivity` method, which sends a GET request to the CylusOne + API to verify the connection. - This is a standard health check action. Per system rules, actions named 'Ping' - are not categorized as enrichment actions. + 4. The action returns a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -130,10 +183,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the CylusOne platform. It + does not fetch contextual data for entities, nor does it mutate any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -149,3 +209,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..60f8a5eb5 --- /dev/null +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides an action 'EnrichAssetInformation' which retrieves detailed + asset metadata for IP addresses from the CylusOne Rail OT Cybersecurity platform. + This functionality directly aligns with the Asset Inventory category, which is + defined by the ability to retrieve information about internal assets such as ownership + and business criticality. The integration does not perform threat intelligence + lookups (reputation/prevalence), nor does it provide SIEM-like log searching, + EDR-like host containment, or network security blocking capabilities based on + the provided actions. Therefore, it is classified solely as Asset Inventory. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml index 9b11dd3c5..dad6a9f9a 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml @@ -1,11 +1,42 @@ Add IOCs to Allowed list: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds indicators to an allowed list in an external system (Cyware). + This directly matches the 'Add IOC To Allowlist' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add IOCs to Allowed list** action allows users to whitelist specific indicators - within the Cyware Intel Exchange (CTIX) platform. This is typically used to prevent - known-safe indicators from triggering alerts or being flagged as malicious in - future intelligence cycles. + This action adds indicators of compromise (IOCs) to the allowed list (whitelist) + within the Cyware Intel Exchange platform. It allows analysts to mark specific + indicators as trusted, preventing future security alerts or false positives for + these items. ### Parameters Description @@ -14,41 +45,33 @@ Add IOCs to Allowed list: | :--- | :--- | :--- | :--- | - | **IOC Type** | DDL | Yes | Specifies the type of the indicators being added - (e.g., `ipv4-addr`, `domain-name`, `file`). This must match the type of the entities - being processed. | + | IOC Type | ddl | Yes | The type of indicator (e.g., ipv4-addr, domain-name). + | - | **Reason** | String | Yes | Provides a justification or context for why these - indicators are being added to the allowed list. | + | Reason | string | Yes | The reason for adding the indicators to the allowed + list. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `IOC Type` and `Reason` - from the user input. + If no entities are found in the case, the action completes without performing + any API calls. - 2. **Entity Collection**: It identifies all entities currently associated with - the case context. - 3. **API Interaction**: The action sends a bulk `POST` request to the Cyware `allowed_indicators` - endpoint, containing the list of entity identifiers, the specified type, and the - reason. + ### Flow Description - 4. **Result Processing**: It parses the response from Cyware, which details how - many indicators were newly created, how many already existed in the list, and - if any were considered invalid. + 1. Retrieve integration configuration (Base URL, credentials). - 5. **Output**: The action provides a summary message of the operation's success - and attaches the full JSON response for further review. + 2. Extract action parameters (`IOC Type`, `Reason`). + 3. Retrieve target entities from the case. - ### Additional Notes + 4. If entities are present, send a request to the Cyware API to add these indicators + to the allowed list. - - This action performs a mutation on the external Cyware system by modifying its - whitelist configuration. + 5. Process the API response to identify newly added, existing, or invalid indicators. - - If no entities are found in the context, the action will complete successfully - with a message stating no entities were processed. + 6. Log the results and update the action result with the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,12 +80,18 @@ Add IOCs to Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the provided indicator values to the Cyware Intel Exchange allowed list - (whitelist) with a specified reason. + Adds indicators to the allowed list in Cyware Intel Exchange. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (Cyware) to add indicators + to an allowed list. It does not fetch data, nor does it modify internal SOAR + data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (adding to an allowlist) and does not fetch + data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -113,15 +142,50 @@ Add IOCs to Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code calls `get_entities(siemplify)`, which retrieves all target entities + from the case. It does not filter by type or other properties in the script + itself (the `IOC Type` parameter is passed to the API, but the script processes + all entities found in the case). Therefore, it supports all entity types. Add Note to IOCs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a note to an IOC in the Cyware Intel Exchange. This does not + match any of the predefined categories (e.g., it is not an enrichment action, + nor does it modify alerts, tickets, or blocklists). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Note to IOCs** action allows users to attach descriptive notes or structured - JSON data to existing threat intelligence objects (IOCs) within the Cyware Intel - Exchange platform. This action is primarily used to document analyst findings, - add context from external tools, or update the status of an indicator within the - threat intelligence lifecycle. + This action adds a note to an existing threat data object (IOC) within the Cyware + Intel Exchange platform. It allows analysts to attach contextual information or + metadata to indicators, facilitating better threat intelligence management. ### Parameters Description @@ -130,46 +194,28 @@ Add Note to IOCs: | :--- | :--- | :--- | :--- | - | **Note Type** | String | Yes | Specifies the category or type of the note being - added (e.g., `threatdata`). | - - | **Note** | String | Yes | The actual content of the note. This can be plain - text or a JSON string. | - - | **Is the Note in Json format** | Boolean | No | If set to `true`, the action - validates that the `Note` parameter contains valid JSON before sending it to Cyware. + | Note Type | string | Yes | The category or type of the note (e.g., 'threatdata'). | + | Note | string | Yes | The content of the note to be added. | - ### Flow Description - - 1. **Initialization**: The action retrieves connection details (Base URL, Access - ID, Secret Key) and input parameters from the configuration. - - 2. **Entity Identification**: It collects the identifiers of all entities currently - attached to the Google SecOps case. + | Is the Note in Json format | boolean | No | Set to true if the provided note + content is in JSON format. | - 3. **Bulk Lookup**: It queries Cyware Intel Exchange using a bulk lookup endpoint - to map the case entity identifiers to their corresponding internal Cyware Indicator - IDs. - 4. **Note Submission**: For every entity successfully matched to a Cyware indicator, - the action sends a POST request to the `/ingestion/notes/` endpoint to create - and attach the specified note. + ### Flow Description - 5. **Result Reporting**: The action provides a summary of which IOCs were successfully - updated and includes the raw API responses in the JSON results for downstream - playbook use. + 1. Extract parameters: `Note`, `Note Type`, and `Is the Note in Json format`. + 2. Retrieve target entities from the current case. - ### Additional Notes + 3. Perform a bulk lookup in Cyware Intel Exchange to resolve entity identifiers + to internal object IDs. - - If an entity is not found in Cyware Intel Exchange, it is skipped and reported - as missing. + 4. For each successfully resolved indicator, send a POST request to add the specified + note. - - If the **Is the Note in Json format** parameter is enabled but the input provided - in the **Note** field is not valid JSON, the action will fail with a specific - error message. + 5. Return the execution status and details of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -178,12 +224,17 @@ Add Note to IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new note records in the Cyware Intel Exchange platform associated with - specific threat indicators. + Adds a note to an indicator in the Cyware Intel Exchange. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (lookup_iocs) and mutates external data (add_note_to_indicator). + It does not mutate internal data, update entities, create insights, or modify + alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (adds a note), so it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -234,14 +285,50 @@ Add Note to IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `get_entities(siemplify)` to retrieve all `target_entities` from + the case without filtering by type. Therefore, it supports all entity types. Create Intel in Cyware Intel Exchange: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an intelligence record in an external system (Cyware Intel + Exchange). It does not match any of the provided categories (Enrich IOC, Create + Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates new intelligence records (indicators) in Cyware Intel Exchange - (CTIX) for entities found in the current Google SecOps context. It allows users - to submit indicators with specific metadata such as TLP, confidence scores, and - tags, and then monitors the creation process until completion. + This action creates a new intelligence record in the Cyware Intel Exchange (CTIX) + platform. It processes target entities from the case, prepares a payload with + specified metadata (such as TLP, confidence, tags, and description), and submits + it to the Cyware API. The action also polls the status of the creation task to + ensure the intelligence record is successfully processed. ### Parameters Description @@ -250,59 +337,61 @@ Create Intel in Cyware Intel Exchange: | :--- | :--- | :--- | :--- | - | Title | String | Yes | The title for the intelligence record (maximum 100 characters). - | + | Title | string | Yes | The title for the intelligence record (max 100 characters). + Defaults to the alert name. | - | IOC Type | DDL | Yes | The STIX-compliant type of the indicator (e.g., ipv4-addr, - domain-name, file). | + | TLP | ddl | No | The Traffic Light Protocol (TLP) value for the intel. Options: + RED, CLEAR, AMBER, AMBER_STRICT, NONE, GREEN. Defaults to NONE. | - | TLP | DDL | No | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, - NONE, GREEN). Default is NONE. | + | Metadata Confidence Score | string | No | A source confidence score for the + intel (0-100). | - | Metadata Confidence Score | String | No | A source confidence score between - 0 and 100. | + | Tags | string | No | Comma-separated tag names to add to the intel. | - | Tags | String | No | Comma-separated list of tags to associate with the intelligence. + | Deprecates After | string | No | The expiration time of the indicator in days + (max 1000 days). Defaults to 180. | + + | Description | string | No | A description for the intel (max 1000 characters). | - | Deprecates After | String | No | The expiration time of the indicator in days - (maximum 1000 days). | + | IOC Type | ddl | Yes | The type of indicator (e.g., ipv4-addr, domain-name, + file, etc.). Defaults to ipv4-addr. | + - | Description | String | No | A detailed description for the intelligence (maximum - 1000 characters). | + ### Additional Notes + - The action validates that the `Title` does not exceed 100 characters and the + `Description` does not exceed 1000 characters. - ### Flow Description + - The `Metadata Confidence Score` and `Deprecates After` parameters are validated + as integers. - 1. **Parameter Initialization**: The action retrieves the integration configuration - (Base URL, Credentials) and the action-specific parameters. + - If no entities are found in the case, the action completes without performing + any operations. - 2. **Entity Collection**: It identifies all target entities associated with the - current case. - 3. **Validation**: The action validates the lengths of the Title and Description, - and ensures the Confidence Score and Expiration days are within valid numeric - ranges. + ### Flow Description - 4. **Intel Creation**: For each entity, it sends a POST request to the Cyware - CTIX API to initiate the creation of a STIX-based intelligence record. + 1. **Initialization**: Retrieves integration parameters (Base URL, Access ID, + Secret Key) and target entities from the case. - 5. **Status Polling**: After initiation, the action enters a polling loop, checking - the status of the creation task via the Cyware API at regular intervals until - the record is successfully created, an error occurs, or the maximum number of - attempts is reached. + 2. **Validation**: Validates input parameters (Title, Description, Confidence + Score, Deprecates After). - 6. **Result Reporting**: Finally, it aggregates the results for all entities and - provides a summary of successful and failed operations. + 3. **Processing**: Iterates through each target entity. + 4. **Payload Preparation**: Constructs the intelligence creation payload, including + metadata (TLP, tags, confidence, description) and the indicator value. - ### Additional Notes + 5. **Creation**: Sends a POST request to the Cyware CTIX API (`/conversion/quick-intel/create-stix/`) + to create the intel. - * The action applies the same `IOC Type` to all entities processed in a single - run. Ensure that the entities in the context match the selected type. + 6. **Status Polling**: If a task ID is returned, the action polls the status endpoint + (`/conversion/quick-intel/receive-report/`) until the report status is marked + as successful or failed, or until the maximum number of attempts is reached. - * If no entities are found, the action will complete successfully with a message - indicating no entities were processed. + 7. **Result Reporting**: Aggregates the results for all processed indicators and + adds them to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,11 +400,19 @@ Create Intel in Cyware Intel Exchange: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new intelligence records (indicators) in Cyware Intel Exchange. + Creates a new intelligence record in Cyware Intel Exchange. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to create an intelligence record in Cyware Intel + Exchange (can_mutate_external_data=true). It also polls for the status of the + creation task (fetches_data=true). It does not modify internal SOAR data or + update entities. categories: enrichment: false + reasoning: >- + The action creates external data (an intelligence record) rather than retrieving + data, so it cannot be an Enrichment action. entity_usage: entity_types: - ADDRESS @@ -366,14 +463,50 @@ Create Intel in Cyware Intel Exchange: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `get_entities(siemplify)` to retrieve all target entities from + the case and processes them without filtering by type. Therefore, it supports + all entity types. Create Task for IOCs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a task in an external system (Cyware), which is functionally + equivalent to creating a ticket or record. This aligns with the 'Create Ticket' + category. It does not match other categories like enrichment, containment, or + alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Creates tasks in Cyware Intel Exchange for specific Indicator of Compromise (IOC) - entities. This action allows analysts to automate the creation of follow-up tasks - or investigations within the Cyware platform, associated directly with threat - data objects found in a Google SecOps case. + This action creates a task for a threat data object (IOC) in the Cyware Intel + Exchange platform. It allows users to define task details, assign them to specific + users, and set deadlines. ### Parameters Description @@ -382,57 +515,41 @@ Create Task for IOCs: | :--- | :--- | :--- | :--- | - | **Text** | String | Yes | The description of the task to be performed. Limited - to 2000 characters. | - - | **Priority** | DDL | Yes | The priority level assigned to the task. Options: - `high`, `medium`, `low`. | + | Text | string | Yes | The description of the task to be performed (Max 2000 + characters). | - | **Status** | DDL | Yes | The initial status of the created task. Options: `not_started`, - `in_progress`, `completed`. | + | Priority | ddl | Yes | The priority of the task (high, medium, low). | - | **Deadline** | String | Yes | The deadline for the task expressed in days from - the current time. Must be an integer between 1 and 365. | - - | **Assignee Email ID** | String | No | The email address of a valid Cyware user - to whom the task will be assigned. If omitted, the task is created as unassigned. + | Status | ddl | Yes | The status of the task (not_started, in_progress, completed). | + | Deadline | string | Yes | The deadline of the task in days (Max 365 days). | - ### Flow Description - - 1. **Initialization**: Extracts integration configuration and action parameters, - including task details and the optional assignee email. + | Assignee Email ID | string | No | The email ID of a valid user to assign the + task. If not provided, the task is created without an assignee. | - 2. **Validation**: Validates that the task description is within the character - limit and that the deadline is a valid integer within the allowed range (1-365 - days). - 3. **User Resolution**: If an assignee email is provided, the action queries the - Cyware API to retrieve the corresponding internal User ID. If the user is not - found, the action fails. + ### Flow Description - 4. **IOC Lookup**: Retrieves all target entities from the case and performs a - bulk lookup in Cyware Intel Exchange to map entity identifiers to their internal - Cyware object IDs. + 1. **Initialization**: The action extracts the provided parameters and retrieves + the target entities from the case. - 5. **Task Creation**: Iterates through the valid IOCs found in Cyware and sends - a POST request to create a task for each, including the description, priority, - status, and calculated deadline timestamp. + 2. **Validation**: It validates the `Text` length and the `Deadline` integer value. - 6. **Result Reporting**: Aggregates the responses, providing a summary of successful - and failed task creations, and outputs the raw JSON results for each task. + 3. **Authentication**: It initializes the Cyware API manager using the integration + configuration. + 4. **User Lookup**: If an `Assignee Email ID` is provided, it retrieves the corresponding + user ID from Cyware. - ### Additional Notes + 5. **IOC Lookup**: It performs a bulk lookup to map the provided entity identifiers + to their corresponding indicator IDs in Cyware. - - **Entity Matching**: Only entities that already exist as indicators in Cyware - Intel Exchange will have tasks created for them. Entities not found in Cyware - are skipped. + 6. **Task Creation**: For each valid indicator, it creates a task in Cyware with + the specified parameters (text, priority, status, deadline, and optional assignee). - - **Error Handling**: The action will fail if no entities are provided, if the - assignee email is invalid, or if the task description exceeds the 2000-character - limit. + 7. **Result Reporting**: It compiles the results of the task creation process + and returns them as a JSON result, updating the action status accordingly. capabilities: can_create_case_comments: false can_create_insight: false @@ -441,12 +558,20 @@ Create Task for IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new task objects in the Cyware Intel Exchange platform associated with - specific threat indicators. + Creates new tasks for indicators in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (user information and indicator IDs) from the Cyware + Intel Exchange API. It mutates external data by creating new tasks in the Cyware + platform. It does not mutate internal SOAR data (other than returning results) + or modify alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs a mutation on an + external system (creating a task). It does not meet the criteria for an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -497,71 +622,107 @@ Create Task for IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code retrieves all target entities using `get_entities(siemplify)` and performs + a lookup for these entities in Cyware. It does not filter by specific entity + types, so it supports all available entity types. Get Allowed IOCs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of allowed IOCs from the Cyware platform. It does + not match any of the specific categories like 'Enrich IOC' (which requires enriching + a specific indicator), 'Search Events', or 'Get Alert Information'. It is a + general data retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action retrieves a list of Indicators of Compromise (IOCs) that have been - marked as 'allowed' (whitelisted) within the Cyware CTIX platform. It allows security - analysts to audit or verify the current allowlist status of various indicator - types directly from Google SecOps. + Retrieves a list of allowed (whitelisted) Indicators of Compromise (IOCs) from + the Cyware Intel Exchange platform. This action allows users to filter the results + by indicator type and creation time. The retrieved data is presented as a data + table in the action results. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the configuration parameters (Base URL, Access ID, Secret + Key) and action parameters (IOC Type, Created From). - | :--- | :--- | :--- | :--- | + 2. It initializes the Cyware API manager. - | **IOC Type** | DDL | No | Filters the results by a specific indicator type (e.g., - `domain-name`, `ipv4-addr`, `file`). If set to 'All' (default), all allowed indicators - are retrieved. | + 3. It performs a GET request to the Cyware Intel Exchange API to fetch the allowed + IOCs, applying any specified filters. - | **Created From** | String | No | Filters records based on their creation time. - Expects an epoch timestamp in seconds (e.g., `1767160932`). | + 4. The retrieved IOCs are processed and formatted into a CSV-style data table. + 5. The action adds the data table to the result and returns the full JSON response. - ### Additional Notes - - This action does not run on specific entities within a case; it performs a global - retrieval from the Cyware platform based on the provided filters. + ### Parameters Description - - The action handles pagination automatically to ensure all matching records are - retrieved, though the displayed data table is limited to the first 10 records - for readability. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | IOC Type | ddl | No | Filter the results by a specific indicator type (e.g., + domain-name, ipv4-addr). Select 'All' to retrieve all types. | - 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Created - From` filters from the user input. + | Created From | string | No | Filter records based on the creation time in epoch + format (seconds). | - 2. **Validation:** It validates that the `Created From` parameter is a valid non-negative - integer if provided. - 3. **API Interaction:** It connects to the Cyware CTIX API and performs a GET - request to the allowed indicators endpoint, applying the specified filters. + ### Additional Notes - 4. **Data Processing:** The action aggregates paginated results into a single - list and maps them to a structured data model. + - If no filters are provided, the action retrieves all allowed IOCs up to the + default page size limits. - 5. **Output Generation:** It populates a data table named 'Allowed IOCs' with - the ID, Type, and Value of the retrieved indicators and attaches the full raw - JSON response to the action results. + - The action outputs a data table named 'Allowed IOCs' containing the ID, Type, + and Value of the retrieved indicators. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Allowed IOCs' to the Google SecOps case - to display the retrieved information. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve data from the Cyware Intel Exchange. + It does not mutate any external systems or internal SOAR data (entities, insights, + etc.). It only outputs the retrieved data as a table in the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of allowed IOCs from an external system. It does + not enrich specific entities or alerts within the case, nor does it meet the + criteria for an enrichment action as it is a global data retrieval task rather + than context gathering for specific entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -577,53 +738,83 @@ Get Allowed IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It performs a global + query against the Cyware API based on provided parameters. Get IOC Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches threat intelligence data (reputation, scores, tags) for indicators + from Cyware Intel Exchange and updates the SOAR entities with this information. + This matches the 'Enrich IOC' category. It does not mutate external systems + or perform other actions like ticket creation or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed threat intelligence for entities from Cyware Intel Exchange - (CTIX), including analyst scores, confidence levels, and TLP classifications. + This action retrieves threat intelligence details for indicators (IOCs) from the + Cyware Intel Exchange platform. It allows users to optionally include enrichment + data and relations in the response. The action fetches details for the provided + entities, displays them in a data table, and enriches the entities within the + SOAR case by updating their properties with threat intelligence scores and metadata. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Enrichment Data | boolean | No | If true, includes detailed enrichment metadata - in the results. | - - | Relation Data | boolean | No | If true, includes relationship data between IOCs - in the results. | - - | Fields | string | No | A comma-separated list of specific fields to retrieve - from the API. | - - - ### Additional Notes - - - The action performs a bulk lookup for all target entities. + | Enrichment Data | boolean | false | Whether to include enrichment data in the + results. | - - The data table displayed in the case wall is limited to the first 10 records. + | Relation Data | boolean | false | Whether to include relations in the results. + | - - Entities are enriched with properties prefixed with 'Cyware_'. + | Fields | string | false | Specific fields to retrieve (e.g., "name,id"). | ### Flow Description - 1. Extract parameters and identify target entities. + 1. Extracts configuration parameters (Base URL, Access ID, Secret Key, Verify + SSL). + + 2. Extracts action parameters (Enrichment Data, Relation Data, Fields). - 2. Query the Cyware CTIX API for IOC details using entity identifiers. + 3. Retrieves target entities from the case. - 3. Parse the response and populate a data table for the case wall. + 4. Queries the Cyware Intel Exchange API for IOC details. - 4. Map the results back to the original entities. + 5. Constructs a data table with the retrieved IOC information. - 5. Update entity additional properties with threat intelligence and mark them - as enriched. + 6. Updates the SOAR entities with the retrieved enrichment data (e.g., scores, + TLP, tags). - 6. Return the full JSON response. + 7. Updates the entities in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,10 +825,20 @@ Get IOC Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Cyware threat intelligence (scores, - TLP, status) and marks entities as enriched. + Updates entity attributes with threat intelligence data and marks the entity + as enriched. + reasoning: >- + The action fetches threat intelligence data from an external API (Cyware Intel + Exchange) using a POST request. It does not mutate external systems (no state + change on Cyware). It performs internal mutations by updating entity attributes + (e.g., adding enrichment data) and updating the entities in the SOAR platform. + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data (IOC details) and updates entity attributes (enrichment). + It does not mutate external systems. It fits the definition of an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -680,7 +881,7 @@ Get IOC Details: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -688,36 +889,87 @@ Get IOC Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case and filters them based + on whether their identifier exists in the results returned from the Cyware API. + Since no explicit type-based filtering is performed in the code, it is considered + to support all entity types. Manage Tags in IOCs: - ai_description: "### General Description\nThe **Manage Tags in IOCs** action allows\ - \ users to programmatically add or remove tags from Indicators of Compromise (IOCs)\ - \ within the Cyware Intel Exchange platform. It facilitates bulk tagging operations\ - \ based on entities present in a Google SecOps case, ensuring that threat intelligence\ - \ metadata is kept up-to-date.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Tags** | String\ - \ | Yes | A comma-separated list of tag names to be added or removed (e.g., \"\ - malicious\", \"phishing\"). |\n| **Operation Type** | DDL | Yes | Determines the\ - \ action to perform. Options are `Add Tag` or `Remove Tag`. |\n\n### Additional\ - \ Notes\n- **Auto-Creation**: During an `Add Tag` operation, if a specified tag\ - \ does not exist in Cyware Intel Exchange, the action will automatically attempt\ - \ to create it before associating it with the IOCs.\n- **IOC Resolution**: The\ - \ action resolves SecOps entity identifiers to Cyware internal object IDs. If\ - \ an entity is not found in Cyware, it will be skipped, and a note will be included\ - \ in the output message.\n- **Validation**: For `Remove Tag` operations, only\ - \ existing tags found in Cyware will be processed; invalid or non-existent tags\ - \ are ignored.\n\n### Flow Description\n1. **Initialization**: Retrieves integration\ - \ credentials and extracts the `Tags` and `Operation Type` parameters.\n2. **Tag\ - \ Discovery**: Fetches the full list of available tags from Cyware Intel Exchange\ - \ to map the provided tag names to their respective internal IDs.\n3. **Entity\ - \ Resolution**: Converts the identifiers of the target entities into Cyware IOC\ - \ object IDs using a bulk lookup.\n4. **Tag Management (Add)**: \n - Identifies\ - \ any tags that do not yet exist in Cyware and creates them.\n - Executes a\ - \ bulk API call to associate the complete list of tag IDs with the identified\ - \ IOCs.\n5. **Tag Management (Remove)**: \n - Filters the provided tag list\ - \ to include only those that currently exist in Cyware.\n - Executes a bulk\ - \ API call to disassociate the specified tag IDs from the identified IOCs.\n6.\ - \ **Completion**: Returns a summary message indicating the number of tags processed\ - \ and any entities or tags that were skipped." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs tag management (add/remove) on IOCs in an external system. + It does not match any of the provided specific categories like 'Enrich IOC' + (which is read-only), 'Contain Host', or 'Update Alert'. Therefore, all flags + are false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action manages tags for Indicators of Compromise (IOCs) within the Cyware + Intel Exchange platform. It allows analysts to either add or remove specific tags + from a set of IOCs identified in the SOAR case. If adding tags, the action automatically + creates any tags that do not already exist in the Cyware platform before applying + them to the IOCs. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | string | Yes | A comma-separated list of tag names to add or remove (e.g., + "malware, phishing"). | + + | Operation Type | ddl | Yes | The operation to perform: "Add Tag" or "Remove + Tag". | + + + ### Flow Description + + 1. **Initialization**: Extracts integration configuration (Base URL, Access ID, + Secret Key) and action parameters. + + 2. **Entity Retrieval**: Retrieves all target entities (IOCs) from the current + SOAR case. + + 3. **Tag Resolution**: Fetches existing tags from Cyware Intel Exchange to map + tag names to their respective IDs. + + 4. **Operation Execution**: + * **If "Add Tag"**: Looks up IOC IDs for the provided entities. If any tags + are missing in Cyware, it creates them. Finally, it performs a bulk update to + add the tags to the identified IOCs. + * **If "Remove Tag"**: Looks up IOC IDs for the provided entities and performs + a bulk update to remove the specified tags from the identified IOCs. + 5. **Result Reporting**: Returns the operation status and details via the script + result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -726,13 +978,22 @@ Manage Tags in IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the metadata of IOCs in Cyware Intel Exchange by adding - or removing tags. Additionally, it can create new tag objects in the external - system if they do not already exist during an 'Add Tag' operation. + The action adds or removes tags from IOCs in the Cyware Intel Exchange platform + and may create new tags if they do not exist. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (tag lists and IOC lookups) from the Cyware Intel Exchange + API. It performs external mutations by adding, removing, or creating tags in + the Cyware platform. It does not modify internal SOAR case data (e.g., updating + entity fields or adding case comments), nor does it update alert status. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs mutations on an external + system (Cyware Intel Exchange) by adding/removing tags. It does not meet the + criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: - ADDRESS @@ -783,67 +1044,85 @@ Manage Tags in IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entities` + and attempts to look them up in Cyware. It does not filter by specific entity + types in the code, so it is considered to support all entity types. Mark IOCs False Positive: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the status of an indicator in an external threat intelligence + platform (Cyware) to 'false positive'. This aligns with the 'Add IOC To Allowlist' + category, as marking an indicator as a false positive is a standard method to + prevent future alerts on that indicator. It does not perform enrichment, containment, + or ticket creation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action marks multiple Indicators of Compromise (IOCs) as false positives - within the Cyware Intel Exchange (CTIX) platform. It is used to update the status - of threat intelligence indicators that have been determined to be non-threatening, - ensuring that future security analysis is accurate and noise is reduced. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies on the global - integration configuration parameters: - - - | Parameter Name | Type | Mandatory | Description | + This action marks specified indicators (IOCs) as false positives within the Cyware + Intel Exchange platform. By identifying indicators that have been incorrectly + flagged, this action helps maintain the accuracy of threat intelligence data. - | :--- | :--- | :--- | :--- | - - | Base URL | String | Yes | The base URL of the Cyware CTIX tenant. | - - | Access ID | String | Yes | The Access ID used for API authentication. | - - | Secret Key | String | Yes | The Secret Key used for API authentication. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the CTIX server. Default is False. | + ### Flow Description - ### Additional Notes + 1. **Configuration Retrieval**: The action retrieves the necessary integration + parameters (Base URL, Access ID, Secret Key) from the Cyware Intel Exchange integration + configuration. - * The action first performs a lookup to translate the Google SecOps entity identifiers - into Cyware-specific internal IDs. + 2. **Entity Retrieval**: The action retrieves all target entities attached to + the current case. - * Only entities that already exist in the Cyware Intel Exchange platform will - be processed; any entities not found in CTIX will be skipped. + 3. **IOC Lookup**: The action performs a bulk lookup in the Cyware Intel Exchange + platform to map the entity values to their corresponding internal object IDs. - * The action performs a bulk update, meaning it processes all valid entities in - a single API request to the external system. + 4. **Filtering**: The action filters out any indicators that were not found in + the Cyware platform. + 5. **Mutation**: The action sends a bulk request to Cyware to mark the identified, + valid indicators as false positives. - ### Flow Description + 6. **Result Reporting**: The action returns the operation status and result details, + including the number of indicators successfully marked. - 1. **Initialization**: The action initializes the Siemplify (Google SecOps) environment - and retrieves the integration configuration (Base URL, credentials). - 2. **Entity Retrieval**: It collects all target entities associated with the current - case. + ### Parameters Description - 3. **IOC Lookup**: The action calls the Cyware API to perform a bulk lookup of - the entity identifiers to retrieve their corresponding internal Cyware IDs. + There are no specific action parameters required for this action. It relies on + the integration configuration and the entities attached to the case. - 4. **Validation**: It identifies which entities have valid IDs in CTIX and logs - any entities that are missing from the platform. - 5. **Status Update**: If valid IDs are found, the action sends a request to the - Cyware bulk action endpoint to mark those specific indicators as 'False Positive'. + ### Additional Notes - 6. **Result Reporting**: The action returns the API response as a JSON object - and provides a summary message indicating the number of successfully updated indicators. + This action performs a mutation on an external system (Cyware Intel Exchange). + It does not modify internal Google SecOps data. capabilities: can_create_case_comments: false can_create_insight: false @@ -852,12 +1131,20 @@ Mark IOCs False Positive: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action updates the status of indicators in the Cyware Intel Exchange platform - by marking them as 'False Positive' via a POST request to the bulk action endpoint. + Marks indicators as false positive in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from Cyware Intel Exchange to lookup IOC IDs (fetches_data=true). + It then performs a POST request to mark these indicators as false positives + in the external system (can_mutate_external_data=true). It does not modify internal + SOAR data, update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (marks indicators as false positive in Cyware), + which violates the 'External State Preservation' rule for enrichment actions. + Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -908,27 +1195,84 @@ Mark IOCs False Positive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entities(siemplify)`. + It does not filter by specific entity types in the code, meaning it attempts + to process any entity provided. Therefore, it supports all available entity + types. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Cyware Intel Exchange\ - \ platform. Its primary purpose is to ensure that the provided configuration parameters\ - \ (Base URL, Access ID, and Secret Key) are correct and that the network path\ - \ to the Cyware server is open. It performs a simple health check by sending a\ - \ GET request to the service's ping endpoint.\n\n### Parameters Description\n\ - This action does not require any input parameters.\n\n### Additional Notes\n*\ - \ This action is typically used during the initial setup of the integration or\ - \ for troubleshooting connectivity issues.\n* A successful execution returns a\ - \ 'True' result, while any failure (authentication, timeout, or DNS issues) returns\ - \ 'False'.\n\n### Flow Description\n1. **Initialization**: The action initializes\ - \ the Siemplify context and retrieves the integration's global configuration parameters,\ - \ including the Base URL and authentication credentials.\n2. **API Connection**:\ - \ It instantiates the `APIManager` which handles the authentication logic (HMAC\ - \ signature generation).\n3. **Connectivity Test**: The action calls the `test_connectivity`\ - \ method, which executes a GET request to the `/ping/` endpoint.\n4. **Result\ - \ Handling**: \n * If the server responds with a success status, the action\ - \ logs the success and returns a positive result.\n * If an exception occurs\ - \ (e.g., `UnauthorizedException` or `InternalServerError`), the action captures\ - \ the error, logs the details, and marks the execution as failed." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action verifies connectivity to the Cyware Intel Exchange server by sending + a ping request. It ensures that the integration is correctly configured and that + the SOAR platform can communicate with the Cyware API. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base URL | String | Yes | The URL of the Cyware CTIX tenant. | + + | Access ID | String | Yes | The Access ID for API authentication. | + + | Secret Key | String | Yes | The Secret Key for API authentication. | + + | Verify SSL | Boolean | No | Whether to verify the SSL certificate. Defaults + to False. | + + + ### Flow Description + + 1. Extracts integration configuration parameters (Base URL, Access ID, Secret + Key, Verify SSL). + + 2. Initializes the API manager with the provided credentials. + + 3. Sends a GET request to the `/ping/` endpoint of the Cyware server. + + 4. Returns a success message if the connection is established, or an error message + if the connection fails. + + + ### Additional Notes + + This action is a connectivity test and does not perform any data retrieval or + modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -939,8 +1283,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the `/ping/` endpoint to verify connectivity. + It does not modify external or internal data, nor does it fetch contextual data + about alerts or entities. categories: enrichment: false + reasoning: >- + The action is a connectivity test ("Ping"). Per the instructions, Ping actions + are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -956,49 +1307,86 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities, as it is a connectivity test. Remove IOCs from Allowed list: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes indicators from an allowlist in an external system (Cyware + Intel Exchange). This directly matches the 'Remove IOC From Allowlist' category. + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Remove IOCs from Allowed list** action is used to un-whitelist indicators - in Cyware Intel Exchange. It processes the entities present in a Google SecOps - case, resolves their identifiers to internal Cyware indicator IDs, and then removes - those IDs from the Cyware allowed list (allowlist). + This action removes specified Indicators of Compromise (IOCs) from the allowlist + within the Cyware Intel Exchange platform. It is designed to manage indicator + status by un-whitelisting entities that were previously allowed. ### Parameters - There are no specific action parameters for this action. It utilizes the global - integration configuration (Base URL, Access ID, Secret Key, and Verify SSL) and - the entities attached to the case. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Base URL | string | Yes | The base URL of the Cyware CTIX tenant. | - 1. **Initialization**: The action retrieves integration credentials and the list - of target entities from the current case. + | Access ID | string | Yes | The Access ID for API authentication. | - 2. **ID Resolution**: It performs a bulk lookup in Cyware Intel Exchange to map - the entity identifiers (such as IP addresses, domains, or hashes) to their corresponding - internal Cyware indicator IDs. + | Secret Key | string | Yes | The Secret Key for API authentication. | - 3. **Validation**: The action identifies which entities exist in Cyware and logs - any that are missing from the external system. + | Verify SSL | boolean | No | Whether to verify the SSL certificate. Defaults + to False. | - 4. **Removal**: For all successfully resolved IDs, it sends a bulk POST request - to the Cyware API to remove these indicators from the allowed list. - 5. **Completion**: The action returns the raw API response as JSON and provides - a summary message of the operation's success or failure. + ### Additional Notes + This action requires valid API credentials for the Cyware Intel Exchange integration. + It performs a bulk lookup to map entity identifiers to internal Cyware IDs before + attempting the removal. - ### Additional Notes - - This action requires the entities to already exist as indicators within Cyware - Intel Exchange to be successfully removed from the allowed list. + ### Flow Description + + 1. Retrieve integration configuration parameters (Base URL, Access ID, Secret + Key, Verify SSL). + + 2. Identify target entities from the current case. + + 3. Perform a bulk lookup in Cyware Intel Exchange to map the entity identifiers + to internal indicator IDs. + + 4. Filter out any indicators that were not found in the system. - - If no entities are provided or no valid indicators are found in the external - system, the action will complete gracefully with an informative message. + 5. Send a request to remove the valid indicators from the allowlist. + + 6. Return the operation result and status to the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -1007,49 +1395,27 @@ Remove IOCs from Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified indicators from the allowed list (un-whitelists them) in Cyware - Intel Exchange via a bulk action API call. + Removes indicators from the allowlist in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (bulk lookup of IOCs) and mutates external data (removes + IOCs from the allowlist in Cyware). It does not mutate internal SOAR data (no + entity updates, insights, or case comments are created). categories: enrichment: false + reasoning: >- + The action is a mutation action (removes from allowlist) and does not meet the + criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE + - DESTINATIONDOMAIN - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE + - FILEHASH - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1063,3 +1429,7 @@ Remove IOCs from Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case and attempts to look + them up in Cyware. It does not filter by specific entity attributes within the + code, so it supports all relevant IOC entity types. diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b02f191af --- /dev/null +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The cyware_intel_exchange integration is a Threat Intelligence Platform (TIP) + connector. Its primary capability is to enrich security alerts by retrieving threat + intelligence data (reputation, scores, tags) for indicators (IPs, Hashes, Domains) + using the 'Get IOC Details' action, which directly aligns with the Threat Intelligence + category. The integration also provides operational capabilities to manage threat + intelligence within the Cyware platform, such as adding/removing indicators from + allowlists, managing tags, creating intelligence records, and creating tasks for + indicators. It does not perform SIEM log analysis, EDR host containment, network + security blocking, email management, IAM operations, cloud resource management, + vulnerability scanning, asset inventory lookups, or collaboration/notification + tasks. While it creates 'tasks', these are specific to the Cyware platform and + do not constitute an ITSM ticketing workflow. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml index a85ceb0d7..d9b584fd6 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml @@ -1,24 +1,77 @@ Add Comment To Model Breach: - ai_description: "### General Description\nAdds a comment to a specific model breach\ - \ in Darktrace. This action allows analysts to document findings, provide updates,\ - \ or add context directly to a Darktrace alert from within Google SecOps. It targets\ - \ a specific model breach using its unique identifier.\n\n### Parameters Description\n\ - \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Model Breach ID | String | Yes | The unique identifier of the model breach\ - \ in Darktrace to which the comment will be added. |\n| Comment | String | Yes\ - \ | The text content of the comment to be appended to the model breach record.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the necessary\ - \ API configuration (Root URL, Token, Private Token) and the specific action parameters\ - \ (Model Breach ID and Comment).\n2. **API Connection**: Initializes the Darktrace\ - \ Manager to establish a secure connection to the Darktrace API.\n3. **Execution**:\ - \ Sends a POST request to the Darktrace endpoint `/modelbreaches/{model_breach_id}/comments`\ - \ containing the comment payload.\n4. **Error Handling**: Specifically catches\ - \ cases where the Model Breach ID does not exist (NotFoundException) and provides\ - \ a clear error message. \n5. **Completion**: Returns the JSON response from the\ - \ Darktrace API and marks the action as completed or failed based on the outcome.\n\ - \n### Additional Notes\nThis action performs a state-changing operation in the\ - \ external Darktrace system. It does not interact with or modify entities within\ - \ the Google SecOps environment." + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action appends a note to the activity timeline of an alert (model breach) + in the external Darktrace system. This aligns with the 'Add Alert Comment' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Adds a comment to a specific model breach in the Darktrace platform. This action + allows analysts to append notes or context directly to an existing model breach, + facilitating better documentation and collaboration within Darktrace. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the required configuration parameters + (API Root, API Token, API Private Token, Verify SSL) and the action-specific parameters + (Model Breach ID, Comment). + + 2. **Manager Initialization**: Initializes the `DarktraceManager` with the provided + credentials to establish a connection to the Darktrace API. + + 3. **Execution**: Sends a POST request to the Darktrace API endpoint `/modelbreaches/{model_breach_id}/comments` + with the provided comment message. + + 4. **Result Handling**: Returns the result of the operation. If the model breach + is not found, it handles the `NotFoundException` and returns a failure status + with an appropriate error message. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Model Breach ID | string | Yes | The unique identifier of the model breach in + Darktrace to which the comment will be added. | + + | Comment | string | Yes | The text content of the comment to be added to the + model breach. | + + + ### Additional Notes + + This action does not interact with Google SecOps entities directly; it operates + on a specific Model Breach ID provided as an input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -27,12 +80,19 @@ Add Comment To Model Breach: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment to a model breach record in the Darktrace platform via a - POST request to the API. + Adds a comment to a model breach in the Darktrace platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Darktrace) to add a comment + to a model breach. It does not fetch data, update entities, or modify internal + SOAR data. It does not create case comments within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch data (not enrichment). It mutates external data (adds + a comment). It does not fit the criteria for enrichment as it does not retrieve + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -48,62 +108,69 @@ Add Comment To Model Breach: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses a specific `Model + Breach ID` provided as a parameter. Enrich Entities: - ai_description: >- - ### General Description - - Enriches IP Address, Hostname, MAC Address, and URL entities using threat intelligence - and device metadata from Darktrace. This action retrieves comprehensive device - details, endpoint information, and optionally historical connection data to provide - security analysts with context regarding internal and external endpoints. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Fetch Connection Data | boolean | No | If enabled, the action retrieves additional - information about network connections related to internal Darktrace endpoints. - | - - | Max Hours Backwards | string | No | Specifies the lookback window (in hours) - for fetching connection data. Defaults to 24. If a value less than 1 is provided, - the default is used. | - - | Create Endpoint Insight | boolean | No | If enabled, generates a detailed insight - for the entity in the Google SecOps case containing hostname, IP, MAC, OS, and - device type information. | - - - ### Flow Description - - 1. **Initialization**: The action extracts API credentials (API Root, Token, Private - Token) and configuration parameters, including the connection data toggle and - lookback window. - - 2. **Entity Filtering**: It identifies supported entities from the case, specifically - targeting IP Addresses, Hostnames, MAC Addresses, and URLs. - - 3. **Data Retrieval**: For each entity, the action queries the Darktrace API: - * **IP/MAC**: Fetches device or endpoint details directly. - * **Hostname**: Searches for the device to retrieve its IP or MAC, then fetches - full details. - * **URL**: Extracts the domain or path and queries for endpoint details. - 4. **Connection Enrichment**: If `Fetch Connection Data` is active and a device - ID is found, the action retrieves historical connection logs for the specified - timeframe. - - 5. **Internal Updates**: The action enriches the entities by updating their additional - properties with Darktrace metadata, adding data tables for interacted devices - and connections, and marking the entities as enriched. - - 6. **Insight Generation**: If `Create Endpoint Insight` is enabled, a formatted - insight is added to the entity for quick reference. - - 7. **Finalization**: The action updates the entities in the Google SecOps environment - and returns a JSON summary of the results. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and contextual metadata for indicators + (IOCs) and assets (devices/endpoints) from Darktrace. This aligns with both + 'Enrich IOC' and 'Enrich Asset' categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches entities (IP, Hostname, MacAddress, URL) using information\ + \ from Darktrace. This action retrieves device and endpoint details from Darktrace\ + \ and optionally fetches connection data for internal endpoints. It updates the\ + \ entity's profile with enrichment data, generates insights, and attaches data\ + \ tables to the case for further analysis.\n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action extracts configuration parameters (API Root, Token,\ + \ SSL verification) and action-specific parameters (Fetch Connection Data, Max\ + \ Hours Backwards, Create Endpoint Insight).\n2. **Entity Filtering**: It iterates\ + \ through the target entities, filtering for supported types: ADDRESS, HOSTNAME,\ + \ MACADDRESS, and URL.\n3. **Data Retrieval**: For each entity, it queries the\ + \ Darktrace API to retrieve device or endpoint details based on the entity type.\n\ + 4. **Optional Connection Data**: If 'Fetch Connection Data' is enabled, it retrieves\ + \ additional connection history for the identified device.\n5. **Enrichment &\ + \ Reporting**: \n - Updates the entity's additional properties with the retrieved\ + \ data.\n - Marks the entity as enriched.\n - Adds a data table containing\ + \ device/endpoint details to the case.\n - Optionally creates an entity insight\ + \ if 'Create Endpoint Insight' is enabled.\n - Adds a data table for connection\ + \ data if retrieved.\n - Updates the entities in the case and returns a JSON\ + \ result summary.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Fetch Connection Data | boolean | No | If\ + \ enabled, the action fetches connection data related to the internal endpoints\ + \ from Darktrace. |\n| Max Hours Backwards | string | No | Specifies the time\ + \ range (in hours) for fetching connection data. Default is 24. |\n| Create Endpoint\ + \ Insight | boolean | No | If enabled, creates an insight containing information\ + \ about the internal endpoints. |\n\n### Additional Notes\n- The action automatically\ + \ handles domain extraction from URL entities.\n- If no entities are successfully\ + \ enriched, the action returns a failure status." capabilities: can_create_case_comments: false can_create_insight: true @@ -114,11 +181,22 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the 'is_enriched' - flag, adds data tables to the case, and creates entity insights containing device - and endpoint details. + Updates entity additional properties, adds entity insights, and adds data tables + to the case. + reasoning: >- + The action fetches data from the Darktrace API (fetches_data=true). It does + not perform any write operations to external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding insights, + and adding data tables to the case (can_mutate_internal_data=true). It specifically + uses SDK methods to update entities and create insights. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual information about entities from an + external source (Darktrace) and enrich the entity profile within the SOAR platform. + It does not mutate external systems and only performs allowed internal mutations + (updating entities, creating insights). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -138,66 +216,92 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on the `SUPPORTED_ENTITY_TYPES` list (ADDRESS, HOSTNAME, MACADDRESS, URL). Execute Custom Search: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action executes a custom search query and returns the results. This directly + matches the 'Search Events' category, which is defined as returning a collection + of historical logs or telemetry data matching specific search parameters. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Executes a custom search query against the Darktrace platform to retrieve historical + data or telemetry. This action allows analysts to perform ad-hoc investigations + by querying Darktrace's advanced search API. - Executes a custom search query in Darktrace to retrieve specific event or threat - data within a defined timeframe. This action allows users to leverage Darktrace's - advanced search capabilities directly from Google SecOps, returning raw search - hits for further analysis or automation logic. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | String | Yes | The specific Darktrace query string to be executed. | + 1. **Parameter Extraction**: The action retrieves the necessary API credentials + (API Root, Token, Private Token) and action parameters (Query, Time Frame, Start/End + Time, Max Results). - | Time Frame | DDL | No | The temporal scope for the search. Options include relative - ranges (e.g., 'Last Hour'), alert-relative ranges (e.g., '5 Minutes Around Alert - Time'), or 'Custom'. Defaults to 'Last Hour'. | + 2. **Time Calculation**: It determines the search time range. If a specific time + frame is provided, it calculates the start and end timestamps. If the time frame + is relative to the alert (e.g., '30 Minutes Around Alert Time'), it uses the current + alert's start and end times. - | Start Time | String | No | The ISO 8601 formatted start time. This is mandatory - if 'Time Frame' is set to 'Custom'. | + 3. **Search Execution**: It constructs a base64-encoded query and executes a GET + request to the Darktrace `/advancedsearch/api/search/` endpoint. - | End Time | String | No | The ISO 8601 formatted end time. If 'Custom' is selected - and this is empty, the current time is used. | + 4. **Result Output**: The retrieved search results are parsed and added to the + action's result JSON, making them available for the analyst to review. - | Max Results To Return | String | No | Limits the number of hits returned by - the search. Defaults to 50. | + ### Parameters - ### Additional Notes - - - If 'Custom' is selected as the 'Time Frame', the 'Start Time' parameter must - be provided, otherwise the action will fail. + | Parameter | Type | Mandatory | Description | - - When using alert-relative timeframes (e.g., '30 Minutes Around Alert Time'), - the action automatically calculates the range based on the start and end times - of the current alert in Google SecOps. + | :--- | :--- | :--- | :--- | + | Query | String | Yes | The search query to execute in Darktrace. | - ### Flow Description + | Time Frame | DDL | No | The time range for the search (e.g., 'Last Hour', 'Last + 24 Hours', 'Custom'). Defaults to 'Last Hour'. | - 1. **Parameter Extraction**: Retrieves API configuration and user-provided search - parameters. + | Start Time | String | No | The start time in ISO 8601 format. Mandatory if 'Time + Frame' is set to 'Custom'. | - 2. **Time Range Calculation**: Determines the absolute start and end timestamps - based on the 'Time Frame' selection and alert context. + | End Time | String | No | The end time in ISO 8601 format. Defaults to current + time if not provided. | - 3. **Query Encoding**: Formats the search parameters into a JSON structure and - encodes it into a Base64 string as required by the Darktrace Advanced Search API. + | Max Results To Return | String | No | The maximum number of results to return. + Defaults to 50. | - 4. **API Execution**: Sends a GET request to the Darktrace `/advancedsearch/api/search/{base64_query}` - endpoint. - 5. **Data Parsing**: Processes the API response and converts the resulting hits - into a structured JSON format. + ### Additional Notes - 6. **Result Reporting**: Returns the search results to the Google SecOps platform. + If 'Custom' is selected for the 'Time Frame' parameter, the 'Start Time' parameter + must be provided. The action utilizes the current alert's context (start/end time) + if the selected time frame is relative to the alert. capabilities: can_create_case_comments: false can_create_insight: false @@ -208,8 +312,18 @@ Execute Custom Search: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Darktrace API to retrieve search results + based on a user-provided query. It does not modify any external systems (no + POST/PUT/DELETE operations that change state). It does not modify internal Google + SecOps data (no entity updates, insights, or case comments). It only outputs + the retrieved data to the action result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual data (search results) from an external + system (Darktrace). It does not mutate external systems, nor does it modify + internal Google SecOps data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -225,84 +339,118 @@ Execute Custom Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It operates based + on the alert's time context and user-provided query parameters, not on specific + entity objects. List Endpoint Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves event logs for specific endpoints (IPs, Hostnames, MACs) + from Darktrace. This provides context about the asset's behavior, matching 'Enrich + Asset' and 'Enrich IOC'. It also returns a collection of historical logs, matching + 'Search Events'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves the latest security and network events related to specific - endpoints from Darktrace. It supports searching for events based on IP addresses, - Hostnames, or MAC addresses. The action allows users to filter by specific event - types (such as connections, unusual connections, or model breaches) and define - a specific time window for the search. The retrieved data is presented as data - tables on the case wall and as a raw JSON result for further automation. + Lists endpoint events from Darktrace for specified entities (IP, Hostname, or + MacAddress). This action retrieves historical event data such as connections, + unusual connections, and model breaches to provide context for security investigations. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Event Type** | String | Yes | A comma-separated list of event types to retrieve. - Supported values include: `connection`, `unusualconnection`, `newconnection`, - `notice`, `devicehistory`, `modelbreach`. | + 1. **Initialization**: Extracts configuration parameters (API root, tokens) and + action parameters (Event Type, Time Frame, etc.). - | **Time Frame** | DDL | Yes | The time range for the search (e.g., Last Hour, - Last 24 Hours). If set to "Custom", the "Start Time" parameter must be provided. - | + 2. **Filtering**: Identifies and filters target entities from the case that match + supported types (IP, Hostname, MacAddress). - | **Start Time** | String | No | The start time for the search in ISO 8601 format. - This is mandatory only if "Time Frame" is set to "Custom". | + 3. **Device Search**: For each valid entity, queries the Darktrace API to locate + the corresponding device. - | **End Time** | String | No | The end time for the search in ISO 8601 format. - If left empty while using a "Custom" time frame, the current time is used. | + 4. **Event Retrieval**: If the device is found, fetches the requested event types + within the specified time frame. - | **Max Events To Return** | String | No | The maximum number of events to return - per event type. Defaults to 50. | + 5. **Reporting**: Adds the retrieved event data to the action results as data + tables and a JSON result object. - ### Additional Notes + ### Parameters Description - - Events are returned in the UTC timezone. + | Parameter | Type | Mandatory | Description | - - The action first attempts to resolve the entity to a Darktrace Device ID (`did`) - before fetching events. + | :--- | :--- | :--- | :--- | - - If multiple event types are requested, a separate data table is created for - each type per entity. + | Event Type | string | Yes | Comma-separated list of event types to return (e.g., + connection, unusualconnection, notice). | + | Time Frame | ddl | Yes | Time range for the search (e.g., Last Hour, Last 6 + Hours, Custom). | - ### Flow Description + | Start Time | string | No | ISO 8601 start time. Mandatory if "Custom" is selected + for Time Frame. | - 1. **Parameter Initialization**: Extracts API configuration and action parameters, - validating that the provided event types and limits are valid. + | End Time | string | No | ISO 8601 end time. Defaults to current time if not + provided. | - 2. **Time Calculation**: Determines the start and end timestamps based on the - selected "Time Frame" or custom inputs. + | Max Events To Return | string | No | Maximum number of events to return per + event type. Default is 50. | - 3. **Entity Resolution**: For each supported entity (IP, Hostname, or MAC Address), - the action queries Darktrace to find the corresponding internal Device ID. - 4. **Event Retrieval**: If a device is found, the action iterates through the - requested event types and fetches the latest events within the specified time - range. + ### Additional Notes - 5. **Data Output**: Successfully retrieved events are formatted into data tables - and added to the case wall. The full dataset is also attached as a JSON result. + If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables to the Google SecOps case wall to display the retrieved - endpoint events. + internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Darktrace API to retrieve event data + for specific endpoints. It does not perform any POST/PUT/DELETE operations on + external systems, nor does it modify internal Google SecOps data (e.g., it does + not update entities, create insights, or modify case data). It only outputs + data to the action result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (events) for entities. + It does not mutate external systems or modify internal Google SecOps data (it + only outputs results). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -321,70 +469,110 @@ List Endpoint Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + whether their type is in the `SUPPORTED_ENTITY_TYPES` list (ADDRESS, HOSTNAME, + MACADDRESS). List Similar Devices: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata about devices (similar devices) from + Darktrace, which aligns with 'Enrich Asset'. It also performs a search for the + device within the product to get its ID, which aligns with 'Search Asset'. It + does not modify external systems or alert data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves a list of devices from Darktrace that exhibit similar behavioral patterns - to the provided endpoint entities. This action leverages Darktrace's AI-driven - analysis to identify related assets, which is critical for scoping potential compromises - or identifying lateral movement during an investigation. It supports IP Address, - Hostname, and MAC Address entities. - + This action retrieves a list of similar devices for a given endpoint (IP, Hostname, + or MAC Address) from the Darktrace platform. It helps security analysts identify + related assets or potential lateral movement by querying Darktrace's device database. - ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action extracts necessary API credentials (API Root, + Token, Private Token) and the `Max Devices To Return` parameter. - | Max Devices To Return | Integer | No | 50 | Specifies the maximum number of - similar devices to retrieve for each identified entity. | + 2. **Filtering**: It filters the provided `target_entities` to include only supported + types: `ADDRESS`, `HOSTNAME`, and `MacAddress`. + 3. **Device Search**: For each valid entity, the action queries Darktrace to find + the corresponding device ID (`did`). - ### Flow Description + 4. **Retrieval**: If the device is found, it requests a list of similar devices + from Darktrace, limited by the `Max Devices To Return` parameter. - 1. **Parameter Validation**: Validates that the 'Max Devices To Return' parameter - is a positive integer greater than zero. + 5. **Output**: The action adds a table of similar devices to the entity's context + and includes the full results in the action's JSON output. - 2. **Connection Initialization**: Establishes a secure connection to the Darktrace - API using the configured API Root and tokens. - 3. **Entity Filtering**: Filters the case's target entities to identify supported - types: ADDRESS (IP), HOSTNAME, and MacAddress. + ### Parameters - 4. **Device Identification**: For each valid entity, the action searches Darktrace - to find its corresponding internal Device ID (DID). + | Parameter | Type | Mandatory | Description | - 5. **Similarity Query**: Queries the Darktrace '/similardevices' endpoint using - the DID to fetch a list of similar devices, limited by the user-defined threshold. + | :--- | :--- | :--- | :--- | - 6. **Data Enrichment**: Enriches the case by adding a detailed data table to each - successful entity and populating the action's JSON results with the raw device - data. + | Max Devices To Return | integer | No | Specifies the maximum number of similar + devices to return per entity. Defaults to 50. | ### Additional Notes - - The 'Max Devices To Return' parameter must be greater than 0; otherwise, the - action will fail with an error. + - The action requires valid Darktrace API credentials to be configured in the + integration settings. - - If a matching device cannot be found in Darktrace for a specific entity, that - entity will be reported as failed in the final output message. + - If no similar devices are found for an entity, the action will report it as + a failure for that specific entity. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true + can_mutate_internal_data: false + can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action enriches entities by adding data tables containing similar device - information and populates the action's JSON results with the retrieved data. + internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Darktrace API to search for devices + and retrieve similar device information. It does not perform any POST/PUT/DELETE + operations on external systems (no external mutation). It adds result tables + and JSON to the SOAR action output, which is standard for enrichment actions + and does not constitute internal data mutation (modifying existing case data). categories: enrichment: true + reasoning: >- + The action fetches contextual data (similar devices) from an external system + (Darktrace) to enrich the investigation. It does not mutate external systems, + nor does it modify existing internal SOAR data (like alert status or case fields). + It meets all criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -403,58 +591,77 @@ List Similar Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` using `SUPPORTED_ENTITY_TYPES`, + which includes `ADDRESS`, `HOSTNAME`, and `MACADDRESS`. It iterates over these + entities to perform lookups. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Darktrace server. It validates that the integration's configuration - parameters, such as the API Root and authentication tokens, are correctly set - and that the Darktrace API is reachable. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + Tests connectivity to the Darktrace server using the provided API credentials. + This action performs a GET request to the status endpoint to verify that the integration + is correctly configured and the server is reachable. - | :--- | :--- | :--- | :--- | - | **API Root** | String | Yes | The base URL of the Darktrace API instance (e.g., - https://darktrace-instance.com). | + ### Flow Description - | **API Token** | String | Yes | The public API token used for authentication. - | + 1. The action extracts the API Root, API Token, API Private Token, and SSL verification + settings from the integration configuration. - | **API Private Token** | String | Yes | The private API token used to generate - the HMAC signature for request headers. | + 2. It initializes the `DarktraceManager` with these credentials. - | **Verify SSL** | Boolean | No | If set to true, the action will validate the - SSL certificate of the Darktrace server. | + 3. It calls the `test_connectivity` method, which sends a GET request to the Darktrace + `/status` endpoint. + 4. If the request is successful, the action returns a success message. If the + request fails, it catches the exception and returns a failure message. - ### Additional Notes - This action does not process any entities and is strictly used for testing the - integration's communication with the Darktrace API. It targets the `/status` endpoint - to confirm service availability. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves the API Root, API Token, Private - Token, and SSL verification settings from the integration configuration. + | API Root | string | Yes | The base URL for the Darktrace API. | - 2. **Manager Initialization:** It initializes the `DarktraceManager` with the - extracted credentials. + | API Token | string | Yes | The API token for authentication. | - 3. **Connectivity Test:** The manager executes a signed GET request to the Darktrace - `/status` endpoint. - - 4. **Response Validation:** The action checks the HTTP response and any error - messages returned by the API. + | API Private Token | string | Yes | The private API token for signature generation. + | - 5. **Execution Result:** If the request is successful, the action completes with - a success message; otherwise, it fails and provides the error details. + | Verify SSL | boolean | No | Whether to verify the SSL certificate of the API + root. | capabilities: can_create_case_comments: false can_create_insight: false @@ -465,8 +672,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Darktrace status endpoint to verify + connectivity. It does not mutate external or internal data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -482,48 +696,87 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Update Model Breach Status: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of a model breach in Darktrace. This aligns with + the 'Update Alert' category as it changes the status of an alert-like object + (model breach). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates the status of a specific model breach in Darktrace. This action allows - security analysts to programmatically acknowledge or unacknowledge breaches identified - by Darktrace, facilitating automated incident response workflows and status synchronization - between Google SecOps and Darktrace. + Updates the status of a model breach in the Darktrace platform. This action allows + analysts to acknowledge or unacknowledge specific model breaches, ensuring that + the status in Darktrace reflects the current investigation state. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts configuration parameters (API Root, Token, Private + Token, SSL verification) and action parameters (Status, Model Breach ID). - | :--- | :--- | :--- | :--- | + 2. **Validation**: Initializes the `DarktraceManager` to interact with the Darktrace + API. - | Status | DDL | Yes | Specifies the target status for the model breach. Supported - values are `Acknowledged` and `Unacknowledged`. | + 3. **Fetch**: Retrieves the current details of the specified model breach to verify + its existence and current status. - | Model Breach ID | String | Yes | The unique identifier of the model breach in - Darktrace that needs to be updated. | + 4. **Check**: Compares the requested status with the current status. If the breach + is already in the desired state, the action terminates with a success message. + 5. **Update**: If the status differs, performs a POST request to either acknowledge + or unacknowledge the model breach in Darktrace. - ### Flow Description + 6. **Completion**: Returns a success message indicating the status update or an + error message if the operation fails. - 1. **Initialization**: The action initializes the Darktrace manager using API - credentials and configuration parameters. - 2. **Current State Retrieval**: It fetches the current details of the specified - model breach from Darktrace using the `Model Breach ID` to determine its existing - acknowledgment status. + ### Parameters Description - 3. **Status Comparison**: The action compares the current status with the requested - `Status` parameter. If the breach already has the requested status, it raises - an `AlreadyAppliedException` and completes successfully without further action. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Status | ddl | Yes | The status to set for the model breach. Options: 'Acknowledged', + 'Unacknowledged'. | - 4. **Mutation**: If the status needs to be changed, the action sends a POST request - to the Darktrace API to either acknowledge or unacknowledge the breach based on - the input. + | Model Breach ID | string | Yes | The unique identifier of the model breach to + update. | + + + ### Additional Notes - 5. **Completion**: The action returns a success message confirming the status - update or indicating that the status was already set as requested. + This action performs a state change in the external Darktrace system. It does + not modify any entities or data within the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,12 +785,20 @@ Update Model Breach Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the acknowledgment status of a model breach in the Darktrace platform - by sending POST requests to the /acknowledge or /unacknowledge endpoints. + Updates the status of a model breach (Acknowledged/Unacknowledged) in the Darktrace + platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (GET) to verify the current status of the model breach + and performs a mutation (POST) to update the status in the external Darktrace + system. It does not modify internal SecOps data, entities, or insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Darktrace), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -553,3 +814,7 @@ Update Model Breach Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It relies on + the 'Model Breach ID' parameter provided by the user to identify the target + object in Darktrace. diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..99cf639f9 --- /dev/null +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,171 @@ +Darktrace - AI Incident Events Connector: + ai_description: >- + ### General Description + + The Darktrace - AI Incident Events Connector is designed to ingest AI-driven incident + events from the Darktrace platform into Google SecOps. It enables security teams + to monitor and respond to high-fidelity AI-detected threats by automatically creating + cases within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | Source field name to retrieve the Product + Field name. | + + | EventClassId | String | Yes | Source field name to retrieve the Event Field + name. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the connector script. + | + + | API Root | String | Yes | API root URL of the Darktrace instance. | + + | API Token | String | Yes | Darktrace API token. | + + | API Private Token | Password | Yes | Darktrace API private token. | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate for the connection. + | + + | Lowest AI Incident Score To Fetch | Integer | Yes | Minimum score threshold + for fetching AI incidents (0-100). | + + | Max Hours Backwards | Integer | No | Hours to look back for the initial fetch + or fallback. | + + | Max AI Incidents To Fetch | Integer | No | Maximum number of incidents to process + per iteration. | + + | Use dynamic list as a blocklist | Boolean | Yes | Whether to use a dynamic list + as a blocklist. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + + ### Flow Description + + 1. The connector authenticates with the Darktrace API using the provided API Token + and Private Token. + + 2. It determines the time range for data retrieval based on the last successful + run timestamp or the configured `Max Hours Backwards`. + + 3. It queries the Darktrace `/aianalyst/incidentevents` endpoint for AI incidents, + applying the `Lowest AI Incident Score To Fetch` filter. + + 4. Fetched incidents are filtered against `existing_ids` to prevent duplicates + and checked against the configured whitelist/blacklist. + + 5. Valid incidents are mapped to the Google SecOps `AlertInfo` format, including + environment and severity details. + + 6. The connector creates cases in Google SecOps for each processed incident. + + 7. Finally, it updates the last success timestamp to ensure subsequent runs only + fetch new data. +Darktrace - Model Breaches Connector: + ai_description: >- + ### General Description + + The Darktrace Model Breaches Connector is designed to fetch model breach alerts + and their associated connection events from the Darktrace platform. By integrating + this connector, users can automatically ingest security incidents into Google + SecOps, allowing for centralized monitoring and automated response to anomalous + network behavior. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Darktrace API. | + + | API Token | String | Yes | The API token for authentication. | + + | API Private Token | Password | Yes | The private API token for signature generation. + | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the Darktrace + server. | + + | Lowest Model Breach Score To Fetch | Integer | No | The minimum score (0-100) + for breaches to be fetched. | + + | Lowest Priority To Fetch | Integer | No | The minimum priority (1-5) for breaches + to be fetched. | + + | Max Hours Backwards | Integer | No | The lookback period in hours for the initial + fetch. | + + | Max Model Breaches To Fetch | Integer | No | The maximum number of breaches + to process per iteration. | + + | Behaviour Visibility | String | No | Filter breaches by behavior category (Critical, + Suspicious, Compliance, Informational). | + + | Use whitelist as a blacklist | Boolean | Yes | If enabled, the whitelist acts + as a blacklist. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the connector script. + | + + | DeviceProductField | String | Yes | Field name to retrieve the product name. + | + + | EventClassId | String | Yes | Field name to retrieve the event type. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + | Padding Time | Integer | No | Padding time in hours for the last success timestamp. + | + + + ### Flow Description + + 1. The connector initializes the connection to the Darktrace API using the provided + credentials and configuration. + + 2. It calculates the `last_success_timestamp` based on the configured `Max Hours + Backwards` and `Padding Time` to determine the starting point for fetching new + alerts. + + 3. It queries the Darktrace API for model breaches, applying filters for score, + priority, and existing alert IDs to avoid duplicates. + + 4. For each fetched breach, the connector retrieves detailed event information. + + 5. It applies additional filtering based on the `Behaviour Visibility` and whitelist/blacklist + settings. + + 6. The breach data is mapped into the SOAR alert format, including environment + and device information. + + 7. Finally, the connector saves the state (processed IDs and timestamps) and returns + the ingested alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f3a52a507 --- /dev/null +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: true + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Darktrace integration provides comprehensive visibility into network and endpoint + activity. The connectors ingest AI-driven incident events and model breaches, + which aligns with SIEM capabilities for centralized monitoring and alert ingestion. + The integration supports EDR and Network Security categories by providing actions + to list endpoint events, retrieve connection data, and search for unusual network + behavior, which are critical for investigating host-based and network-based threats. + Additionally, the integration supports Asset Inventory by allowing analysts to + enrich entity profiles with device details and identify similar devices. It also + provides Threat Intelligence capabilities by enriching entities with contextual + data to confirm alert validity. It does not provide specific actions for Email + Security, IAM, ITSM, Vulnerability Management, or Collaboration. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml index b52a171db..60bbe4434 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml @@ -1,94 +1,57 @@ -Get Domain Profile: +Get Domain Rdap: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches RDAP data from DomainTools, which provides registration and + ownership context for domains. This matches the 'Enrich IOC' category. It does + not modify external systems or perform containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Enriches Domain, Hostname, and URL entities using DomainTools threat intelligence. - This action retrieves the "Domain Profile" for a given domain, providing comprehensive - details such as registration information, hosting history summaries, and risk - indicators. It is designed to provide security analysts with immediate context - regarding the reputation and ownership of external domains. - - - ### Parameters Description + Enriches domain, hostname, or URL entities with RDAP (Registration Data Access + Protocol) information from DomainTools. This action retrieves threat intelligence + and registration details for the specified domain, hostname, or URL, and updates + the entity's properties with the retrieved data. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow - | None | N/A | N/A | This action does not require any input parameters beyond - the integration configuration. | + 1. Extracts configuration parameters (Username, API Token, Verify SSL) from the + integration settings. + 2. Identifies target entities from the case (DOMAIN, HOSTNAME, URL) or uses the + provided `Domain` parameter if specified. - ### Additional Notes + 3. Queries the DomainTools API for parsed RDAP data for each target entity. - * **License Requirement**: The action requires the "domain-profile" product - to be active on the DomainTools account license. + 4. Updates the entity's `additional_properties` with the retrieved RDAP data. - * **Domain Extraction**: It automatically extracts the root domain from URLs - and email addresses (e.g., extracting "example.com" from "www.example.com" or - "user@example.com"). - - * **Data Prefixing**: Enrichment data is added to the entity's additional properties - with a "DT" prefix to avoid naming collisions. - - - ### Flow Description - - 1. **Domain Extraction**: The action parses the entity identifier to extract the - root domain name. - - 2. **API Interaction**: It queries the DomainTools `domain_profile` endpoint using - the extracted domain. - - 3. **Data Transformation**: The JSON response is flattened and converted into - a CSV format for UI presentation. - - 4. **Internal Enrichment**: - * Updates the entity's `additional_properties` with the flattened profile - data. - * Marks the entity as `is_enriched`. - * Attaches a CSV data table containing the profile details to the entity - in the Google SecOps SOAR interface. - 5. **Finalization**: The action updates all processed entities in the case and - returns the raw JSON results for downstream playbook logic. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with DomainTools profile data, sets the - enriched status, and adds a CSV data table to the entity. - categories: - enrichment: true - entity_usage: - entity_types: - - DOMAIN - - HOSTNAME - - DestinationURL - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Domain Risk: - ai_description: >- - Enriches Domain, Hostname, and URL entities with risk scores and detailed risk - profiles using DomainTools data. The action retrieves threat intelligence from - DomainTools' risk and reputation endpoints to evaluate the potential threat level - of a domain. + 5. Generates a summary table and JSON results for the case to provide visibility + into the enrichment results. ### Parameters @@ -97,30 +60,15 @@ Get Domain Risk: | :--- | :--- | :--- | :--- | - | Threshold | String | Yes | A numeric value (e.g., 3) used as a cutoff. If the - domain's risk score exceeds this value, the entity is marked as suspicious in - Google SecOps. | - - - ### Flow Description - - 1. **Domain Extraction:** Parses the entity identifier (URL, Hostname, or Domain) - to extract the base domain name. - - 2. **Data Retrieval:** Queries the DomainTools API (Risk and Reputation products) - to fetch the domain's risk score and component data. + | Domain | string | false | The domain to get the parsed domain RDAP result. If + not provided, the action runs on all supported entities in the case. | - 3. **Risk Evaluation:** Compares the retrieved risk score against the user-provided - `Threshold` parameter. - 4. **Entity Enrichment:** Updates the entity's additional properties with the - risk score (`DT_Risk`). - - 5. **Suspicious Marking:** If the risk score is higher than the threshold, the - entity's `is_suspicious` attribute is set to `True`. + ### Additional Notes - 6. **Result Reporting:** Returns a JSON result containing the detailed risk profile - and updates the case with the enrichment data. + If the `Domain` parameter is provided, the action will run only for that specific + domain. If it is not provided, the action will iterate over all supported entities + (DOMAIN, HOSTNAME, URL) present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -131,15 +79,23 @@ Get Domain Risk: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes by adding the 'DT_Risk' property and modifies the - 'is_suspicious' status of the entity if the risk score exceeds the defined threshold. + The action updates entity properties and adds data tables/JSON results to the + case. + reasoning: >- + The action fetches RDAP data from DomainTools (fetches_data=true). It updates + entity properties (can_update_entities=true) and adds data tables/JSON results + to the case (can_mutate_internal_data=true). It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (DomainTools) and updates internal + entities without modifying external systems, which qualifies it as an enrichment + action. entity_usage: entity_types: + - DOMAIN - HOSTNAME - DestinationURL - - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -153,46 +109,64 @@ Get Domain Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Hosting History: - ai_description: >- - ### General Description - - This action retrieves the hosting history for a domain using the DomainTools API. - It provides security analysts with historical context regarding where a domain - has been hosted over time, which is useful for identifying infrastructure changes - or malicious patterns. The action enriches Hostname and URL entities with this - data and presents it in a structured CSV table within the Google SecOps UI. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | - - - ### Flow Description - - 1. **Entity Filtering**: The action identifies all Hostname and URL entities within - the current context. - - 2. **Domain Extraction**: For each entity, it extracts the base domain name from - the identifier (e.g., stripping protocols or email prefixes). - - 3. **API Query**: It calls the DomainTools 'hosting-history' endpoint to retrieve - historical records for the extracted domain. - - 4. **Data Enrichment**: The retrieved data is flattened and added to the entity's - 'additional_properties' with a 'DT' prefix. - - 5. **UI Enhancement**: A CSV-formatted table containing the hosting history is - attached to the entity via the 'add_entity_table' method for visibility in the - case wall. + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + `SUPPORTED_ENTITY_TYPES` (DOMAIN, HOSTNAME, URL). It also supports an optional + `Domain` parameter to run on a specific domain. +Get WhoIs History: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves Whois history, which provides threat intelligence and context + for domains. This aligns with the 'Enrich IOC' category. It does not perform + any other actions like ticketing, blocking, or identity management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches domain-related entities\ + \ (URL, Hostname, Domain) with Whois history data retrieved from DomainTools.\ + \ It provides historical registration information, which is valuable for threat\ + \ hunting and investigating the provenance of suspicious domains.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Domain | string | No | The specific domain to retrieve Whois history for. If\ + \ not provided, the action processes all target entities of type URL, Hostname,\ + \ or Domain. |\n\n### Flow Description\n1. **Configuration Extraction**: Retrieves\ + \ integration settings (Username, ApiToken, Verify SSL) from the environment.\n\ + 2. **Entity Identification**: Identifies target entities from the case or the\ + \ optional 'Domain' parameter.\n3. **Data Retrieval**: For each valid entity,\ + \ the action queries the DomainTools API for Whois history.\n4. **Data Processing**:\ + \ \n - Flattens the retrieved Whois history data.\n - Updates the entity's\ + \ `additional_properties` with the enriched data (prefixed with 'DT').\n -\ + \ Generates a CSV table of the history for the entity.\n5. **Result Reporting**:\ + \ \n - Updates the entities in the SOAR platform.\n - Adds a summary data\ + \ table to the action results.\n - Returns a JSON result containing the enriched\ + \ data for each processed entity." capabilities: can_create_case_comments: false - can_create_insight: false + can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true @@ -200,13 +174,21 @@ Get Hosting History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates the 'additional_properties' of the processed entities with - the retrieved hosting history data and attaches a CSV-formatted table to the - entity in the Google SecOps UI. + Updates entity additional properties and adds data tables to the case results. + reasoning: >- + The action fetches Whois history data from an external API (DomainTools). It + does not perform any external mutations (e.g., blocking). It performs internal + mutations by updating entity properties and adding data tables to the SOAR case. categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (Whois history) for entities. + It does not mutate external systems and only performs allowed internal mutations + (updating entities and adding insights/tables). Therefore, it qualifies as an + enrichment action. entity_usage: entity_types: + - DOMAIN - HOSTNAME - DestinationURL filters_by_additional_properties: false @@ -222,79 +204,71 @@ Get Hosting History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Ping: + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on whether their type is in the supported list (URL, Hostname, Domain). +Investigate Domain: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (risk scores, threats, evidence) for + domains, which aligns with 'Enrich IOC'. It does not perform asset enrichment + (e.g., user/host metadata), nor does it perform any containment or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the DomainTools API. Its primary purpose is to ensure that the - integration's configuration parameters, such as the Username and API Token, are - correct and that the network path to the DomainTools service is open. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action is typically executed during the initial setup of the DomainTools - integration or when troubleshooting communication issues. It performs a 'Read-Only' - operation by requesting account information from the API. + Enriches domain, hostname, and URL entities using DomainTools Iris Investigate. + This action retrieves comprehensive threat intelligence, including risk scores, + threat profiles, and hosting information, to assist in the investigation of suspicious + domains. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the Username, API Token, - and SSL verification settings from the DomainTools integration configuration. + 1. **Configuration Extraction**: Retrieves the DomainTools API credentials (Username, + API Token) and SSL verification settings. - 2. **Manager Initialization**: It instantiates the `DomainToolsManager` using - the provided credentials. + 2. **Entity Identification**: Identifies target entities (Domain, Hostname, URL) + from the case or uses the provided 'Domain' parameter if specified. - 3. **Connectivity Verification**: Upon initialization, the manager automatically - executes an API call to the DomainTools `account_information` endpoint to validate - the credentials and retrieve the list of licensed products. + 3. **Data Retrieval**: Queries the DomainTools Iris Investigate API for threat + intelligence data, processing entities in chunks of up to 100. - 4. **Final Status**: If the API call succeeds, the action returns a success message - ('Connection Established'). If the initialization or API call fails, it indicates - a connection failure. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Recent Domains: - ai_description: >- - ### General Description + 4. **Data Parsing**: Parses the API response into a structured model containing + analytics, identity, registration, and hosting details. + + 5. **Entity Enrichment**: Updates the entity's `additional_properties` with the + retrieved data and marks the entity as enriched. - This action searches for newly registered domains that contain a specific keyword - using the DomainTools Phisheye service. It is designed to help security teams - identify potential phishing or brand-impersonation domains shortly after they - are registered. **Note:** This action is deprecated as the Phisheye product has - been deprecated by DomainTools. + 6. **Result Reporting**: Adds a CSV table of the investigation results to the + entity and a summary table to the action results, then updates the entities in + the SOAR platform. ### Parameters Description @@ -303,112 +277,16 @@ Recent Domains: | :--- | :--- | :--- | :--- | - | String Query | String | Yes | The specific word or string to search for within - newly registered domain names. | - - - ### Additional Notes - - - This action does not operate on entities within a case; it relies solely on - the manual input provided in the `String Query` parameter. - - - Because the underlying Phisheye service is deprecated, this action may not return - results or may fail depending on the current state of the DomainTools API. - - - ### Flow Description - - 1. **Initialization**: The action initializes the DomainTools manager using the - integration's API credentials (Username and API Token). - - 2. **Parameter Extraction**: It retrieves the user-provided `String Query` parameter. - - 3. **API Query**: The action calls the DomainTools Phisheye API endpoint with - the provided query string. - - 4. **Data Transformation**: If results are returned, the action flattens the JSON - response and converts it into a CSV-compatible format. - - 5. **Reporting**: It creates a data table within the Google SecOps case to display - the search results and sets the action's result to success. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the Google SecOps case containing the results - of the domain search. - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Reverse Domain: - ai_description: >- - ### General Description - - Finds IP addresses that point to a specific domain or identifies domains associated - with a given IP address using DomainTools. This action is primarily used for reverse - DNS enrichment, allowing security analysts to understand the infrastructure associated - with a hostname, URL, or domain entity. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies on the global - integration configuration (Username, API Token, and Verify SSL). + | Domain | string | false | The domain to investigate. If not provided, the action + will attempt to enrich all supported entities (Domain, Hostname, URL) found in + the case. | ### Additional Notes - * The action supports `HOSTNAME`, `URL`, and `DOMAIN` entity types. - - * It automatically extracts the domain from URLs or email-like strings before - querying the API. - - * If the input is identified as a valid IPv4 address, it performs a 'Host Domains' - lookup; otherwise, it performs a 'Reverse IP' lookup. - - - ### Flow Description - - 1. **Entity Filtering:** The action identifies all entities in the current scope - that match the supported types (`URL`, `HOSTNAME`, `DOMAIN`). - - 2. **Domain Extraction:** For each entity, it extracts the base domain from the - identifier (e.g., stripping 'www' or URL paths). - - 3. **API Query:** It calls the DomainTools `enrich_domain` method, which dynamically - chooses between `host_domains` (for IPs) or `reverse_ip` (for domains) based on - the input format. - - 4. **Internal Enrichment:** If results are found, the action: - * Flattens the API response and adds it to the entity's `additional_properties` - with a `DT` prefix. - * Generates a CSV-formatted table of the results and attaches it to the - entity in the case wall. - 5. **Platform Update:** Updates the entities within Google SecOps to persist - the new metadata. - - 6. **Final Output:** Returns a JSON object containing the full enrichment data - for all processed entities. + If the 'Domain' parameter is provided, the action will prioritize investigating + that specific domain. Otherwise, it will iterate through all valid entities of + type Domain, Hostname, or URL present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -419,14 +297,24 @@ Reverse Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with DomainTools reverse DNS data and adds - data tables to the entity's context in the case. + Updates entity 'additional_properties' and adds result tables/JSON to the action + output. + reasoning: >- + The action fetches threat intelligence data from the DomainTools API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with enrichment data and adds result tables (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alerts, or add + case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (DomainTools) and updates internal + entities with that data. It does not mutate external systems. It fits the definition + of an enrichment action. entity_usage: entity_types: - - HOSTNAME - DestinationURL + - HOSTNAME - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false @@ -441,128 +329,88 @@ Reverse Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Reverse Email: - ai_description: "### General Description\nThe **Reverse Email** action leverages\ - \ the DomainTools Iris API to identify domain names associated with a specific\ - \ email address found in WhoIs records. This action is designed to help security\ - \ analysts uncover infrastructure linked to a known email address during investigations\ - \ or threat hunting activities.\n\n### Parameters Description\n| Parameter | Description\ - \ | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| N/A | This action does\ - \ not require any input parameters. | N/A | N/A |\n\n### Additional Notes\n- This\ - \ action requires a DomainTools license that includes access to the **Iris** product.\n\ - - Enrichment data added to entities is prefixed with 'DT' to distinguish DomainTools\ - \ data from other sources.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action fetches the DomainTools integration settings, including the Username,\ - \ API Token, and SSL verification preference.\n2. **Entity Filtering**: It identifies\ - \ all `USER` entities (representing email addresses) within the current scope\ - \ of the action.\n3. **External API Query**: For each identified email address,\ - \ the action queries the DomainTools Iris endpoint to find associated domains.\n\ - 4. **Data Processing**: The raw API response is flattened into a key-value structure\ - \ and converted into a CSV-compatible format for display.\n5. **Internal Enrichment**:\ - \ \n - The entity's `additional_data` is updated with the flattened DomainTools\ - \ attributes.\n - A data table containing the results is attached to the entity\ - \ in the Google SecOps SOAR UI.\n6. **Entity Update**: The action updates the\ - \ entities within the case to persist the newly acquired enrichment data.\n7.\ - \ **Completion**: The action concludes by providing a summary message of the enriched\ - \ entities and a boolean success status." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action updates the 'additional_data' attribute of User entities with information - retrieved from DomainTools and adds a data table to the entity's result view. - categories: - enrichment: true - entity_usage: - entity_types: - - USERUNIQNAME - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Reverse IP: + reasoning: >- + The code filters 'siemplify.target_entities' using 'SUPPORTED_ENTITY_TYPES', + which includes URL, HOSTNAME, and DOMAIN. It checks the entity type attribute + to determine if the entity should be processed. +Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action identifies domain names that share a specific IP address using the - DomainTools Iris API. It is designed to enrich IP Address entities by uncovering - their hosting relationships, which is critical for infrastructure mapping and - threat intelligence gathering. - - - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the global - integration configuration settings: - - * **Username**: DomainTools API username. - - * **ApiToken**: DomainTools API key. - - * **Verify SSL**: Boolean flag to enable/disable SSL certificate verification. - - - ### Flow Description - - 1. **Entity Filtering**: The action identifies all `ADDRESS` (IP) entities in - the current scope that are not marked as internal. - - 2. **API Query**: For each valid entity, the action calls the DomainTools Iris - API (`get_domains_by_ip`) to retrieve a list of domains associated with that IP. - - 3. **Data Processing**: If data is returned, the response is flattened and prefixed - with 'DT' to avoid naming collisions. - - 4. **Internal Enrichment**: The action updates the entity's 'additional_properties' - with the flattened API data. - - 5. **UI Visualization**: A data table containing the domain information is attached - to the entity in the Google SecOps case view. - - 6. **Finalization**: The action updates the entities in the system and returns - a summary of the enrichment results. + Tests connectivity to the DomainTools API. This action validates the provided + credentials by attempting to retrieve account information from the DomainTools + service. It returns a success message if the connection is established or a failure + message if the connection fails. ### Parameters Description | Parameter | Type + | Mandatory | Description | | :--- | :--- | :--- | :--- | | Username | String + | Yes | The DomainTools API username. | | ApiToken | String | Yes | The DomainTools + API key. | | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for + API requests. | ### Additional Notes This action is a connectivity test and does + not process any entities. ### Flow Description 1. Initialize the Siemplify action. + 2. Retrieve configuration parameters (Username, ApiToken, Verify SSL). 3. Initialize + the DomainToolsManager, which triggers an API call to fetch account information. + 4. Return a status message indicating whether the connection was successful. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true + can_mutate_internal_data: false + can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data and adds data tables - to the entity in the case view. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by calling the DomainTools API to fetch + account information. It does not modify any external or internal data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: - entity_types: - - ADDRESS + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false - filters_by_is_internal: true + filters_by_is_internal: false filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over or utilize the target_entities attribute. It + is a global connectivity test that does not depend on specific entity types. diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..d530ab6c0 --- /dev/null +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The DomainTools integration is a dedicated threat intelligence provider. Its primary + actions, such as 'Get Domain Rdap', 'Get WhoIs History', and 'Investigate Domain', + are specifically designed to enrich domain, hostname, and URL entities with risk + scores, registration data, and historical context. This aligns perfectly with + the 'Threat Intelligence' category, which focuses on the enrichment of external + indicators to determine reputation and confirm alerts. The integration does not + perform SIEM log analysis, EDR host containment, network security blocking, email + management, IAM operations, cloud security, ITSM ticketing, vulnerability management, + asset inventory, or collaboration tasks. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml index 6383e0c69..a6877f049 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml @@ -1,48 +1,76 @@ Create Abuse Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new record (abuse alert) in an external system. This aligns + with the 'Create Ticket' category, which involves generating a new record in + an external system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - - The **Create Abuse Alert** action allows users to programmatically report a specific - entity (typically a URL) to the DoppelVision abuse box. This is useful for flagging - malicious content or suspicious domains discovered during an investigation so - that Doppel's system can process them. Note that the action will fail if the entity - is invalid or belongs to a protected list (e.g., google.com). + Creates an abuse alert in the DoppelVision system for a specified entity (e.g., + URL). This action automates the reporting process by sending a request to the + DoppelVision API. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Entity** | String | Yes | The specific value (e.g., a URL) to be reported - to the abuse box. | + | Entity | string | Yes | The entity (e.g., URL) for which to create the abuse + alert. | - ### Flow Description + ### Additional Notes + This action requires valid API credentials (API Key, User API Key, and Organization + Code) to be configured in the DoppelVision integration settings. The action will + fail if the provided entity is invalid or protected in the DoppelVision system. - 1. **Parameter Extraction**: Retrieves the API Key, User API Key, and Organization - Code from the integration configuration, and the target entity from the action - parameters. - 2. **API Interaction**: Uses the `DoppelManager` to send a POST request to the - `/alert/abuse` endpoint of the Doppel API. + ### Flow Description - 3. **Result Processing**: If the request is successful, the resulting alert data - is stored as a JSON result in the SOAR. + 1. Extracts the required API credentials (API Key, User API Key, Organization + Code) from the integration configuration. - 4. **Completion**: The action completes with a success message or logs an error - if the creation fails (e.g., due to a protected entity). + 2. Extracts the target `Entity` from the action parameters. + 3. Initializes the `DoppelManager` with the provided credentials. - ### Additional Notes + 4. Sends a POST request to the DoppelVision API (`/alert/abuse`) to create an + abuse alert for the specified entity. + 5. Stores the API response in the action result JSON. - This action does not run on entities automatically; it requires the user to provide - the entity value as a string parameter. + 6. Completes the action with a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -51,11 +79,18 @@ Create Abuse Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new abuse alert in the DoppelVision system. + Creates an abuse alert in the external DoppelVision system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an abuse alert in an external system + (DoppelVision). It does not fetch data for enrichment, nor does it modify internal + SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (creating an alert), not an enrichment action, + as it does not fetch data for context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -71,47 +106,74 @@ Create Abuse Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes a string parameter named 'Entity' from the action configuration. + It does not iterate over or process `siemplify.target_entities`. Create Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new alert record in the external DoppelVision system. This + aligns with the 'Create Ticket' category, which covers generating new records + in external systems. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates a new alert in the DoppelVision system for a specified entity. This action + allows users to trigger the creation of an alert record externally by providing + the entity identifier. - Creates a new alert within the Doppel system for a specified entity. This action - is used to programmatically flag entities (such as URLs) for monitoring or investigation - within the Doppel platform. It interacts with the Doppel API to register the entity - and returns the resulting alert details. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity | String | Yes | The specific entity identifier (e.g., a URL) for which - the alert should be created in the Doppel system. | + | Entity | string | Yes | The entity (e.g., URL, IP) for which to create the alert + in DoppelVision. | ### Flow Description - 1. **Credential Retrieval:** The action extracts the API Key, User API Key, and - Organization Code from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, User API Key, and Organization Code) from the integration configuration. - 2. **Input Extraction:** The action retrieves the 'Entity' string provided by - the user. - - 3. **API Interaction:** The `DoppelManager` sends a POST request to the `/alert` - endpoint of the Doppel API with the entity data. - - 4. **Response Processing:** If the request is successful, the JSON response from - Doppel is attached to the action results. If the request fails or the entity is - invalid/protected, the action reports a failure. + 2. **Parameter Extraction**: The `Entity` parameter is extracted from the action + input. + 3. **Manager Initialization**: The `DoppelManager` is initialized with the provided + credentials. - ### Additional Notes + 4. **Alert Creation**: The action calls the `create_alert` method, which sends + a POST request to the DoppelVision API to create the alert for the specified entity. - This action does not operate on Google SecOps entities directly; it uses a manual - string input. The action will fail if the entity is already protected or deemed - invalid by Doppel's internal logic. + 5. **Result Handling**: The API response is stored in the action result JSON. + If the creation fails, an exception is raised, and the action is marked as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -120,12 +182,18 @@ Create Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new alert record in the Doppel external system via a POST request - to the /alert endpoint. + Creates a new alert in the DoppelVision system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an alert in an external system + (DoppelVision). It does not fetch data for enrichment, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a creation/mutation action, not an enrichment action, as it does + not retrieve data for the purpose of enriching existing entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -141,55 +209,84 @@ Create Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes an 'Entity' parameter as input, but it does not iterate over + or process the 'siemplify.target_entities' list. Therefore, it does not run + on specific entity types. Get Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves alert details from the DoppelVision platform via an API + GET request. This directly matches the 'Get Alert Information' category. It + does not perform any other actions such as updating alerts, creating tickets, + or modifying IOCs. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Alert** action retrieves comprehensive details for a specific alert - from the DoppelVision platform. It allows users to query alert information using - either a specific Alert ID or an associated entity (typically a URL). This action - is primarily used to gather context about existing alerts for further investigation - or automated decision-making within a playbook. + Retrieves alert details from the DoppelVision platform. This action allows users + to fetch specific alert information by providing either an entity identifier or + a unique Alert ID. The action interacts with the DoppelVision API to retrieve + the alert data and stores the resulting JSON in the action's output for further + analysis. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Entity** | String | No | The entity (e.g., a URL) for which to fetch the alert - details. | + | Entity | string | No | The entity identifier to search for. Either this or 'Alert_ID' + must be provided. | - | **Alert_ID** | String | No | The unique identifier of the alert on the Doppel - Tenant. | + | Alert_ID | string | No | The unique ID of the alert to fetch. Either this or + 'Entity' must be provided. | ### Additional Notes - - **Mutual Exclusivity:** Either the `Entity` or the `Alert_ID` parameter must - be provided for the action to run. However, providing both simultaneously will - cause the action to fail. - - - This action is a read-only operation and does not change the state of the alert - in DoppelVision. + Either the 'Entity' or 'Alert_ID' parameter must be configured for the action + to run. If both or neither are provided, the action will fail. ### Flow Description - 1. **Initialization:** The action extracts the integration configuration (API - Key, User API Key, and Organization Code) and the action parameters (`Entity` - and `Alert_ID`). + 1. Extract configuration parameters (API Key, User API Key, Organization Code) + and action parameters (Entity, Alert_ID). - 2. **Validation:** It verifies that exactly one of the two parameters (`Entity` - or `Alert_ID`) is populated. + 2. Validate that exactly one of 'Entity' or 'Alert_ID' is provided. - 3. **Data Retrieval:** The `DoppelManager` performs a GET request to the Doppel - API's `/alert` endpoint using the provided identifier as a query parameter. + 3. Call the DoppelVision API to fetch the alert details using the provided identifier. - 4. **Output:** If the alert is successfully retrieved, the raw JSON data is added - to the action's results. If the alert is not found or the API returns an error, - the action fails with a descriptive message. + 4. If the alert is found, store the JSON response in the action result. + + 5. If the alert is not found or an error occurs, the action fails and logs the + error. capabilities: can_create_case_comments: false can_create_insight: false @@ -200,8 +297,17 @@ Get Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve alert information from an external + API (DoppelVision). It does not perform any write operations on external systems + (no mutation) and does not modify any internal Google SecOps case data (no entity + updates, insights, or comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not perform any + of the allowed internal mutations (updating entities, creating insights, or + adding comments) required to be classified as an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -217,14 +323,51 @@ Get Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process Google SecOps entities (e.g., `siemplify.target_entities`). + It accepts an 'Entity' string as an input parameter for the API query, which + is distinct from the SOAR entity object model. Get Alerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches a list of alerts from the Doppel platform based on user-defined + filters. This aligns with the 'Get Alert Information' category. It does not + perform any other actions like enrichment, containment, or ticket creation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Get Alerts** action retrieves a list of alerts from the Doppel platform - based on various filtering criteria. It is designed to fetch alert data for ingestion, - auditing, or further processing within a playbook. The action supports filtering - by product category, creation timestamps, queue status, and specific search keys. + based on specified filtering criteria. This action allows analysts to query the + Doppel tenant for alerts, supporting various filters such as search keys, product + categories, creation dates, sorting preferences, and queue states. The retrieved + alerts are returned as a JSON object in the action results for further analysis. ### Parameters Description @@ -233,59 +376,49 @@ Get Alerts: | :--- | :--- | :--- | :--- | - | Search Key | String | No | Filters alerts by a specific identifier, currently - supporting search by URL. | + | Search Key | string | No | A search term to filter alerts by URL or other identifiers. + | - | Product | DDL | No | Filters alerts by product category (e.g., domains, social_media, + | Product | ddl | No | The product category to filter by (e.g., domains, social_media, mobile_apps, ecommerce, crypto, emails, paid_adds). | - | Created Before | String | No | Filters for alerts created before a specific - date and time (ISO8601 format, e.g., '2024-01-05T13:45:30'). | - - | Created After | String | No | Filters for alerts created after a specific date - and time (ISO8601 format, e.g., '2024-01-05T13:45:30'). | + | Created Before | string | No | Filter alerts created before this date (format: + 'YYYY-MM-DDTHH:MM:SS'). | - | Sort Type | DDL | No | Specifies the field to sort the reports by. Defaults - to 'date_sourced'. Options: date_sourced, date_last_actioned. | + | Created After | string | No | Filter alerts created after this date (format: + 'YYYY-MM-DDTHH:MM:SS'). | - | Sort Order | DDL | No | Specifies the sorting order. Defaults to 'desc'. Options: - asc, desc. | + | Sort Type | ddl | No | The field to sort the reports by. Defaults to 'date_sourced'. + Options: 'date_sourced', 'date_last_actioned'. | - | Page | String | No | Specifies the page number for paginated results; defaults - to 0. | + | Sort Order | ddl | No | The order to sort the reports by. Defaults to 'desc'. + Options: 'asc', 'desc'. | - | Queue State | DDL | No | Filters alerts by their current queue status (e.g., - doppel_review, actioned, taken_down). | + | Page | string | No | Page number for pagination. Defaults to 0. | - | Tags | String | No | A comma-separated list of tags used to filter the alerts. + | Queue State | ddl | No | Filter alerts by their current queue status (e.g., + doppel_review, actioned, needs_confirmation, taken_down, monitoring, archived). | - - ### Additional Notes - - - If no parameters are provided, the action attempts to fetch all available alerts - for the configured tenant. - - - The 'Tags' parameter is parsed from a comma-separated string into a list for - the API request. + | Tags | string | No | A comma-separated list of tags to filter alerts. | ### Flow Description - 1. **Credential Extraction**: Retrieves the API Key, User API Key, and Organization - Code from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, User API Key, Organization Code) from the DoppelVision integration configuration. - 2. **Parameter Collection**: Extracts user-provided filters including search keys, - product categories, date ranges, and sorting preferences. + 2. **Parameter Parsing**: It extracts the optional action parameters provided + by the user and constructs a `filters` dictionary, removing any empty or null + values. - 3. **Filter Construction**: Builds a filter dictionary, removing any null values - and splitting the 'Tags' string into a list. + 3. **Data Retrieval**: The action instantiates the `DoppelManager` and calls the + `get_alerts` method, passing the constructed filters to the Doppel API. - 4. **API Execution**: Initializes the DoppelManager and calls the `get_alerts` - method, which performs a GET request to the Doppel API. - - 5. **Result Handling**: If alerts are found, they are stored in the action's JSON - result. If no alerts are returned, the action fails with an error message. + 4. **Result Handling**: If alerts are successfully retrieved, the action stores + the JSON response in the action result using `siemplify.result.add_result_json` + and logs the total count. If no alerts are found or an error occurs, the action + fails gracefully with an appropriate error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -296,8 +429,17 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Doppel API to retrieve alert data based + on user-provided filters. It does not modify any external systems (no POST/PUT/DELETE) + and does not modify any internal SOAR data (no entity updates, insights, or + case comments). categories: enrichment: false + reasoning: >- + The action retrieves data from an external system but does not enrich specific + entities or alerts within the case context. It is a data retrieval action, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -313,50 +455,83 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It is a global action + that fetches alerts from the Doppel platform based on provided filters. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + functional outcomes like enriching IOCs, updating tickets, or containing hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the DoppelVision platform. Its primary purpose is to validate - that the provided credentials (API Key, User API Key, and Organization Code) are - correct and that the DoppelVision API endpoint is reachable. + Validates connectivity to the DoppelVision API by performing a test request. This + action ensures that the provided credentials are correct and that the integration + can successfully communicate with the DoppelVision service. ### Parameters Description - There are no action-specific parameters for this task. It relies entirely on the - integration's configuration parameters: + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - * **API Key**: The primary authentication token for the DoppelVision API (Mandatory). + | API Key | String | Yes | The primary API key used for authentication with the + DoppelVision service. | - * **User API Key**: An optional key for user-specific authentication. + | User API Key | String | No | An optional user-specific API key for authentication. + | - * **Organization Code**: An optional code used for multi-tenant or specific organizational - routing. + | Organization Code | String | No | An optional code for multi-tenant environment + configurations. | ### Additional Notes - This action is typically used during the initial setup of the integration or for - troubleshooting communication issues. It does not process any entities or modify - any data within Google SecOps or DoppelVision. + This action is intended for configuration validation and does not perform any + operational tasks on entities or alerts. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the API Key, User API Key, - and Organization Code from the integration settings. + 1. The action extracts the configuration parameters: `API Key`, `User API Key`, + and `Organization Code`. - 2. **Manager Initialization**: It initializes the `DoppelManager` with the extracted - credentials. + 2. It initializes the `DoppelManager` instance using these credentials. - 3. **Connectivity Test**: The action calls the `connection_test` method, which - performs a `GET` request to the `/alerts` endpoint of the DoppelVision API. + 3. It executes the `connection_test` method, which sends a GET request to the + `/alerts` endpoint of the DoppelVision API. - 4. **Result Reporting**: If the API responds with a success status code, the action - ends with a 'Connection successful' message. If the request fails or the credentials - are invalid, it reports a connection failure. + 4. If the request is successful, it returns a "Connection successful" message; + otherwise, it returns a "Connection failed" message. capabilities: can_create_case_comments: false can_create_insight: false @@ -367,8 +542,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update entities, or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a "Ping" action. According to the instructions, "Actions named + Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -384,14 +565,48 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It is a global configuration + validation task. Update Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an alert in an external system (DoppelVision). It does not + update an alert within the SecOps platform, nor does it fit any other category + like ticket creation or IOC management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates the status and state of an alert within the DoppelVision platform. This - action allows analysts to modify the lifecycle stage of an alert (Queue State) - and the operational status of the associated entity (Entity State). It is primarily - used for remediation and alert management workflows. + Updates an alert's status (queue state and entity state) in the DoppelVision platform. + This action allows users to modify the state of an alert by providing either an + Alert ID or an Entity identifier. ### Parameters Description @@ -400,42 +615,32 @@ Update Alert: | :--- | :--- | :--- | :--- | - | **Alert_ID** | string | No | The unique identifier for the specific alert in - the Doppel tenant. Either this or 'Entity' must be provided. | + | Alert_ID | string | No | Unique identity for each specific alert in Doppel tenant. + | - | **Entity** | string | No | The entity (typically a URL) associated with the - alert. Either this or 'Alert_ID' must be provided. | + | Entity | string | No | Entity to be alerted (e.g., URL). | - | **Queue_State** | ddl | Yes | The target queue state for the alert. Options - include: `doppel_review`, `needs_confirmation`, `monitoring`, `taken_down`, `actioned`, - `archived`. | + | Queue_State | ddl | Yes | Queue state value of the Alerts (doppel_review, needs_confirmation, + monitoring, taken_down, actioned, archived). | - | **Entity_State** | ddl | Yes | The target state for the entity. Options include: - `active`, `down`, `parked`. | + | Entity_State | ddl | Yes | Entity state of Alerts (active, down, parked). | ### Additional Notes - * **Validation Logic:** The action requires exactly one identifier. You must provide - either the `Alert_ID` or the `Entity`. Providing both or neither will cause the - action to fail. - - * **Side Effects:** This action performs a `PUT` request to the Doppel API, resulting - in a state change in the external system. + Either `Alert_ID` or `Entity` must be provided for the action to run. If both + are provided, the action will fail. ### Flow Description - 1. **Parameter Extraction:** Retrieves API credentials from the integration configuration - and user-provided parameters from the action input. + 1. Extract parameters (API keys, Alert_ID/Entity, Queue_State, Entity_State). - 2. **Validation:** Checks that exactly one of `Alert_ID` or `Entity` is populated. + 2. Validate that either `Alert_ID` or `Entity` is provided, but not both. - 3. **API Interaction:** Executes a `PUT` request to the DoppelVision `/alert` - endpoint with the specified states and identifier. + 3. Call the DoppelVision API to update the alert using a PUT request. - 4. **Result Processing:** Captures the updated alert object from the response - and attaches it as a JSON result to the action output. + 4. Store the API response in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -444,12 +649,19 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'queue_state' and 'entity_state' of an alert in the DoppelVision - platform via a PUT request. + Updates the alert's queue state and entity state in the DoppelVision platform + via a PUT request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (DoppelVision) to update + an alert's state. It does not fetch data, nor does it modify internal SecOps + data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating an external alert) and does not fetch + data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -465,3 +677,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity` + as a parameter, which is a string input, not a SecOps entity object. diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..31a5d1e68 --- /dev/null +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'doppel_vision' connects the DoppelVision threat intelligence + platform with Google SecOps. Its primary functionality involves retrieving, creating, + and updating threat alerts and abuse reports. This aligns directly with the Threat + Intelligence category, as it provides external threat data and allows for the + management of threat-related records. It does not perform SIEM log analysis, EDR + host-level actions, network security blocking, email inbox management, IAM operations, + cloud resource management, ITSM ticketing, vulnerability scanning, asset inventory + management, or collaboration/notification tasks. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..2d96ef290 --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml @@ -0,0 +1,645 @@ +Execute GNQL Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action executes a GNQL query to search GreyNoise threat intelligence data + and returns the results. This matches the 'Search Events' category as it retrieves + a collection of data matching specific search parameters. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Executes custom GreyNoise Query Language (GNQL) queries to search GreyNoise threat + intelligence data. This action supports automatic pagination to retrieve large + datasets based on the provided query and configuration parameters. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | GNQL Query | string | Yes | The GreyNoise Query Language query string to execute. + | + + | Max Results | string | No | Number of results to return per request (max 5000). + Defaults to 1000. | + + | Quick | boolean | No | If true, the response will only include the IP address + and the classification or trust level. Defaults to false. | + + | Exclude Raw | boolean | No | Whether to exclude raw scan data from the response. + Defaults to true. | + + + ### Flow Description + + 1. Extracts action parameters (GNQL Query, Max Results, Quick, Exclude Raw). + + 2. Initializes the `APIManager` with the configured API key. + + 3. Executes the GNQL query using the `APIManager`, handling pagination automatically + until the `Max Results` limit is reached or no more data is available. + + 4. Collects all retrieved data into a list. + + 5. Returns the collected data as a JSON result in the action output. + + + ### Additional Notes + + None. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the GreyNoise API by executing a GNQL query. It + does not mutate external or internal data, nor does it update entities, create + insights, or modify alert data. + categories: + enrichment: false + reasoning: >- + The action executes a query to search GreyNoise data and returns the results. + It does not perform enrichment on specific entities, nor does it modify any + internal or external data. Therefore, it is not an enrichment action. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It takes a query string as input + and returns search results from the GreyNoise API. +Get CVE Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (CVSS, EPSS, threat activity) for CVE + indicators and updates the entity profile. This directly matches the 'Enrich + IOC' category. It does not perform any other actions such as ticket creation, + alert updates, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches CVE (Common Vulnerabilities\ + \ and Exposures) entities by retrieving threat intelligence from the GreyNoise\ + \ API. It fetches critical vulnerability data, including CVSS scores, EPSS scores,\ + \ and active threat activity, to provide analysts with context regarding the exploitability\ + \ and prevalence of the vulnerability. The action updates the entity's properties\ + \ within the SOAR platform and generates a detailed HTML insight for quick reference.\n\ + \n### Flow Description\n1. **Initialization**: The action initializes the GreyNoise\ + \ API manager using the configured API key.\n2. **Entity Retrieval**: It identifies\ + \ all CVE-type entities associated with the current case.\n3. **Validation**:\ + \ For each CVE entity, the action validates the identifier format (CVE-YYYY-NNNN).\n\ + 4. **Data Fetching**: It queries the GreyNoise API to retrieve detailed vulnerability\ + \ information.\n5. **Enrichment**: \n * Updates the entity's `additional_properties`\ + \ with retrieved data (e.g., `GN_CVSS_Score`, `GN_EPSS_Score`, `GN_Exploit_Found`).\n\ + \ * Marks the entity as enriched.\n6. **Insight Generation**: Creates an HTML-formatted\ + \ insight containing the vulnerability assessment and adds it to the entity.\n\ + 7. **Finalization**: Updates the entities in the SOAR platform and adds the raw\ + \ result data to the action output.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| GN API\ + \ Key | String | Yes | The API key used to authenticate with the GreyNoise service.\ + \ |\n\n### Additional Notes\n* The action requires at least one CVE entity to\ + \ be present in the case to execute successfully.\n* If no data is found for a\ + \ specific CVE in the GreyNoise dataset, the entity will not be enriched, and\ + \ the action will log the event." + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity properties and adds insights to the entity within the SOAR platform. + reasoning: >- + The action fetches data from the GreyNoise API (fetches_data=true). It does + not perform any external mutations (can_mutate_external_data=false). It performs + internal mutations by updating entity properties and adding insights to the + SOAR platform (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). + categories: + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence for CVE entities and update + their internal representation (properties and insights). It does not mutate + external systems or perform unauthorized internal modifications. Therefore, + it qualifies as an enrichment action. + entity_usage: + entity_types: + - CVE + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` for entities of type + `EntityTypes.CVE`. It does not filter by other attributes like creation time + or modification time. +IP Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, classification, and threat intelligence for + IP addresses from GreyNoise. This directly matches the 'Enrich IOC' category. + It does not perform any containment, ticketing, or alert modification actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action performs comprehensive IP\ + \ enrichment using the GreyNoise API. It retrieves threat intelligence, including\ + \ classification, actor information, tags, CVEs, and business service intelligence\ + \ for IP Address entities. The action supports both Community and Enterprise API\ + \ tiers, automatically adjusting the lookup method (individual vs. batch) based\ + \ on the API key provided.\n\n### Parameters\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| GN API Key | String | Yes |\ + \ The API key used to authenticate with the GreyNoise service. |\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the `APIManager` using the provided\ + \ API key and determines the API tier (Community or Enterprise).\n2. **Entity\ + \ Identification**: It retrieves all IP Address entities from the current case.\n\ + 3. **Data Retrieval**: \n - If using the **Community tier**, it processes IPs\ + \ individually.\n - If using the **Enterprise tier**, it performs a batch lookup\ + \ for efficiency.\n4. **Enrichment**: For each IP found in the GreyNoise dataset,\ + \ the action:\n - Updates the entity's `additional_properties` with retrieved\ + \ intelligence (e.g., classification, actor, tags).\n - Sets the `is_enriched`\ + \ flag to true.\n - Updates the `is_suspicious` status based on the classification\ + \ (e.g., 'malicious' or 'suspicious').\n - Generates an HTML insight containing\ + \ the detailed intelligence and adds it to the entity.\n5. **Result Reporting**:\ + \ The action updates the entities in the case and attaches the full JSON response\ + \ to the action results." + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and adds entity insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from the GreyNoise API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It updates internal entity data (is_enriched, is_suspicious, additional_properties) + and creates entity insights (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). + categories: + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence) for + IP entities. It does not mutate external systems and only performs allowed internal + mutations (updating entities and creating insights). Therefore, it qualifies + as an enrichment action. + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action explicitly filters target entities using `get_ip_entities`, which + selects only entities of type `ADDRESS` (EntityTypes.ADDRESS). +IP Timeline Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (timeline data) for an IP address, + which matches the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves the activity timeline for IP addresses from the GreyNoise + platform. It provides visibility into how an IP address's classification or other + fields have changed over a specified period, helping analysts understand the historical + behavior of an indicator. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the `Days`, `Field`, and `Granularity` + parameters from the configuration. + + 2. **Validation**: It validates that the `Days` parameter is a positive integer. + + 3. **Entity Retrieval**: It identifies all `ADDRESS` type entities within the + current case. + + 4. **API Interaction**: For each IP entity, it queries the GreyNoise API to fetch + the activity timeline based on the provided parameters. + + 5. **Enrichment**: It updates the entity's `additional_properties` with the retrieved + timeline data (e.g., first seen, timeline field). + + 6. **Insight Generation**: It generates an HTML insight containing the timeline + data and attaches it to the entity. + + 7. **Entity Update**: It updates the entities in the case with the new enrichment + data and marks them as enriched. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Field | ddl | No | The field over which to show the activity breakdown (e.g., + classification, destination_port). Default is 'classification'. | + + | Granularity | string | No | The granularity of activity date ranges. Can be + in hours (e.g., 'Xh') or days (e.g., 'Xd'). Default is '1d'. | + + | Days | string | No | The number of days to show data for. Default is '30'. | + + + ### Additional Notes + + This action is strictly for enrichment purposes and does not perform any blocking + or external system modifications. + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity properties and adds insights to the entity within the SOAR platform. + reasoning: >- + The action fetches timeline data from the GreyNoise API for IP entities. It + updates the entities with this enrichment data and creates an HTML insight on + the entity. It does not mutate external systems. + categories: + enrichment: true + reasoning: >- + The action fetches data from an external source (GreyNoise) and updates internal + entities/insights without modifying external systems. This fits the definition + of an enrichment action. + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The code uses `get_ip_entities` which filters `siemplify.target_entities` for + `EntityTypes.ADDRESS`. +Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, containment, or alert + modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe Ping action is a diagnostic tool designed\ + \ to verify connectivity between the Google SecOps SOAR platform and the GreyNoise\ + \ API. It validates that the provided API key is authenticated and that the integration\ + \ can successfully communicate with the GreyNoise server. This action is typically\ + \ used to troubleshoot integration issues or confirm that the environment is correctly\ + \ configured before running more complex operations.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | GN API Key | String | Yes | The API key used to authenticate requests to the\ + \ GreyNoise service. |\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the `SiemplifyAction` and retrieves the `GN API Key` from the integration\ + \ configuration.\n2. **Connectivity Test**: It instantiates the `APIManager` and\ + \ invokes the `test_connectivity` method, which performs a request to the GreyNoise\ + \ API to validate the credentials.\n3. **Error Handling**: \n * If a `RateLimitError`\ + \ occurs, the action logs the error and returns a failure status.\n * If a\ + \ `RequestFailure` occurs, the action logs the failure and returns a failure status.\n\ + \ * Any other exceptions are caught, logged, and result in a failure status.\n\ + 4. **Completion**: The action logs the final status and terminates with a success\ + \ or failure message, providing immediate feedback on the connectivity state." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) against the GreyNoise API. It + does not fetch contextual data about entities, nor does it mutate any external + or internal systems. It is a diagnostic action used solely for verifying API + connectivity. + categories: + enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, actions named + 'Ping' must not be categorized as enrichment actions. Furthermore, it does not + fetch data or modify state, failing the criteria for enrichment. + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test that does not require entity context. +Quick IP Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, classification, and threat intelligence for + IP addresses from GreyNoise and updates the entity in the SOAR platform. This + aligns perfectly with the 'Enrich IOC' category. It does not perform any other + actions such as ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action performs a lightweight IP classification lookup using the GreyNoise + API. It retrieves trust levels, internet scanner status, and business service + status for provided IP addresses. The action enriches the IP entities within the + SOAR platform by updating their properties, setting their suspicious status, and + generating visual insights for analysts. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | GN API Key | String | Yes | The API key used to authenticate with the GreyNoise + service. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the GreyNoise API manager using + the provided API key. + + 2. **Entity Retrieval**: It identifies and filters all `ADDRESS` type entities + from the current case. + + 3. **Data Lookup**: It sends the list of IP addresses to the GreyNoise API to + perform a quick lookup. + + 4. **Processing**: For each IP address found in the GreyNoise dataset: + * It updates the entity's `additional_properties` with enrichment data (e.g., + classification, trust level). + * It sets the entity's `is_enriched` flag to `True`. + * It evaluates the classification to determine if the entity should be marked + as `is_suspicious`. + * It generates an HTML insight summarizing the IP intelligence and adds it + to the entity. + 5. **Update**: The action updates the enriched entities within the SOAR platform + and returns the results as a JSON object. + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity properties and adds insights to entities within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the GreyNoise API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties and adding insights + to entities within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). + categories: + enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (GreyNoise) to provide context on IP entities. It does not mutate external + systems. It performs allowed internal mutations (updating entities and creating + insights). + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: >- + The action uses the `get_ip_entities` utility, which filters `siemplify.target_entities` + to include only those with `entity_type == EntityTypes.ADDRESS`. diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..fdb39173a --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,56 @@ +Generate Alert from GreyNoise GNQL: + ai_description: >- + ### General Description + + This connector integrates with GreyNoise to automatically fetch threat intelligence + data based on GNQL (GreyNoise Query Language) queries. It identifies malicious, + suspicious, benign, or unknown IP addresses and generates corresponding security + alerts within Google SecOps SOAR, enabling proactive threat monitoring and automated + incident response. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | GN API Key | Password | Yes | The API key used to authenticate with the GreyNoise + service. | + + | Max Results | Integer | No | The maximum number of results to fetch in a single + execution. | + + | Query | String | Yes | The GNQL query string used to filter the data to be fetched. + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the generated alert. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script. | + + + ### Flow Description + + 1. The connector initializes and retrieves configuration parameters, including + the API key and the GNQL query. + + 2. It reads existing event IDs from the system to perform deduplication and prevent + redundant alert creation. + + 3. It connects to the GreyNoise API and executes the specified GNQL query to retrieve + relevant IP intelligence data. + + 4. For each retrieved event, the connector maps the data to a standard SOAR AlertInfo + object, including severity, timestamps, and environment details. + + 5. It filters out duplicate events and checks for system overflow limits. + + 6. Valid alerts are ingested into Google SecOps SOAR as new cases. + + 7. Finally, the connector updates the stored event IDs to ensure future runs only + process new data. diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..74081366b --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml @@ -0,0 +1,25 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration is primarily focused on providing threat intelligence and vulnerability + context. The 'Threat Intelligence' category is applicable because the integration + provides extensive enrichment for IP addresses (reputation, classification, actor + information, and historical timelines) via actions like 'IP Lookup' and 'Quick + IP Lookup'. The 'Vulnerability Management' category is applicable because the + 'Get CVE Details' action retrieves critical vulnerability data, including CVSS + and EPSS scores, which helps analysts assess the exploitability of vulnerabilities. + The integration does not fit the 'SIEM' category because, while it generates alerts + via a connector, it does so based on external threat intelligence data rather + than querying internal logs or assets. It does not perform EDR, Network Security + (blocking), Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration + functions. + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml index 73a09ce81..2c862bf76 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml @@ -1,36 +1,77 @@ Get-Collection-Info-Async: - ai_description: "### General Description\nThis action retrieves threat intelligence\ - \ data from specific Group-IB TI collections. It is designed for periodic data\ - \ extraction (e.g., daily updates) by tracking sequence numbers to ensure only\ - \ new data is ingested. It operates independently of case entities, acting as\ - \ a data retrieval utility for the Group-IB TI portal.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Collection | DDL | Yes | The specific Group-IB TI collection to download data\ - \ from (e.g., `apt/threat`, `malware/cnc`, `ioc/common`). |\n| Portion limit |\ - \ DDL | Yes | Controls the number of data portions (batches) received from the\ - \ TI Portal API in a single run. |\n| Enable mapping parser | Boolean | No | If\ - \ set to `true`, the action parses the JSON output using predefined Group-IB mapping\ - \ keys. If `false`, it returns raw data. |\n| Start date | String | No | The start\ - \ date (YYYY-MM-DD) for data download if no previous sequence timestamp is found\ - \ in the system. Defaults to 1 day ago if left empty. |\n\n### Additional Notes\n\ - - This action is asynchronous and ignores any entities present in the case; it\ - \ uses the execution trigger to start the collection download.\n- It utilizes\ - \ sequence tracking (via `fetch_timestamp`) to maintain state between runs, allowing\ - \ for incremental updates.\n\n### Flow Description\n1. **Initialization**: The\ - \ action initializes the Group-IB TI connector and retrieves user-defined parameters\ - \ including the collection name, portion limits, and parsing preferences.\n2.\ - \ **Sequence Tracking**: It attempts to fetch a stored timestamp (sequence update\ - \ number) from the environment. If found, it resumes data collection from that\ - \ specific sequence. \n3. **Fallback Logic**: If no sequence number is stored,\ - \ it calculates a starting point based on the provided 'Start date' or defaults\ - \ to 24 hours prior to the current time.\n4. **Data Retrieval**: It establishes\ - \ a connection to the Group-IB TI API and creates a generator to fetch data portions\ - \ for the selected collection, respecting the 'Portion limit'.\n5. **Processing\ - \ & Parsing**: For each retrieved portion, the action either applies a mapping\ - \ parser to structure the data into a standardized format or extracts the raw\ - \ items based on the 'Enable mapping parser' configuration.\n6. **Aggregation**:\ - \ The action aggregates all retrieved portions into a single result set, adds\ - \ it to the action's JSON output, and completes the execution." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence collections from an external API. It + does not match any of the provided categories (e.g., it does not enrich specific + IOCs, update alerts, or perform containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Extracts threat intelligence data from the Group-IB TI database. This action retrieves + specific collections of threat data (e.g., APT threats, malware, phishing kits) + based on a sequence update number or a provided start date. It does not operate + on specific entities. + + + ### Flow Description + + 1. Initialize the Group-IB connector and poller. + + 2. Determine the starting sequence update number, either by fetching the last + timestamp from storage or using the provided 'Start date'. + + 3. Create a data generator to fetch portions of the requested collection from + the Group-IB TI API. + + 4. Iterate through the data portions, optionally applying a mapping parser if + enabled. + + 5. Aggregate the parsed or raw data into a JSON result and add it to the action + output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Enable mapping parser | boolean | No | If enabled, parses the raw data using + predefined mapping keys. Defaults to false. | + + | Collection | ddl | Yes | The specific Group-IB TI collection to download (e.g., + apt/threat, malware/malware). | + + | Start date | string | No | The date to start downloading collection data from + (format: YYYY-MM-DD). | + + | Portion limit | ddl | Yes | Controls the number of data portions returned from + the API. Defaults to 100. | capabilities: can_create_case_comments: false can_create_insight: false @@ -41,8 +82,17 @@ Get-Collection-Info-Async: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches threat intelligence data from the Group-IB TI API (fetches_data=true). + It does not perform any write operations to external systems (can_mutate_external_data=false). + It does not modify internal SOAR data, update entities, create insights, or + add case comments (all mutation flags=false). categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform enrichment on specific entities + or alerts. It is a data retrieval action for threat intelligence feeds, not + an enrichment action as defined by the criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -58,50 +108,71 @@ Get-Collection-Info-Async: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action explicitly ignores any entities provided in the context, as stated + in the description and confirmed by the code which does not iterate over target_entities. Get-Graph-Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (graph information) for indicators + (IPs and Domains). This directly aligns with the 'Enrich IOC' category. It does + not perform any other operations such as ticketing, blocking, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get-Graph-Info** action retrieves relational intelligence and infrastructure - data (often associated with WHOIS information) from the Group-IB Threat Intelligence - (TI) platform. It is specifically designed to provide context for network-based - entities by querying Group-IB's graph utility endpoints. - - - ### Parameters - - This action does not have any user-configurable parameters. It automatically processes - supported entities found in the current alert or case context. + Retrieves WHOIS and graph information for IP addresses and domains using the Group-IB + Threat Intelligence service. This action provides contextual intelligence to help + analysts understand the relationships and background of specific indicators. ### Flow Description - 1. **Initialization**: The action initializes the Group-IB TI poller using the - integration's global configuration (API Login, API Key, and API URL). + 1. **Initialization**: The action initializes the Group-IB connector to establish + a connection with the Threat Intelligence API. - 2. **Entity Gathering**: It retrieves the list of target entities from the current - Google SecOps context. + 2. **Entity Gathering**: It retrieves all target entities from the current case. - 3. **Type Validation**: The action uses an internal validator to identify the - type of each entity. It explicitly filters the list to only include entities identified - as **IP Addresses** or **Domains**. + 3. **Validation**: Each entity is validated to ensure it is either an IP address + or a domain. Unsupported entity types are skipped. - 4. **API Interaction**: For each valid entity, it sends a GET request to the Group-IB - TI `utils/graph` endpoint (e.g., `utils/graph/ip` or `utils/graph/domain`). + 4. **Data Retrieval**: For each valid entity, the action queries the Group-IB + API (`utils/graph/{type}`) to fetch relevant graph information. - 5. **Rate Limiting**: The script pauses for 1 second between entity requests to - respect external API rate limits. + 5. **Result Aggregation**: The retrieved data is aggregated into a JSON object. - 6. **Data Output**: The raw JSON responses from the API are aggregated and added - to the action's result JSON, making the data available for subsequent playbook - logic. + 6. **Output**: The final JSON result is attached to the action, making it available + for the playbook and the analyst. - ### Additional Notes + ### Parameters - - This action is a data-retrieval task. It does not automatically update entity - fields, add insights, or create case comments. The output is provided as a raw - JSON result for use in playbooks. + There are no specific input parameters for this action; it relies on the integration's + configured API credentials and the entities present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -112,8 +183,18 @@ Get-Graph-Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Group-IB) to retrieve + threat intelligence data. It does not perform any POST/PUT/DELETE operations + on external systems, nor does it modify internal case data (such as updating + entities, creating insights, or adding case comments). It only attaches the + retrieved data to the action result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (graph info) for entities. + It does not mutate external systems, nor does it perform any restricted internal + mutations. It meets all criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -131,32 +212,89 @@ Get-Graph-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `EntityValidator` + to ensure only 'ip' and 'domain' types are processed. These map to 'ADDRESS' + and 'DOMAIN' entity types in the SecOps platform. Get-TI-Search-Info: - ai_description: "### General Description\nThe **Get-TI-Search-Info** action allows\ - \ users to search for specific entities\u2014including Domains, IP Addresses,\ - \ File Hashes, Bank Cards, and Emails\u2014within the Group-IB Threat Intelligence\ - \ (TI) database. This action is designed to provide deep contextual enrichment\ - \ by identifying which threat collections (e.g., APT reports, malware configs,\ - \ compromised accounts) contain information about the target entities and retrieving\ - \ the detailed records associated with them.\n\n### Parameters Description\n|\ - \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Enable mapping parser | Boolean | No | If set to `true`, the action will use\ - \ predefined mapping keys to structure the JSON output into a more readable format.\ - \ If `false` (default), the action returns the raw data as provided by the Group-IB\ - \ API. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ - \ the Group-IB TI connector and poller using the integration's configuration (API\ - \ Key, Login, and URL).\n2. **Entity Identification**: It iterates through the\ - \ target entities in the current context and uses an internal validator to determine\ - \ their type (e.g., IP, Domain, Hash, Email, or Credit Card).\n3. **Global Search**:\ - \ For each valid entity, the action performs a global search across the Group-IB\ - \ TI database to identify all relevant data collections (API paths) that contain\ - \ matches.\n4. **Data Retrieval**: For every identified collection, the action\ - \ executes a specific query to fetch detailed records, limited to a maximum of\ - \ 3,000 items per collection.\n5. **Data Processing**: The retrieved records are\ - \ either parsed using a mapping configuration (if enabled) or kept in their raw\ - \ format.\n6. **Result Aggregation**: All findings are aggregated into a single\ - \ JSON object and attached to the action's execution results for use in subsequent\ - \ playbook steps." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action queries the Group-IB TI database for indicators (IPs, Hashes, Domains, + etc.) and returns the findings. This is a classic Enrichment IOC action. It + does not perform any other operations like ticket creation, alert updates, or + containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Searches the Group-IB Threat Intelligence database for information related to + entities found in the case. This action identifies the type of each entity (e.g., + IP, Domain, Hash, Email, Credit Card) and queries the Group-IB TI platform to + retrieve relevant threat intelligence, such as associated threat actors, malware, + or malicious activity. The retrieved data is then returned as a JSON result for + further analysis. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `SiemplifyAction` and the `GIBConnector` + to interact with the Group-IB TI API. + + 2. **Entity Gathering**: It retrieves all entities from the current case. + + 3. **Entity Validation**: For each entity, it uses an `EntityValidator` to determine + the entity type (e.g., IP, Domain, Hash). + + 4. **Data Retrieval**: It performs a global search for each entity in the Group-IB + TI database to identify relevant collections. + + 5. **Data Extraction**: It iterates through the identified collections, queries + the data, and optionally parses it using a mapping parser if enabled. + + 6. **Result Output**: The aggregated data is added to the action result as a JSON + object. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Enable mapping parser | boolean | No | If set to true, the action parses the + retrieved data using predefined mapping keys. If false, it collects raw dictionary + items. Defaults to false. | + + + ### Additional Notes + + This action does not modify any data within the case or external systems; it is + strictly an enrichment action that retrieves and displays threat intelligence + data. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,21 +305,59 @@ Get-TI-Search-Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation to search the Group-IB TI database + for threat intelligence. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR case data (no entity updates, insights, or + comments). It simply returns the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data for indicators (enrichment). + It does not mutate external systems or internal case data. It meets all criteria + for an enrichment action. entity_usage: entity_types: - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN - DOMAIN + - EMAILSUBJECT + - EVENT - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE - DestinationURL + - USB - USERUNIQNAME - - CREDITCARD filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -190,70 +366,99 @@ Get-TI-Search-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` provided in the case. It uses + an `EntityValidator` to determine the type of each entity and only processes + those it recognizes (IP, Domain, Hash, Email, Card). Since it does not filter + the input list before processing, it is considered to support all entity types. Get-TI-Search-Info-By-Collection: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, prevalence, metadata) + for indicators like IPs, domains, and hashes. This directly matches the 'Enrich + IOC' category. It does not perform any other actions like ticketing, containment, + or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get-TI-Search-Info-By-Collection** action searches the Group-IB Threat Intelligence - (TI) database for specific indicators across a wide range of collections. It allows - users to query for data related to Domains, IP Addresses, URLs, File Hashes, Bank - Cards, and Emails. The action is highly configurable, allowing users to target - specific collections and optionally apply a mapping parser to structure the raw - API response into a more readable format. + This action searches for threat intelligence information in the Group-IB TI database + for entities provided in the case. It allows analysts to query specific collections + (e.g., APT threats, malware, phishing) to retrieve contextual data, indicators, + and metadata associated with the provided entities. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the Group-IB TI poller using the + provided API credentials and configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the required `Collection` parameter, + the optional `Enable mapping parser` flag, and the optional `Search tag`. - | **Collection** | DDL | Yes | Specifies the Group-IB TI collection to search. - Options include `apt/threat`, `malware/cnc`, `compromised/account_group`, and - many others. | + 3. **Entity Processing**: The action iterates through all target entities in the + case. It uses an `EntityValidator` to identify the type of each entity (e.g., + IP, Domain, Hash, URL, Email, Credit Card). - | **Enable mapping parser** | Boolean | No | If set to `true`, the action transforms - the raw API data into a structured JSON format based on internal mapping keys. - If `false`, it returns the raw items from the API. Default is `false`. | + 4. **Query Construction**: For each entity, it constructs a search query. If a + `Search tag` is provided, it prefixes the query (e.g., `domain:example.com`); + otherwise, it uses the entity identifier directly. - | **Search tag** | String | No | An optional tag used to prefix the search query - (e.g., `domain:google.com`). If provided, the query is formatted as `tag:identifier`. - If omitted, the raw entity identifier is used. | + 5. **Data Retrieval**: It queries the Group-IB TI API for the selected collection + using the constructed query. + 6. **Result Processing**: The retrieved data is parsed (if the mapping parser + is enabled) and added to the action's result JSON, which is then returned to the + SOAR platform. - ### Flow Description - 1. **Initialization:** The action initializes the Group-IB TI connector and retrieves - user-defined parameters including the target collection and search preferences. + ### Parameters Description - 2. **Entity Processing:** It iterates through all entities in the current scope. - For each entity, it validates the identifier to determine if it matches supported - formats (IP, Domain, Hash, etc.). + | Parameter | Type | Mandatory | Description | - 3. **Query Construction:** A search query is built for each valid entity. If - a `Search tag` is specified, it is prepended to the entity identifier; otherwise, - the identifier is used as the standalone query. + | :--- | :--- | :--- | :--- | - 4. **Data Retrieval:** The action queries the Group-IB TI API for the selected - collection. It uses a generator to handle data retrieval, supporting up to 3,000 - items per query. + | `Collection` | DDL | Yes | The specific threat intelligence collection to query + (e.g., `apt/threat`, `malware/malware`). | - 5. **Parsing and Aggregation:** Based on the `Enable mapping parser` setting, - the retrieved data is either parsed into a structured format or kept as raw JSON. - All results are aggregated into a single result object. + | `Enable mapping parser` | Boolean | No | If set to true, the action uses a mapping + parser to format the output data. Defaults to false. | - 6. **Completion:** The final aggregated JSON is attached to the action result, - and the task is marked as completed. + | `Search tag` | String | No | An optional tag to prefix the search query (e.g., + `domain`). If provided, the query format becomes `tag:entity`. | ### Additional Notes - * The action includes built-in rate-limiting protection by implementing a 1-second - delay between API requests. - - * While the `Enable mapping parser` parameter is a boolean, the underlying logic - expects string comparisons ("true"/"false"), which is handled automatically by - the integration's parameter extraction logic. + This action does not modify any external systems or internal case data; it is + strictly an enrichment/search action. It supports a wide variety of entity types, + which are automatically detected and processed. capabilities: can_create_case_comments: false can_create_insight: false @@ -264,51 +469,32 @@ Get-TI-Search-Info-By-Collection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Group-IB TI API to retrieve threat + intelligence data based on the provided entities. It does not perform any write + operations to external systems (no mutation) and does not modify internal SOAR + case data (no internal mutation). It simply returns the retrieved data as a + result JSON. categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence) about + entities from an external source (Group-IB TI). It does not mutate external + state or internal SOAR data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - DestinationURL - - USB + - FILEHASH - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -316,29 +502,72 @@ Get-TI-Search-Info-By-Collection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and uses an `EntityValidator` + to determine the type of each entity. It supports multiple entity types including + IP addresses, domains, file hashes, URLs, emails, and credit cards. It does + not apply specific filters on the entities themselves (like is_internal or is_suspicious) + before processing them. Ping: - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity between Google SecOps and the Group-IB Threat Intelligence\ - \ (TI) platform. Beyond a simple heartbeat check, it retrieves a list of all data\ - \ collections available to the user based on their current subscription level,\ - \ providing visibility into accessible threat feeds.\n\n### Parameters Description\n\ - | Parameter Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :---\ - \ | :--- | :--- |\n| None | This action does not require any input parameters.\ - \ | N/A | N/A | N/A |\n\n### Additional Notes\n- This action relies on the integration's\ - \ global configuration (API Login, API Key, and API URL) to authenticate.\n- The\ - \ output includes a JSON object listing the 'granted_collections' which helps\ - \ administrators verify which threat feeds are active.\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Siemplify environment and sets\ - \ the script name.\n2. **Connector Setup**: It retrieves the global configuration\ - \ credentials (API Login, API Key, API URL) and initializes the `GIBConnector`\ - \ and `PlaybookAdapter`.\n3. **API Request**: The action sends a GET request to\ - \ the `user/granted_collections` endpoint of the Group-IB TI API.\n4. **Result\ - \ Processing**: \n - If successful, the list of collections is added to the\ - \ action's JSON results, and a 'Connection Established' message is returned.\n\ - \ - If the request fails (e.g., due to authentication or network issues), an\ - \ error message is logged, and the action status is set to failed.\n5. **Termination**:\ - \ The action concludes by reporting the connectivity status and the retrieved\ - \ collection data to the SOAR workbench." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) that retrieves a list of collections. + It does not perform any of the listed operational tasks (enrichment, containment, + ticketing, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Tests connectivity to the Group-IB Threat Intelligence API and retrieves available + collections based on the subscription. This action verifies that the integration + is correctly configured and can communicate with the external service. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + None. + + + ### Flow Description + + 1. Initialize the `SiemplifyAction` and `GIBConnector`. + + 2. Send a request to the `user/granted_collections` endpoint. + + 3. Add the resulting JSON (list of collections) to the action result. + + 4. End the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -349,8 +578,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity and retrieve data (fetches_data=true). + It does not mutate any external or internal systems, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the rules, Ping actions are not + enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -366,3 +602,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `target_entities` or use entity-specific identifiers + to perform its task. It only initializes the connector. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..cb833e99a --- /dev/null +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,136 @@ +TI IoC Hash Connector: + ai_description: >- + ### General Description + + The TI IoC Hash Connector integrates Google SecOps with the Group-IB Threat Intelligence + (TI) portal. Its primary purpose is to automatically retrieve Indicators of Compromise + (IoCs), specifically file hashes, from the Group-IB TI platform. By ingesting + these hashes as alerts, the connector enables security teams to proactively monitor + for malicious file activity within their environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API key | Password | Yes | API key generated at your Group-IB TI Profile. | + + | API login | Email | Yes | Email address used to access the Group-IB TI Portal. + | + + | API URL | String | Yes | The URL for the Group-IB TI Portal. | + + | Case name | String | Yes | The name to display for the created case. | + + | Case severity | String | Yes | The severity level for the case (Informative, + Low, Medium, High, Critical). | + + | Case type | String | Yes | The case type to trigger an action. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name. + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | Start date | String | No | Start date for data collection (YYYY-MM-DD). Defaults + to one day back if not provided. | + + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates. | + + + ### Flow Description + + 1. The connector initializes a connection to the Group-IB TI API using the provided + credentials and configuration. + + 2. It retrieves the last processed sequence update number from local storage to + ensure incremental data ingestion. + + 3. If no previous state is found, it uses the configured `Start date` (or defaults + to one day back) to fetch initial data. + + 4. It queries the `ioc/common` collection from the Group-IB TI portal. + + 5. The retrieved data is parsed to extract file hashes (`file_ioc__hash`). + + 6. For each identified hash, the connector creates an alert in Google SecOps, + mapping the data to the required alert format. + + 7. The connector saves the latest sequence update number to storage to maintain + state for subsequent runs. +TI IoC IP Connector: + ai_description: >- + ### General Description + + This connector integrates with the Group-IB Threat Intelligence (TI) portal to + retrieve Indicators of Compromise (IoCs), specifically IP addresses. It periodically + polls the `ioc/common` collection, processes the retrieved data, and creates alerts + within Google SecOps (Chronicle SOAR) to facilitate proactive threat detection + and response. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API login | Email | Yes | Your email address used to access the Group-IB TI + Portal. | + + | API URL | String | Yes | The URL for the Group-IB TI Portal. | + + | Case name | String | Yes | The name of the case to display in SOAR. | + + | Case severity | String | Yes | The severity level for the created case (e.g., + Informative, Low, Medium, High, Critical). | + + | Case type | String | Yes | The case type to trigger an action. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name. + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + script execution. | + + | Start date | String | No | The start date (YYYY-MM-DD) to download collection + data. Defaults to one day back if not provided. | + + | API key | Password | Yes | The API key generated from your Group-IB TI Profile. + | + + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for the API + connection. | + + + ### Flow Description + + 1. Initializes the connection to the Group-IB TI portal using the provided credentials + and API URL. + + 2. Retrieves the last processed sequence update number from the SOAR storage to + ensure incremental data fetching. + + 3. If no previous timestamp exists, it uses the configured `Start date` (or defaults + to one day back) to initialize the sequence update. + + 4. Queries the `ioc/common` collection from the Group-IB TI API. + + 5. Parses the retrieved data, filtering for valid IP addresses. + + 6. Maps the parsed events into the Google SecOps alert format, including metadata + like severity and type. + + 7. Creates and ingests the alerts into the SOAR platform. + + 8. Updates the sequence number in the SOAR storage to track the progress for the + next execution. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..60a46966c --- /dev/null +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'group_ib_ti' is primarily classified as Threat Intelligence because + it provides multiple enrichment actions (e.g., 'Get-Graph-Info', 'Get-TI-Search-Info') + that query the Group-IB database to retrieve reputation, malware family names, + and historical data for indicators like IPs, domains, and hashes. Furthermore, + the integration qualifies as SIEM because it includes connectors ('TI IoC Hash + Connector', 'TI IoC IP Connector') that ingest threat feeds and automatically + create alerts within the Google SecOps platform, enabling proactive monitoring + and detection of malicious activity. It does not perform actions related to EDR + (host containment), Network Security (firewall management), Email Security, IAM, + Cloud Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml index 209f114ee..0824f5474 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml @@ -1,50 +1,97 @@ Enrich Entities: - ai_description: "### General Description\nThe **Enrich Entities** action scans compatible\ - \ entities\u2014including Public IPv4/IPv6 addresses, URLs, Domains, and File\ - \ Hashes (MD5, SHA1, SHA256)\u2014using the **Houdin.io** platform. It retrieves\ - \ comprehensive threat intelligence by leveraging multiple third-party scanners\ - \ and Houdin's proprietary AI-driven analysis. The action updates entity attributes\ - \ with threat scores and analysis summaries, providing security analysts with\ - \ immediate context within the Google SecOps platform.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **scanOn** | Multi-choice | No | Specifies an array of scanners for Houdin to\ - \ utilize (e.g., `vt`, `urlscan`, `abuseipdb`, `mesmer`). If not provided, the\ - \ platform uses its default scanner configuration. |\n\n### Additional Notes\n\ - - **IP Filtering**: The action automatically filters out internal/private IP addresses,\ - \ only performing scans for global (public) IP entities.\n- **Asynchronous Polling**:\ - \ Although the action logic includes a polling loop, it is marked as asynchronous\ - \ in the configuration. Users should ensure the script timeout in the Google SecOps\ - \ IDE is sufficient for the scanners to complete their analysis.\n- **Data Enrichment**:\ - \ Results are written to the entity's `additional_properties`, specifically updating\ - \ `Houdin-io_Threat_Score`, `Houdin-io_AI_Analysis`, and `Houdin-io_Analysis_sources`.\n\ - \n### Flow Description\n1. **Entity Identification**: The action iterates through\ - \ target entities and selects those matching compatible types: URL, Domain, FileHash,\ - \ or Public IP Address.\n2. **Scan Initiation**: For each compatible entity, the\ - \ action sends a POST request to the Houdin.io API to launch a new scan job, passing\ - \ the optional `scanOn` parameters if configured.\n3. **Result Polling**: The\ - \ action enters a polling phase, periodically sending GET requests to retrieve\ - \ the status and final results of the initiated scans.\n4. **Intelligence Extraction**:\ - \ Upon scan completion, the action parses the response to extract the Mesmer global\ - \ threat score (normalized to a /10 scale) and the AI-generated analysis summary.\n\ - 5. **Internal Update**: The action updates the `additional_properties` of the\ - \ successful entities with the retrieved intelligence and calls the internal update\ - \ method to persist these changes in Google SecOps.\n6. **Output Generation**:\ - \ Finally, the action produces a JSON result containing the full raw scan data\ - \ for each processed entity and ends with a summary message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, scores, analysis) for + IOCs (IPs, Domains, Hashes, URLs). This matches the 'Enrich IOC' category. It + does not perform containment or other actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Enriches entities by scanning them using the Houdin.io platform. This action processes + specific entity types (Public IP, Domain, File Hash, URL, and Destination URL) + by launching a scan via the Houdin.io API and polling for the results. Once the + analysis is complete, it updates the entity's `additional_properties` with a threat + score, AI analysis summary, and the sources used for the scan. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | scanOn | multi_choice_parameter | No | An optional array of scanners (e.g., + vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow) to be used by + Houdin for the scan. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the HoudinManager using the provided + API Key. + + 2. **Filtering**: It iterates through the target entities, filtering for compatible + types: Public IP (via `isIPExternal` check), Domain, File Hash, URL, and Destination + URL. + + 3. **Scan Launch**: For each compatible entity, it triggers a scan via the Houdin.io + API (`/scan/launch`). + + 4. **Polling**: It polls the Houdin.io API (`/scan/result`) for each scan ID until + results are retrieved. + + 5. **Enrichment**: It parses the scan results, specifically extracting the global + score and summary from the 'mesmer' analysis. + + 6. **Update**: It updates the `additional_properties` of the successful entities + with the retrieved threat intelligence and adds the full result JSON to the action + output. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_external_data: false + can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - The action performs a POST request to the Houdin.io API to create and launch - new scan jobs for the provided entities. + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Updates the `additional_properties` of the processed entities with threat scores + and analysis summaries. + reasoning: >- + The action fetches threat intelligence data from Houdin.io by launching scans + and polling results. It updates the entity's `additional_properties` with the + retrieved data. It does not modify external systems or alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment) and only performs allowed internal mutations + (updating entities). It does not mutate external systems. entity_usage: entity_types: - ADDRESS @@ -56,7 +103,7 @@ Enrich Entities: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -64,43 +111,55 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by specific types + (`ADDRESS`, `DOMAIN`, `FILEHASH`, `DestinationURL`). It also performs a check + on the identifier of `ADDRESS` entities to ensure they are external, but this + is not a filter on the `is_internal` attribute. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity to the Houdin.io API to ensure the integration is configured - correctly and the service is reachable. This action is primarily used for troubleshooting - and verifying that the provided API credentials and network settings allow communication - with the Houdin.io platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Key | String | Yes | The API key used for authentication with the Houdin.io - API. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Houdin.io API endpoint. Defaults to False. | - - - ### Flow Description - - 1. **Initialization**: The action extracts the API Key and SSL verification preference - from the integration configuration. - - 2. **Connectivity Check**: It initializes the HoudinManager and calls the `test_connectivity` - method. - - 3. **API Interaction**: The manager sends a POST request to the Houdin.io `/ping` - endpoint using the provided API key. - - 4. **Outcome**: If the API responds with a success status (HTTP 200), the action - completes with a 'Connection Established' message. If the connection fails or - the API returns an error, the action catches the exception and reports the failure. + General description: This action tests the connectivity to the Houdin.io API to + ensure the integration is properly configured and the service is reachable. Flow + description: 1. The action extracts the 'API Key' and 'Verify SSL' configuration + parameters. 2. It initializes the HoudinManager with the provided credentials. + 3. It sends a POST request to the Houdin.io ping endpoint. 4. It validates the + response status code. 5. It returns a success or failure status based on the connectivity + result. Parameters description: | Parameter | Type | Mandatory | Description | + | --- | --- | --- | --- | | API Key | String | Yes | The API key used for authentication + with the Houdin.io service. | | Verify SSL | Boolean | No | Whether to verify + SSL certificates for the connection. Defaults to False. | Additional notes: This + action is a connectivity test and does not perform any data enrichment or mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -111,8 +170,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a POST request to the Houdin.io + API. It does not fetch contextual data for entities, nor does it mutate any + external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' It also does not fetch + contextual data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -128,16 +195,48 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It is a global connectivity test. Scan Artifact: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits an artifact to the Houdin.io platform for analysis (matching + 'Submit File') and retrieves the resulting threat intelligence (matching 'Enrich + IOC'). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Scan Artifact** action allows users to submit a specific artifact (such - as an IP address, URL, Domain, or File Hash) to the Houdin.io platform for comprehensive - security scanning. It integrates with various third-party scanners to provide - a consolidated view of the artifact's reputation and threat profile. This action - is designed to be used when a specific indicator needs deep analysis beyond standard - enrichment. + The "Scan Artifact" action initiates a security scan on a specified artifact (such + as an IP, URL, Domain, or File Hash) using the Houdin.io platform. It retrieves + the scan results and provides them as the action output. ### Parameters Description @@ -146,42 +245,28 @@ Scan Artifact: | :--- | :--- | :--- | :--- | - | **artifact** | String | Yes | The specific indicator to be scanned. Supported - formats include IPv4, IPv6, URL, Domain, MD5, SHA1, and SHA256. | + | artifact | string | Yes | The artifact to scan (e.g., IPv4, IPv6, URL, Domain, + MD5, SHA1, SHA256). | - | **scanOn** | Multi-choice | No | A list of specific scanners to utilize (e.g., - vt, urlscan, abuseipdb, alienvault, triage, mesmer, servicenow). If left empty, - the platform uses its default scanner set. | + | scanOn | multi_choice_parameter | No | An optional array of scanners to use + (e.g., vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow). | ### Flow Description - 1. **Initialization**: The action extracts the API key from the integration configuration - and initializes the Houdin connection manager. + 1. The action extracts the `artifact` and `scanOn` parameters. - 2. **Scan Submission**: It sends a POST request to the Houdin.io API (`scan/launch`) - with the provided artifact and the list of selected scanners. + 2. It calls the Houdin.io API to launch a scan for the provided artifact. - 3. **Asynchronous Polling**: The action enters a polling phase, sending GET requests - to the Houdin API (`scan/result`) to check the status of the scan. It will continue - to poll until the scan is complete or the maximum number of retries is reached. + 3. It polls the Houdin.io API for the scan results until the scan is completed. - 4. **Data Retrieval**: Once the scan is finished, the action retrieves the full - JSON result set containing the findings from all utilized scanners. - - 5. **Output**: The final results are attached to the action as a JSON result and - a specific 'HoudinResult' object for use in subsequent playbook logic. + 4. The final scan result is added to the action output. ### Additional Notes - - This action does not automatically iterate over entities in a Google SecOps - case; the artifact must be explicitly provided as a parameter (often via a placeholder - from a previous step or entity). - - - Because this action involves external scanning which can take time, it is marked - as asynchronous. Users should ensure the action timeout in the Google SecOps IDE - is configured appropriately for long-running scans. + This action is asynchronous. The script timeout value in the Google SecOps IDE + should be adjusted if necessary to accommodate the scan duration. capabilities: can_create_case_comments: false can_create_insight: false @@ -190,12 +275,20 @@ Scan Artifact: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Houdin.io API to initiate a new scan - job, which creates a new scan resource and consumes platform credits/quota. + Initiates a scan on the Houdin.io platform via a POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action initiates a scan on an external platform (Houdin.io) via a POST request, + which constitutes an external mutation. It then polls for and retrieves the + scan results (fetches data). It does not modify internal SOAR data (case/alert + data) or update entities. categories: enrichment: false + reasoning: >- + The action performs a POST request to launch a scan, which is an external mutation. + Therefore, it does not meet the 'External State Preservation' requirement for + an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -211,3 +304,6 @@ Scan Artifact: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the `artifact` parameter provided by the user, not the `target_entities` + list from the SOAR platform. diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..33676e028 --- /dev/null +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The houdin_io integration is designed to provide automated AI-driven cyber threat + analysis. Its primary actions, 'Enrich Entities' and 'Scan Artifact', focus on + processing external indicators (IPs, Domains, Hashes, URLs) to retrieve threat + intelligence, including risk scores and analysis summaries. This functionality + aligns perfectly with the 'Threat Intelligence' category, which is defined by + the ability to enrich external indicators to determine their reputation and confirm + if an alert is a True Positive. The integration does not perform functions related + to SIEM log analysis, EDR host containment, network security gateway blocking, + email management, IAM identity control, cloud resource management, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification + workflows. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml index 7bc03f1b5..81ec52c56 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml @@ -1,74 +1,87 @@ Create Host Record: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a host record in Infoblox. This does not match any of the + provided categories (e.g., Enrichment, Containment, Ticket creation, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Create Host Record** action adds a new host record to the Infoblox NIOS - system. This action is used for IP Address Management (IPAM) and DNS inventory, - allowing users to define a host with its associated IPv4 and IPv6 addresses, aliases, - and metadata. When the DNS configuration is enabled, it automatically manages - corresponding A, AAAA, and PTR records. + Creates a new host record in Infoblox NIOS. This action allows users to define + a host name, associate IPv4/IPv6 addresses, configure DNS settings, and add metadata + such as comments, aliases, and extended attributes. It performs a POST request + to the Infoblox API to provision the record and returns the created host details. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Name** | String | Yes | The FQDN of the host (e.g., `server1.example.com`). - It must belong to an existing DNS zone. | - - | **IPv4 Addresses** | String | No | A JSON array of IPv4 address objects (e.g., - `[{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]`). + | Name | string | Yes | The FQDN of the host (e.g., server1.auth.threat.zone). | - | **IPv6 Addresses** | String | No | A JSON array of IPv6 address objects (e.g., - `[{"ipv6addr":"2001:db8::1"}]`). | + | IPv4 Addresses | string | No | JSON array of IPv4 address objects. | - | **View** | String | No | The DNS view in which the record resides (default: - `default`). | + | IPv6 Addresses | string | No | JSON array of IPv6 address objects. | - | **Comment** | String | No | Additional information or notes about this host - record. | + | View | string | No | The DNS view (default: "default"). | - | **Aliases** | String | No | Comma-separated list of DNS aliases (CNAMEs) for - this host. | + | Comment | string | No | Additional notes about the host record. | - | **Configure for DNS** | Boolean | No | If set to `false`, the host record will - not have associated DNS records. Default is `true`. | + | Aliases | string | No | Comma-separated list of DNS aliases (CNAMEs). | - | **Extended Attributes** | String | No | Comma-separated key/value pairs for - Infoblox extended attributes (e.g., `Site=New York,Owner=Security`). | + | Configure for DNS | boolean | No | Whether to create associated DNS records + (default: true). | - | **Additional Parameters** | String | No | A JSON object containing additional - parameters supported by the Infoblox WAPI. | + | Extended Attributes | string | No | Comma-separated key/value pairs for extended + attributes. | + | Additional Parameters | string | No | Comma-separated key/value pairs for additional + API parameters. | - ### Flow Description - 1. **Input Validation**: The action validates that the `Name` is provided and - that `IPv4 Addresses`, `IPv6 Addresses`, and `Additional Parameters` are provided - in valid JSON formats. + ### Flow Description - 2. **Attribute Parsing**: It parses the `Extended Attributes` string into the - specific dictionary format required by the Infoblox API. + 1. The action extracts configuration parameters (API root, credentials) and action-specific + inputs. - 3. **API Request**: It sends a POST request to the Infoblox `/record:host` endpoint - with the constructed payload. + 2. It validates the provided inputs (e.g., required strings, IP address objects, + additional parameters). - 4. **Result Processing**: If successful, the action returns the created record's - details in JSON format and populates a 'Hosts' data table in the case wall for - visibility. + 3. It initializes the `APIManager` to communicate with the Infoblox NIOS API. + 4. It executes a POST request to create the host record with the specified attributes. - ### Additional Notes + 5. Upon success, it adds the created host record details to the action results + as a JSON object and a data table. - - While `IPv4 Addresses` and `IPv6 Addresses` are technically optional in the - parameter list, at least one is typically required by Infoblox to create a functional - host record. - - - The `Name` parameter is effectively mandatory as the script performs a manual - validation check and will fail if it is empty. + 6. If an error occurs, it logs the exception and fails the action execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -77,12 +90,20 @@ Create Host Record: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new host record and potentially associated DNS records (A, AAAA, PTR) - in the Infoblox NIOS system via a POST request. + Creates a new host record in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a host record in an external Infoblox + system (can_mutate_external_data=true). It does not fetch data from external + systems (fetches_data=false). It does not modify internal SOAR case data, entities, + or alerts (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action that adds a record to an external system. + It does not fetch data for enrichment purposes, nor does it meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -98,61 +119,92 @@ Create Host Record: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + operates based on parameters provided in the action configuration. Create RPZ A Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an RPZ A rule, which is a mechanism for DNS-based blocking + or redirection. This aligns with the 'Add IOC To Blocklist' category as it updates + security controls to prevent interaction with an indicator. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create RPZ A Rule** action allows users to create a Response Policy Zone - (RPZ) Substitute rule within Infoblox NIOS. This rule maps a specific domain name - (A record) or an IPv4 address to a substitute IPv4 address. This is primarily - used for DNS redirection, sinkholing, or blocking access to malicious destinations - by providing an alternative IP response. + Creates an RPZ (Response Policy Zone) A rule in Infoblox NIOS. This action maps + a domain name or an IPv4 address to a substitute IPv4 address, enabling DNS redirection + or blocking capabilities within the Infoblox environment. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + credentials) and action-specific inputs (Object Type, Name, RP Zone, IPv4 Address, + etc.). - | :--- | :--- | :--- | :--- | + 2. **Validation**: Validates the provided inputs, including the required string + formats and the validity of the IPv4 address. + + 3. **API Interaction**: Initializes the Infoblox API manager and sends a POST + request to create the specified RPZ A rule. - | **Object Type** | DDL | Yes | Determines the type of record to create. Options - are `IP Address` or `Domain Name`. | + 4. **Result Processing**: Adds the API response as a JSON result and constructs + a data table containing the rule details for the action output. - | **Name** | String | Yes | The name or FQDN of the rule to be created. | - | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule - will be assigned. | + ### Parameters Description - | **IPv4 Address** | String | Yes | The substitute IPv4 address that will be returned - by the DNS server for this rule. | + | Parameter | Type | Mandatory | Description | - | **Comment** | String | No | An optional descriptive comment for the rule. | + | :--- | :--- | :--- | :--- | - | **Additional Parameters** | String | No | A JSON-formatted string containing - extra parameters for the Infoblox WAPI request. | + | Object Type | ddl | Yes | The type of object for which to create the record. + Options: 'IP Address', 'Domain Name'. | + | Name | string | Yes | The name of the rule to be created. | - ### Flow Description + | RP Zone | string | Yes | The Response Policy Zone to assign the rule to. | - 1. **Parameter Extraction:** The action retrieves the configuration and action - parameters, including the object type, rule name, target zone, and substitute - IP. + | IPv4 Address | string | Yes | The IPv4 address to be used as the substitute + in the rule. | - 2. **Validation:** It validates that the `Name` and `RP Zone` are non-empty, - the `IPv4 Address` is a valid IPv4 format, and the `Additional Parameters` (if - provided) is a valid JSON object. + | Comment | string | No | An optional comment for the rule. | - 3. **API Preparation:** Based on the `Object Type`, it selects the appropriate - Infoblox WAPI endpoint (`record:rpz:a` for domains or `record:rpz:a:ipaddress` - for IPs). + | Additional Parameters | string | No | A JSON object containing additional parameters + for creating the response policy zone. | - 4. **Rule Creation:** It constructs the request body, ensuring the rule name - is correctly formatted with the zone suffix, and sends a POST request to the Infoblox - API. - 5. **Result Processing:** Upon success, it parses the API response, creates a - data table named 'RPZ A Rule' with the record details, and returns the raw JSON - result. + ### Additional Notes + + This action performs a direct mutation on the Infoblox NIOS system. Ensure that + the provided credentials have the necessary permissions to create RPZ rules. capabilities: can_create_case_comments: false can_create_insight: false @@ -161,12 +213,21 @@ Create RPZ A Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ A rule (DNS record) in the Infoblox NIOS system to redirect - or block traffic. + Creates an RPZ A rule in the Infoblox NIOS system, which modifies DNS resolution + policies. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a rule in an external system (Infoblox + NIOS). It does not fetch data (GET) for enrichment purposes, nor does it modify + internal SOAR case data or entities. It only adds result data to the action + output. categories: enrichment: false + reasoning: >- + The action is a mutation action designed to create a rule in an external system. + It does not fetch data to enrich entities, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -182,59 +243,86 @@ Create RPZ A Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its task. Create RPZ AAAA Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an RPZ AAAA rule, which is used for DNS redirection or blocking. + This aligns with the 'Add IOC To Blocklist' category as it updates security + controls (DNS) to prevent interaction with specific indicators. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Creates a Response Policy Zone (RPZ) AAAA rule in Infoblox NIOS. This action allows - for DNS redirection or blocking by mapping a domain name or an IPv6 address to - a substitute IPv6 address. It is primarily used for security enforcement within - a DNS environment. - - - ### Parameters Description - + Creates an RPZ (Response Policy Zone) AAAA rule in Infoblox NIOS to map a domain + name or IPv6 address to a substitute IPv6 address for DNS redirection or blocking. + This action allows administrators to configure DNS-based security policies directly + from the SOAR platform. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Object Type | DDL | Yes | Determines if the rule is for a 'Domain Name' or an - 'IP Address'. This affects the underlying Infoblox record type created. | + 1. **Parameter Extraction**: The action retrieves the required parameters: Object + Type, Name, RP Zone, IPv6 Address, and optional parameters like Comment and Additional + Parameters. - | Name | String | Yes | The name of the rule (e.g., the domain or IP address to - be intercepted). | + 2. **Validation**: It validates the provided inputs, ensuring the Name and RP + Zone are non-empty strings and the IPv6 Address is a valid IPv6 format. - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be created. | + 3. **API Interaction**: It initializes the Infoblox API manager and sends a request + to create the RPZ AAAA rule based on the specified object type (Domain Name or + IP Address). - | IPv6 Address | String | Yes | The substitute IPv6 address that the DNS query - will be redirected to. | + 4. **Result Processing**: Upon success, it adds the created rule details as a + JSON result and a data table to the action output. If the creation fails, it logs + the error and sets the execution state to failed. - | Comment | String | No | An optional description or note for the rule. | - | Additional Parameters | String | No | A JSON-formatted string containing extra - parameters supported by the Infoblox WAPI for record creation. | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | + | Object Type | ddl | Yes | The type of the object for which to create the record + (Domain Name or IP Address). | - 1. **Initialization**: The action retrieves integration configuration (API Root, - credentials) and user-provided parameters. + | Name | string | Yes | The name of the rule. | - 2. **Validation**: It validates that mandatory strings are non-empty, ensures - the 'IPv6 Address' is a valid IPv6 format, and parses 'Additional Parameters' - if provided. + | RP Zone | string | Yes | The zone to assign the rule to. | - 3. **Logic Branching**: Based on the 'Object Type' selection, it selects the appropriate - Infoblox API identifier and record type (either a standard AAAA record or an IP-address-based - AAAA record). + | IPv6 Address | string | Yes | The IPv6 address of the substitute rule. | - 4. **External Interaction**: It performs a POST request to the Infoblox WAPI to - create the new RPZ rule. + | Comment | string | No | Comment for this rule. | - 5. **Output**: Upon success, it adds the raw JSON response to the action results - and constructs a data table displaying the rule's reference ID, name, and assigned - zone. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | capabilities: can_create_case_comments: false can_create_insight: false @@ -243,12 +331,18 @@ Create RPZ AAAA Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ AAAA rule in the Infoblox NIOS system via a POST request to - the WAPI, which modifies the DNS policy configuration. + Creates an RPZ AAAA rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an RPZ rule in Infoblox NIOS. It + does not fetch external data for enrichment, nor does it modify internal SOAR + entities, insights, or case data. It only adds result data to the action output. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a rule) and does not fetch data for + enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -264,71 +358,94 @@ Create RPZ AAAA Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It relies entirely + on parameters provided in the action configuration. Create RPZ CNAME Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a CNAME rule in an RPZ, which is a DNS-based security control + used to block or redirect traffic. This aligns with the 'Add IOC To Blocklist' + category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates a CNAME rule in an existing Response Policy Zone (RPZ) within Infoblox + NIOS to override DNS behavior. This action allows administrators to define rules + for specific domains or IP addresses to block, pass through, or substitute DNS + responses. - Adds a CNAME rule to an existing Response Policy Zone (RPZ) in Infoblox NIOS to - override DNS behavior. This action allows administrators to define how specific - domains or IP addresses should be handled (e.g., blocked, passed through, or redirected) - within the DNS infrastructure. It supports various rule types such as Passthru, - Block, and Substitute. + ### Flow - ### Parameters Description + 1. Extracts configuration parameters (API credentials, etc.) and action-specific + inputs. - | Parameter | Type | Mandatory | Description | + 2. Validates the required parameters, including the RP Zone and Rule Name. - | :--- | :--- | :--- | :--- | - - | Name | String | Yes | The rule name in a FQDN format. | - - | RP Zone | String | Yes | The zone to assign the rule to. | + 3. Invokes the Infoblox API to create the specified RPZ CNAME rule. - | Rule Type | DDL | Yes | The type of the rule to create. Options: `Passthru`, - `Block (No such domain)`, `Substitute (Domain name)`, `Block (No data)`. | + 4. Adds the API response to the action result and generates a data table summarizing + the created rule. - | Object Type | DDL | Yes | The type of the object for which to assign the rule. - Options: `Domain Name`, `IP Address`, `Client IP Address`. | - | Substitute Name | String | No | The substitute name to assign (substitute domain - only). Mandatory if 'Rule Type' is 'Substitute (Domain name)'. | - - | Comment | String | No | Comment for this rule. | + ### Parameters - | View | String | No | The DNS view in which the records are located. Defaults - to 'default'. | + | Parameter | Type | Mandatory | Description | - | Additional Parameters | String | No | JSON object containing additional parameters - to create the RPZ rule. | + | :--- | :--- | :--- | :--- | + | Name | string | Yes | The rule name in FQDN format. | - ### Additional Notes + | RP Zone | string | Yes | The zone to assign the rule to. | - - **Conditional Requirement:** If 'Rule Type' is set to 'Substitute (Domain name)', - the 'Substitute Name' parameter must be provided. + | Rule Type | ddl | Yes | The type of the rule to create (e.g., Passthru, Block, + Substitute). | - - **Compatibility Check:** 'Substitute (Domain name)' rule type is not applicable - when 'Object Type' is 'IP Address' or 'Client IP Address'. + | Object Type | ddl | Yes | The type of the object for which to assign the rule + (Domain Name, IP Address, Client IP Address). | - - **Rule Logic:** The action automatically determines the 'canonical' value for - the Infoblox API based on the selected 'Rule Type' (e.g., '*' for Block (No data), - 'rpz-passthru' for Passthru on Client IP). + | Substitute Name | string | No | The substitute name to assign (substitute domain + only). | + | Comment | string | No | Comment for this rule. | - ### Flow Description + | View | string | No | The DNS view in which the records are located. Defaults + to 'default'. | - 1. **Parameter Extraction:** The action retrieves and validates input parameters, - ensuring mandatory fields like 'Name' and 'RP Zone' are present. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the RPZ rule. | - 2. **Logic Determination:** It determines the correct Infoblox API endpoint based - on the 'Object Type' and calculates the 'canonical' value based on the 'Rule Type'. - 3. **API Interaction:** The action sends a POST request to the Infoblox NIOS WAPI - to create the CNAME rule. + ### Additional Notes - 4. **Result Processing:** Upon success, it parses the API response, creates a - data table with the rule details, and adds the raw JSON result to the action output. + - The action performs a direct mutation on the Infoblox NIOS system. Ensure the + provided credentials have sufficient permissions to modify RPZ configurations. capabilities: can_create_case_comments: false can_create_insight: false @@ -337,12 +454,18 @@ Create RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new CNAME rule in the Infoblox NIOS Response Policy Zone (RPZ) configuration, - which modifies the DNS resolution behavior for the specified target. + Creates a new CNAME rule in the Infoblox Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ CNAME + rule. It does not fetch external data for enrichment, nor does it modify internal + SOAR case data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action creates external data (a rule) and does not fetch context or perform + enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -358,27 +481,88 @@ Create RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on parameters provided in the action configuration. Create RPZ MX Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a specific DNS record (MX rule) in an RPZ. This is a configuration + task and does not fit the provided categories for blocking, ticketing, or enrichment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a mail exchange (MX) override rule to a Response Policy Zone (RPZ) in Infoblox - NIOS. This action allows administrators to define custom mail routing policies - within a specific DNS response policy zone.\n\n### Parameters\n| Parameter | Type - | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Name | String | - Yes | The name of the rule to be created. |\n| RP Zone | String | Yes | The Response - Policy Zone where the rule will be added. |\n| Mail Exchanger | String | Yes | - The mail exchanger (host) for the rule. |\n| Preference | String | Yes | The preference - value for the MX record (0-65535). |\n| Comment | String | No | A descriptive - comment for the rule. |\n| Additional Parameters | String | No | A JSON object - containing any additional Infoblox WAPI parameters. |\n\n### Flow Description\n1. - **Parameter Extraction:** The action retrieves the rule name, target RP zone, - mail exchanger, preference, and optional comments or additional parameters.\n2. - **Validation:** It validates that mandatory fields are present, the preference - is a valid integer within the allowed range (0-65535), and additional parameters - are in valid JSON format.\n3. **API Interaction:** It connects to the Infoblox - NIOS API and performs a POST request to create the `record:rpz:mx` object.\n4. - **Result Processing:** Upon success, it returns the details of the created rule - in a JSON format and populates a data table for the user.\n\n### Additional Notes\n- - The rule name is automatically suffixed with the RP Zone name if not already present. + Creates a Mail Exchange (MX) override rule within a Response Policy Zone (RPZ) + on the Infoblox NIOS platform. This action allows administrators to define specific + mail exchange routing rules for DNS response policies. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the required configuration (API + root, credentials) and action-specific parameters (RP Zone, Name, Mail Exchanger, + Preference, Comment, and Additional Parameters). + + 2. **Validation**: It validates that the required fields are present and that + the Preference is a valid integer. + + 3. **API Interaction**: It initiates a POST request to the Infoblox NIOS API to + create the new RPZ MX rule. + + 4. **Result Reporting**: Upon success, it adds the created rule details to the + action result JSON and displays a data table containing the rule information. + If the creation fails, it logs the error and reports the failure. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Name | string | Yes | Specify the name of the rule. | + + | RP Zone | string | Yes | The zone to assign the rule to. | + + | Mail Exchanger | string | Yes | Specify the mail exchanger for the rule. | + + | Preference | string | Yes | Preference value for the rule. | + + | Comment | string | No | Comment for this rule. | + + | Additional Parameters | string | No | JSON object containing additional parameters + to create response policy zone. | + + + ### Additional Notes + + - The action does not interact with entities. It is a configuration management + action for Infoblox DNS settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -387,12 +571,19 @@ Create RPZ MX Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new mail exchange (MX) override rule to a Response Policy Zone (RPZ) - in Infoblox NIOS. + Creates a new Mail Exchange (MX) rule in the specified Response Policy Zone + (RPZ) on the Infoblox NIOS platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ MX + rule. It does not fetch data, nor does it modify internal SOAR case data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action is a configuration/mutation action that creates a new rule in an + external system. It does not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -408,59 +599,82 @@ Create RPZ MX Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Create RPZ NAPTR Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a NAPTR rule in Infoblox. This is a configuration change + on an external system. It does not match any of the predefined categories such + as enrichment, ticketing, identity management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a NAPTR (Naming Authority Pointer) override rule in a Response Policy Zone - (RPZ) within Infoblox NIOS. This action is used to control DNS-based service discovery - by specifying how a domain name should be replaced or processed when multiple - rules exist. It allows administrators to define the sequence of rule application - and the preference for specific records. + Creates a NAPTR (Naming Authority Pointer) override rule within a specified Response + Policy Zone (RPZ) on an Infoblox NIOS appliance. This action allows administrators + to configure DNS-based service discovery rules by defining the rule name, zone, + order, preference, and replacement values. - ### Parameters Description + ### Flow + 1. Extracts configuration parameters (API root, credentials). - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. Extracts action parameters (Name, RP Zone, Order, Preference, Replacement, + Comment, Additional Parameters). - | Name | String | Yes | Specify the name of the rule to be created. | + 3. Validates required fields and integer constraints. - | RP Zone | String | Yes | The Response Policy Zone to which the rule will be - assigned. | + 4. Sends a POST request to the Infoblox NIOS API to create the NAPTR rule. - | Order | String | Yes | Defines the sequence of rule application when multiple - rules exist. Must be a non-negative integer. | + 5. Adds the result to the action output and generates a data table for the created + rule. - | Preference | String | Yes | The preference value for the NAPTR record. Must - be a non-negative integer. | - | Replacement | String | Yes | Specifies the next domain name to look up for non-terminal - NAPTR records. | + ### Parameters - | Comment | String | No | An optional comment or description for the rule. | + | Parameter | Type | Mandatory | Description | - | Additional Parameters | String | No | A JSON object containing any additional - WAPI parameters required for the rule creation. | + | :--- | :--- | :--- | :--- | + | Name | string | Yes | Name of the rule. | - ### Flow Description + | RP Zone | string | Yes | The zone to assign the rule to. | + | Order | string | Yes | Sequence of rule application. | - 1. **Parameter Extraction:** The action retrieves the configuration (API Root, - credentials) and action parameters (Name, RP Zone, Order, Preference, Replacement, - etc.). + | Preference | string | Yes | Preference of the NAPTR record. | - 2. **Validation:** It validates that mandatory strings are non-empty and that - 'Order' and 'Preference' are valid non-negative integers within the allowed range - (0-65535). It also ensures 'Additional Parameters' is a valid JSON object if provided. + | Replacement | string | Yes | Replacement domain name. | - 3. **API Interaction:** The action connects to the Infoblox NIOS API and performs - a POST request to the `record:rpz:naptr` endpoint to create the rule. + | Comment | string | No | Comment for the rule. | - 4. **Result Processing:** Upon success, the action returns the raw JSON response - from Infoblox and constructs a data table displaying the created rule's details - (Reference ID, Name, RP Zone, Replacement, etc.). + | Additional Parameters | string | No | JSON object for extra parameters. | capabilities: can_create_case_comments: false can_create_insight: false @@ -469,12 +683,20 @@ Create RPZ NAPTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new NAPTR (Naming Authority Pointer) rule within a Response Policy - Zone (RPZ) in the Infoblox NIOS system via a POST request. + Creates a new NAPTR rule in the specified Response Policy Zone on the Infoblox + NIOS appliance. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new NAPTR + rule, which constitutes an external data mutation. It does not fetch data, nor + does it modify internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action that modifies external system state + (Infoblox) and does not fetch data for enrichment purposes. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -490,64 +712,90 @@ Create RPZ NAPTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + input parameters directly from the action configuration to create a rule in + Infoblox. Create RPZ PTR Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a DNS-based rule (RPZ PTR) in Infoblox, which is a security + control mechanism used to override DNS responses. This aligns with the 'Add + IOC To Blocklist' category as it updates security controls to manage traffic/resolution. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates a reverse DNS lookup override (PTR rule) in a Response Policy Zone (RPZ) + within Infoblox NIOS. This action allows administrators to define custom DNS responses + for specific IP addresses, effectively managing DNS-based security policies. - Adds a reverse DNS lookup override in a Response Policy Zone (RPZ) for an IP address - within Infoblox NIOS. This action allows administrators to define custom PTR records - within an RPZ to redirect or block reverse DNS queries by creating a `record:rpz:ptr` - object. + ### Flow - ### Parameters Description + 1. Extracts and validates the required parameters: `PTR DName` and `RP Zone`. - | Parameter | Type | Mandatory | Description | + 2. Validates the provided `IPv4 Address` or `IPv6 Address` formats. - | :--- | :--- | :--- | :--- | + 3. Ensures at least one of `Name`, `IPv4 Address`, or `IPv6 Address` is provided. - | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule - will be created. | + 4. Sends a request to the Infoblox NIOS API to create the RPZ PTR rule. - | **PTR DName** | String | Yes | The domain name of the RPZ substitute rule object - for the PTR record. | + 5. Adds the creation result to the action output as a JSON object and a data table. - | **Name** | String | No | The name of the RPZ Substitute rule object. | - | **Comment** | String | No | A descriptive comment for the rule. | + ### Parameters - | **IPv4 Address** | String | No | The IPv4 address associated with the substitute - rule. | + | Parameter | Type | Mandatory | Description | - | **IPv6 Address** | String | No | The IPv6 address associated with the substitute - rule. | + | :--- | :--- | :--- | :--- | - | **Additional Parameters** | String | No | A JSON object containing extra parameters - for the Infoblox WAPI request. | + | PTR DName | string | Yes | The domain name of the RPZ substitute rule object + of the PTR record. | + | RP Zone | string | Yes | The zone to assign the rule to. | - ### Additional Notes + | Name | string | No | The name of the RPZ Substitute rule object of the PTR record. + | - At least one of the following parameters must be provided for the action to succeed: - **Name**, **IPv4 Address**, or **IPv6 Address**. The action performs format validation - on IP addresses if they are provided. + | Comment | string | No | Comment for this rule. | + | IPv4 Address | string | No | The IPv4 address of the substitute rule. | - ### Flow Description + | IPv6 Address | string | No | The IPv6 address of the substitute rule. | - 1. **Parameter Extraction:** Retrieves the RP Zone, PTR DName, and optional fields - (Name, Comment, IPs, Additional Parameters) from the action input. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | - 2. **Validation:** Ensures mandatory fields are non-empty and that at least one - identifying field (Name, IPv4, or IPv6) is populated. It also validates the syntax - of provided IP addresses and parses the 'Additional Parameters' JSON. - 3. **API Interaction:** Executes a POST request to the Infoblox NIOS WAPI endpoint - for RPZ PTR records (`/record:rpz:ptr`). + ### Additional Notes - 4. **Result Processing:** Upon success, the action adds the raw JSON response - to the action results and constructs a data table summarizing the created PTR - rule for display in the case wall. + At least one of 'Name', 'IPv4 Address', or 'IPv6 Address' must be provided for + the action to execute successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -556,12 +804,18 @@ Create RPZ PTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ PTR rule (reverse DNS lookup override) in the Infoblox NIOS - instance via a POST request to the WAPI. + Creates a new RPZ PTR rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ PTR + rule. It does not fetch data, nor does it modify internal SOAR case data or + entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creates a rule) and does not fetch data for + enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -577,67 +831,96 @@ Create RPZ PTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It relies on user-provided + parameters. Create RPZ SRV Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an SRV record in an RPZ. RPZ rules are a standard mechanism + for DNS-based filtering, redirection, and blocking, which aligns with the 'Add + IOC To Blocklist' category as it modifies DNS resolution behavior to influence + network traffic. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates an SRV record override in a Response Policy Zone (RPZ) within Infoblox + NIOS. This action allows administrators to define service-based DNS lookups by + specifying the rule name, priority, port, weight, and target within a designated + RPZ. - Adds an SRV record override in a Response Policy Zone (RPZ) for service-based - DNS lookups in Infoblox NIOS. This action allows security teams to redirect or - block specific service lookups by creating a Substitute (SRV Record) Rule within - a specified zone. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction**: The action retrieves the required configuration parameters + (Name, Priority, RP Zone, Port, Target, Weight) and optional parameters (Comment, + Additional Parameters) from the action settings. - | Parameter | Type | Mandatory | Description | + 2. **Validation**: It validates that the required strings are provided and that + numerical parameters (Priority, Port, Weight) are valid integers. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: It initializes the Infoblox API manager and sends a POST + request to create the SRV rule in the specified RPZ. - | Name | String | Yes | The name of the rule to be created. | + 4. **Result Reporting**: Upon success, it adds the created rule details to the + action result as a JSON object and a data table for visibility. - | Priority | String | Yes | The priority of the SRV record. Must be a non-negative - integer (0-65535). | - | RP Zone | String | Yes | The name of the response policy zone where the record - will reside. | + ### Parameters - | Port | String | Yes | The port of the SRV record. Must be a non-negative integer - (0-65535). | + | Parameter | Type | Mandatory | Description | - | Target | String | Yes | The target host associated with the record. | + | :--- | :--- | :--- | :--- | - | Weight | String | Yes | The weight of the SRV record. Must be a non-negative - integer (0-65535). | + | Name | string | Yes | The name of the rule. | - | Comment | String | No | An optional comment for the rule. | + | Priority | string | Yes | The priority of the SRV record rule. | - | Additional Parameters | String | No | An optional JSON object containing extra - parameters for the Infoblox API call. | + | RP Zone | string | Yes | The name of the response policy zone in which the record + resides. | + | Port | string | Yes | The port of the SRV record rule. | - ### Flow Description + | Target | string | Yes | The target of the SRV record rule. | - 1. **Parameter Extraction:** The action retrieves the API configuration and the - rule details from the input parameters. + | Weight | string | Yes | The weight of the SRV record rule. | - 2. **Validation:** It validates that mandatory fields (Name, RP Zone, Target) - are provided and that numeric fields (Priority, Port, Weight) are valid integers - within the allowed range (0-65535). + | Comment | string | No | Text associated with the record. | - 3. **API Interaction:** It uses the Infoblox API Manager to send a POST request - to the `/record:rpz:srv` endpoint with the rule details. - - 4. **Result Processing:** If successful, it returns the created rule's details - in JSON format and displays them in a data table. If it fails, an error message - is returned. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | ### Additional Notes - - The `Priority`, `Port`, and `Weight` parameters are passed as strings but must - represent valid integers between 0 and 65535. - - - The `Additional Parameters` must be a valid JSON object if provided. + This action performs a write operation on the Infoblox NIOS system. Ensure the + provided credentials have sufficient permissions to create records in the target + RPZ. capabilities: can_create_case_comments: false can_create_insight: false @@ -646,12 +929,18 @@ Create RPZ SRV Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new SRV record override in the specified Response Policy Zone (RPZ) - on the Infoblox NIOS server. + Creates a new SRV record override in the Infoblox Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new SRV record + rule. It does not fetch data from external systems, nor does it modify internal + SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action is a mutation action that creates a new record in an external system. + It does not retrieve data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -667,52 +956,91 @@ Create RPZ SRV Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It operates solely + based on the input parameters provided in the action configuration. Create RPZ TXT Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a specific DNS rule (RPZ TXT) in Infoblox. While RPZ is a + security control, this action is a generic rule creation and does not explicitly + map to the provided categories like 'Add IOC To Blocklist' (which implies a + specific blocklist management workflow) or others. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create RPZ TXT Rule** action allows users to add a TXT record rule within - a specific Response Policy Zone (RPZ) in Infoblox NIOS. This is typically used - to associate descriptive text or metadata with DNS responses for security policies - or administrative tracking. + This action creates a new Response Policy Zone (RPZ) TXT rule within the Infoblox + NIOS system. It allows users to associate specific text data with a DNS response + by defining a rule within a designated RPZ zone. This is typically used for DNS-based + policy enforcement or information dissemination. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the required configuration parameters: + `RP Zone`, `Name`, `Text`, `Comment`, and `Additional Parameters`. - | :--- | :--- | :--- | :--- | + 2. **Validation**: It validates that the mandatory string parameters (`RP Zone`, + `Name`, `Text`) are provided and that `Additional Parameters` is a valid JSON + object. - | **RP Zone** | String | Yes | The FQDN of the Response Policy Zone where the - rule will be created. | + 3. **API Interaction**: The action initializes the `APIManager` and sends a POST + request to the Infoblox NIOS API to create the RPZ TXT rule. - | **Name** | String | Yes | The name of the rule (e.g., the domain name being - handled). | + 4. **Result Processing**: Upon success, it adds the created rule details as a + JSON result and a data table to the action output. If the operation fails, it + logs the error and sets the execution state to failed. - | **Text** | String | Yes | The text data to be associated with the TXT record. - | - | **Comment** | String | No | An optional comment to describe the purpose of the - rule. | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - | **Additional Parameters** | String | No | A JSON-formatted string containing - additional fields supported by the Infoblox WAPI for TXT records. | + | :--- | :--- | :--- | :--- | + | RP Zone | String | Yes | The zone to assign the rule to. | - ### Flow Description + | Name | String | Yes | The name of the rule. | - 1. **Parameter Extraction:** The action retrieves the RP Zone, Name, Text, and - optional fields from the user input. + | Text | String | Yes | Text associated with the record. | - 2. **Validation:** It ensures mandatory strings are non-empty and validates that - 'Additional Parameters' is a valid JSON object. + | Comment | String | No | Comment for this rule. | + + | Additional Parameters | String | No | JSON object containing additional parameters + to create response policy zone. | - 3. **API Interaction:** It constructs a POST request to the Infoblox NIOS WAPI - (`/record:rpz:txt`) with the provided data. The rule name is automatically formatted - to include the zone if not already present. - 4. **Result Processing:** Upon success, the action returns the raw JSON response - and displays a summary table of the created TXT rule in the Google SecOps interface. + ### Additional Notes + + This action does not operate on entities and is strictly a configuration mutation + action for the Infoblox NIOS appliance. capabilities: can_create_case_comments: false can_create_insight: false @@ -721,12 +1049,18 @@ Create RPZ TXT Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new TXT record rule within a specified Response Policy Zone (RPZ) - in the Infoblox NIOS system via a POST request. + Creates a new RPZ TXT rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ TXT + rule. It does not fetch data from external systems, nor does it modify internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creates a rule) and does not fetch data for + enrichment, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -742,74 +1076,93 @@ Create RPZ TXT Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities; it operates on configuration + parameters provided by the user. Create Response Policy Zone: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a Response Policy Zone in Infoblox. This does not match any + of the provided categories (e.g., it is not an IOC blocklist, ticket, or identity + management action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Creates a new Response Policy Zone (RPZ) in Infoblox NIOS to define custom DNS - responses. This action allows administrators to programmatically configure DNS - security policies, such as blocking specific domains or redirecting traffic, by - creating a dedicated zone with specific policies, severities, and types. + Creates a new Response Policy Zone (RPZ) in the Infoblox NIOS system. This action + allows users to define custom DNS response policies by specifying the FQDN, policy + type, severity, and optional parameters like substitute names or comments. It + interacts with the Infoblox API to provision the zone and returns the created + zone details in a data table. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | FQDN | String | Yes | The name of the DNS zone in FQDN format. | - - | Substitute Name | String | No | The alternative name of the redirect target, - used when the policy involves substitution. | + | FQDN | string | Yes | The name of this DNS zone in FQDN format. | - | Comment | String | No | A descriptive comment for the zone. | + | Substitute Name | string | No | The alternative name of the redirect target + as a substitute response policy zone. | - | RPZ Policy | DDL | No | The override policy for the zone. Options include: DISABLED, - GIVEN, NODATA, NXDOMAIN, PASSTHRU, SUBSTITUTE. Default is GIVEN. | + | Comment | string | No | Comment for the zone. | - | RPZ Severity | DDL | No | The severity level assigned to the zone. Options include: - CRITICAL, MAJOR, WARNING, INFORMATIONAL. Default is MAJOR. | + | RPZ Policy | ddl | No | The override policy of the response policy zone. Options: + DISABLED, GIVEN, NODATA, NXDOMAIN, PASSTHRU, SUBSTITUTE. Default: GIVEN. | - | RPZ Type | DDL | No | The type of the Response Policy Zone. Options include: - FEED, FIREEYE, LOCAL. Default is LOCAL. | + | RPZ Severity | ddl | No | The severity of the response policy zone. Options: + CRITICAL, MAJOR, WARNING, INFORMATIONAL. Default: MAJOR. | - | Fireeye Rule Mapping | String | No | A JSON object string containing rules to - map FireEye alerts to the zone. | - - | Additional Parameters | String | No | A JSON object string containing any additional - parameters supported by the Infoblox WAPI for zone creation. | - - - ### Additional Notes + | RPZ Type | ddl | No | The type of the Response Policy Zone. Options: FEED, FIREEYE, + LOCAL. Default: LOCAL. | - - This action does not operate on entities; it is a management action that requires - manual input of the FQDN. + | Fireeye Rule Mapping | string | No | Rules to map FireEye alerts. | - - If 'Fireeye Rule Mapping' or 'Additional Parameters' are provided, they must - be valid, parseable JSON objects. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | ### Flow Description - 1. **Parameter Initialization**: The action retrieves the Infoblox connection - details and the user-provided parameters (FQDN, Policy, etc.). + 1. **Parameter Extraction**: The action extracts the provided configuration parameters + (FQDN, policy, severity, etc.) from the action settings. - 2. **Validation**: It validates that the FQDN is a non-empty string and attempts - to parse 'Fireeye Rule Mapping' and 'Additional Parameters' as JSON objects. + 2. **Validation**: It validates the required FQDN string and parses optional JSON + parameters (FireEye mapping and Additional Parameters). - 3. **API Request**: The action calls the Infoblox WAPI via a POST request to the - `zone_rp` endpoint, passing the constructed configuration body. + 3. **API Interaction**: It initializes the Infoblox API manager and sends a POST + request to the Infoblox NIOS API (`/zone_rp`) to create the new Response Policy + Zone. - 4. **Response Handling**: Upon a successful API call, the action parses the returned - zone data. - - 5. **Output Generation**: It adds the raw JSON response to the action results - and constructs a data table named "RP Zone" containing the details of the newly - created zone. - - 6. **Finalization**: The action completes with a success message indicating the - zone was created. + 4. **Result Processing**: Upon success, it adds the created zone details to the + action result as a JSON object and a data table. If the creation fails, it logs + the error and sets the execution state to failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -818,12 +1171,20 @@ Create Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Response Policy Zone (RPZ) configuration in the external Infoblox - NIOS system via a POST request to the WAPI. + Creates a new Response Policy Zone (RPZ) in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new Response + Policy Zone (can_mutate_external_data=true). It does not fetch data from external + systems (fetches_data=false). It does not modify internal SOAR case data, entities, + or alerts (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system (Infoblox) and does + not retrieve data or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -839,74 +1200,95 @@ Create Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes configuration parameters directly + from the action settings to perform its task. DHCP Lease Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (DHCP lease info) for a resource (IP/MAC), + which aligns with the 'Enrich Asset' category. It does not perform threat intelligence + lookups (Enrich IOC), nor does it modify alerts, tickets, or external configurations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves DHCP lease details from Infoblox NIOS for a specific MAC address, IP - address, or other identifiers. This action is essential for incident response - and network forensics, as it helps identify the device and user associated with - a specific network address at a given time. It queries the Infoblox WAPI `/lease` - endpoint and returns detailed information about the lease's state, duration, and - client metadata. - + Retrieves DHCP lease details from Infoblox NIOS based on provided search criteria. + This action allows analysts to query for lease information using various identifiers + such as IP address, MAC address, hostname, or DUID. The action fetches the relevant + lease records from the Infoblox API and presents them in a structured table and + JSON format for further investigation. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | IP Address | string | No | The IPv4 or IPv6 address to search for in the DHCP - leases. | - - | Hardware | string | No | The MAC address for IPv4 leases. Supports regex or - exact search. | + ### Flow Description - | Hostname | string | No | The hostname sent via DHCP option 12. Supports regex - or exact search. | + 1. **Parameter Extraction**: The action extracts search parameters (IP Address, + Hardware, Hostname, IPv6 DUID, Protocol, Fingerprint, Username, and Limit) from + the action configuration. - | IPv6 DUID | string | No | The IPv6 DUID identifier for IPv6 leases. Supports - regex or exact search. | + 2. **Validation**: It validates the provided parameters, ensuring the IP address + format is correct and the limit is a valid integer. - | Protocol | ddl | No | Filters results by protocol: BOTH, IPV4, or IPV6. Default - is Both. | + 3. **API Interaction**: It initializes the Infoblox API manager and performs a + GET request to the Infoblox `/lease` endpoint using the provided filters. - | Fingerprint | string | No | The DHCP client fingerprint. Supports case-insensitive - or regex search. | + 4. **Result Processing**: The retrieved lease records are processed, converted + into a readable CSV format, and added to the action results as a data table and + raw JSON. - | Username | string | No | The user associated with the lease request. Supports - case-insensitive or regex search. | - | Limit | string | No | Maximum number of objects to return. Default is 100. | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action initializes the API manager and extracts user-provided - parameters. + | IP Address | string | No | Lease IP address (IPv4 or IPv6). | - 2. **Validation**: It validates the 'Limit' parameter to ensure it is a positive - integer and verifies the format of the 'IP Address' if provided. + | Hardware | string | No | MAC address for IPv4 leases. Regex or exact search + supported. | - 3. **Data Retrieval**: It sends a GET request to the Infoblox NIOS `/lease` endpoint, - applying filters for IP, MAC, hostname, DUID, fingerprint, and username as specified. + | Hostname | string | No | Hostname sent via DHCP option 12. Regex/exact search. + | - 4. **Processing**: The action iterates through the results, mapping them to a - structured data model and preparing a subset (up to 20 records) for display in - a data table. + | IPv6 DUID | string | No | IPv6 DUID identifier for IPv6 leases. Regex/exact + search. | - 5. **Completion**: It outputs the full result set as JSON and populates the 'DHCP - Lease Lookup Data' table in the Google SecOps UI. + | Protocol | ddl | No | One of: BOTH, IPV4, IPV6; exact match only. Default: Both. + | + | Fingerprint | string | No | DHCP client fingerprint; case-insensitive or regex + search. | - ### Additional Notes + | Username | string | No | User associated with lease request; case-insensitive/regex + search. | - - This action does not automatically iterate over entities in the case scope; - it relies on the parameters provided in the action configuration. - - - Regex search is supported for Hardware, Hostname, IPv6 DUID, Fingerprint, and - Username parameters. + | Limit | string | No | Maximum numbers of objects to be returned. Default: 100. + | capabilities: can_create_case_comments: false can_create_insight: false @@ -917,8 +1299,16 @@ DHCP Lease Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve DHCP lease + information. It does not modify any external systems, nor does it update internal + SOAR entities, insights, or case data. It is a read-only lookup action. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) to provide context + (DHCP lease details). It does not mutate external systems or modify internal + SOAR data, satisfying the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -934,51 +1324,71 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its lookup, therefore it does not run + on specific entity types. Delete RPZ Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes an RPZ rule in Infoblox. RPZ rules are typically used for + DNS-based blocking. Deleting such a rule is equivalent to removing an IOC from + a blocklist. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Deletes a specific Response Policy Zone (RPZ) rule from the Infoblox NIOS system + using the provided Reference ID. This action interacts with the Infoblox API to + remove the rule, effectively modifying the external DNS filtering configuration. - Deletes a specific Response Policy Zone (RPZ) rule from Infoblox NIOS. This action - is designed to remove existing rules by targeting their unique internal reference - ID. It supports all RPZ record types (such as A, AAAA, CNAME, TXT, etc.) because - the Infoblox API handles the deletion based on the object's specific reference - identifier. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Reference ID | String | Yes | The unique reference identifier (often starting - with `record:rpz:...`) of the RPZ rule to be deleted. | + | Reference ID | string | Yes | The unique reference ID of the RPZ rule to be + deleted. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Infoblox connection details - (API Root, Username, Password) and the mandatory `Reference ID` from the action - parameters. - - 2. **Validation**: It validates that the `Reference ID` is a non-empty string. - - 3. **API Interaction**: The action initializes the `APIManager` and executes a - `DELETE` request to the Infoblox WAPI endpoint using the provided reference ID. + 1. The action extracts the 'Reference ID' parameter provided by the user. - 4. **Error Handling**: The action includes specific error handling for `ItemNotFoundException` - (404 errors), providing a clear message if the rule does not exist. It also catches - general Infoblox and system exceptions. + 2. It initializes the `APIManager` using the configured Infoblox NIOS integration + credentials. - 5. **Completion**: If the deletion is successful, the action returns a success - message and sets the execution state to completed. + 3. It executes a DELETE request to the Infoblox API using the provided 'Reference + ID' to remove the corresponding RPZ rule. - - ### Additional Notes - - This action does not process entities from the Google SecOps case. It operates - strictly on the provided `Reference ID` parameter. Users typically obtain this - ID from the output of a search or creation action within the same integration. + 4. The action returns a success message if the deletion is successful, or an error + message if the rule is not found or if the API request fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -987,12 +1397,18 @@ Delete RPZ Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific RPZ rule record from the Infoblox NIOS server, which modifies - the active DNS security policy configuration. + Deletes an RPZ rule from the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a specific + RPZ rule. It does not fetch data, nor does it modify internal SOAR entities + or case data. categories: enrichment: false + reasoning: >- + The action performs a mutation (deletion) on an external system and does not + retrieve data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1008,24 +1424,69 @@ Delete RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses a direct input parameter 'Reference + ID' to identify the rule to delete. Delete Response Policy Zone: - ai_description: "### General Description\nDeletes an existing Response Policy Zone\ - \ (RPZ) from the Infoblox NIOS server. This action is used to programmatically\ - \ remove DNS security policies that are no longer required, identified by their\ - \ unique internal reference ID.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Reference ID |\ - \ String | Yes | The unique internal reference ID (e.g., `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com/default`)\ - \ of the response policy zone to be deleted. |\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Infoblox API manager using the provided integration\ - \ credentials (API Root, Username, and Password).\n2. **Parameter Validation**:\ - \ It validates that the `Reference ID` is provided and is a non-empty string.\n\ - 3. **API Execution**: The action sends a `DELETE` request to the Infoblox WAPI\ - \ endpoint corresponding to the specific resource reference.\n4. **Error Handling**:\ - \ \n * If the reference ID is not found (404), it returns a specific 'not found'\ - \ error message.\n * If the API returns a success, it confirms the deletion.\n\ - \ * General Infoblox or connection errors are caught and reported as failures.\n\ - 5. **Completion**: The action terminates, returning a success message and a boolean\ - \ result indicating whether the deletion was successful." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a Response Policy Zone in Infoblox. This is a configuration + management task and does not align with the provided SOC response categories + such as enrichment, ticket management, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Deletes a specific Response Policy Zone (RPZ) from the Infoblox NIOS system. This + action is used to remove existing policy zones by their reference ID. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Reference ID | string | Yes | The unique reference ID of the Response Policy + Zone to be deleted. | + + + ### Flow Description + + 1. The action extracts the `Reference ID` from the provided parameters. + + 2. It initializes the `APIManager` using the integration's configuration (API + root, credentials, and SSL settings). + + 3. It sends a `DELETE` request to the Infoblox API endpoint corresponding to the + provided `Reference ID`. + + 4. The action handles potential errors, such as `ItemNotFoundException` if the + zone does not exist, or general API errors, and returns a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1034,12 +1495,20 @@ Delete Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a Response Policy Zone resource from the Infoblox NIOS server via a - DELETE request. + Removes an existing Response Policy Zone from the Infoblox system using the + provided reference ID. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a Response + Policy Zone. It does not fetch data, nor does it modify any internal SOAR data + or entities. categories: enrichment: false + reasoning: >- + The action is a management/mutation action that deletes data in an external + system. It does not fetch data and does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1055,76 +1524,106 @@ Delete Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It operates based + on a provided `Reference ID` parameter. Get Response Policy Zone Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves configuration details for a Response Policy Zone. It does + not match any of the defined categories such as Enrich IOC, Enrich Asset, or + Update Alert, as it is a specific configuration retrieval task for DNS infrastructure. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - Retrieves configuration details for a specified Response Policy Zone (RPZ) from - Infoblox NIOS. This action allows users to query for zone information using filters - such as FQDN, DNS view, and comments. It is primarily used for administrative - visibility and auditing of DNS security policies. + the Infoblox NIOS system. This action allows users to query for RPZ information + based on specific filters such as FQDN, DNS view, or comments. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the provided input parameters: `FQDN`, `View`, `Comment`, + and `Limit`. - | :--- | :--- | :--- | :--- | + 2. It initializes a connection to the Infoblox NIOS API using the configured credentials. - | FQDN | String | No | The name of the DNS zone in FQDN format to filter the search. - | + 3. It performs a GET request to the Infoblox API to retrieve the RPZ details matching + the provided filters. - | View | String | No | The name of the DNS view in which the zone resides (e.g., - "external"). Defaults to "default". | + 4. If RPZ zones are found, it formats the results into a JSON object and a data + table for display in the action results. - | Comment | String | No | A comment string to filter the zones by (supports partial - matching). | + 5. If no zones are found, it returns an appropriate message. - | Limit | String | No | Maximum number of objects to be returned by the API. Defaults - to 100. | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Initialization**: The action extracts the integration configuration - (API Root, credentials) and the action parameters (FQDN, View, Comment, Limit). + | :--- | :--- | :--- | :--- | - 2. **Validation**: The 'Limit' parameter is validated to ensure it is a positive - integer. + | FQDN | string | No | The FQDN of the DNS zone to retrieve. | - 3. **API Interaction**: The action uses the `APIManager` to perform a GET request - to the Infoblox `/zone_rp` endpoint, applying the provided filters and handling - pagination if necessary. + | View | string | No | The name of the DNS view in which the zone resides (default: + "default"). | - 4. **Data Processing**: The raw JSON response is captured. If results are found, - the action maps the data to the `RPZone` model. + | Comment | string | No | A comment to filter the zones by. | - 5. **Output Generation**: The action adds the full JSON result to the execution - context and creates a data table named "Response Policy Zones" in the case, displaying - key attributes like Reference ID, FQDN, Policy, and Severity. + | Limit | string | No | The maximum number of objects to be returned (default: + "100"). | ### Additional Notes - - This action does not require or process specific entities from the Google SecOps - case; it operates based on the provided input parameters. - - - If no matching zones are found, the action completes with a success status but - notifies the user that no criteria were met. + This action is a read-only operation and does not modify any data on the Infoblox + appliance or within the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action creates a data table named 'Response Policy Zones' within the Google - SecOps case to display retrieved configuration details. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve configuration + details for Response Policy Zones. It does not modify any external system state + (no POST/PUT/DELETE), nor does it modify internal Google SecOps data (no entity + updates, insights, or case comments). categories: enrichment: false + reasoning: >- + The action retrieves configuration data from an external system but does not + perform enrichment on specific entities or alerts within the SOAR platform. + It is a general information retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1140,68 +1639,104 @@ Get Response Policy Zone Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any Google SecOps entities. It + operates independently of the target_entities list. IP Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (IPAM info) for an IP address, which + aligns with 'Enrich Asset' (contextual metadata for a resource) and 'Enrich + IOC' (reputation/prevalence/intelligence for an indicator). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Retrieves IP Address Management (IPAM) information from Infoblox NIOS based on - specific search criteria. This action allows users to query for details about - a single IP address, an entire network (CIDR), or a range of IP addresses. It - returns comprehensive data including status, MAC address, network associations, - and extended attributes. - + Retrieves IP Address Management (IPAM) information from Infoblox NIOS for a specified + IP address, network, or IP range. This action provides contextual metadata such + as IP status, usage, MAC address, and extended attributes, which helps in identifying + and managing network resources. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts configuration parameters (API + root, credentials) and action parameters (IP Address, Network, From/To IP, Status, + Extended Attributes, Limit). - | IP Address | String | No | The specific IP address to retrieve information for. - | + 2. **Validation**: It validates that at least one of the primary search parameters + (IP Address, Network, or IP Range) is provided and ensures that only one is specified. + It also validates the format of the provided IP addresses, networks, and the limit + integer. - | Network | String | No | The network in FQDN/CIDR format (e.g., 192.168.1.0/24). - | + 3. **API Interaction**: The action initializes the Infoblox API manager and performs + a lookup request to the Infoblox NIOS server based on the provided criteria. - | From IP | String | No | The start of the IP range. Must be used with 'To IP'. - | + 4. **Data Processing**: The retrieved records are processed into a structured + format, and the raw JSON response is added to the action results. - | To IP | String | No | The end of the IP range. Must be used with 'From IP'. - | + 5. **Output Generation**: The action generates a data table containing the IPAM + details (Reference ID, IP Address, Status, Types, Network, MAC Address, Names, + Usage, Comment, Is Conflict, Extended Attributes) and displays it in the action + results. - | Status | DDL | No | Filter by device status: All, Active, Used, or Unused. Default - is 'All'. | - | Extended Attributes | String | No | Comma-separated key/value filters (e.g., - 'Site=New York'). | + ### Parameters - | Limit | String | No | Maximum number of records to return. Default is 100. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | IP Address | string | No | The IP address to retrieve information for. Cannot + be used with Network or IP Range. | - - You must provide exactly one of the following: 'IP Address', 'Network', or both - 'From IP' and 'To IP'. + | Network | string | No | The network in FQDN/CIDR format. Cannot be used with + IP Address or IP Range. | - - The action will fail if multiple search types are provided simultaneously. + | From IP | string | No | The beginning of the IP range. Must be used with To + IP. | + | To IP | string | No | The end of the IP range. Must be used with From IP. | - ### Flow Description + | Status | ddl | No | The status of the IP device (All, Active, Used, Unused). + Default is 'All'. | - 1. **Parameter Extraction & Validation**: The action extracts input parameters - and ensures that exactly one search mode (IP, Network, or Range) is selected. - It also validates the format of IP and network strings. + | Extended Attributes | string | No | Comma-separated key/value formatted filter + for extended attributes (e.g., 'Site=New York'). | - 2. **API Connection**: Initializes a connection to the Infoblox NIOS WAPI using - provided credentials. + | Limit | string | No | Maximum number of objects to be returned. Default is '100'. + | - 3. **Data Retrieval**: Executes a GET request to the appropriate Infoblox endpoint - (`/ipv4address` or `/ipv6address`) with pagination support based on the provided - limit. - 4. **Data Processing**: Parses the raw API response into a structured format using - the `IPLookup` data model, flattening attributes for display. + ### Additional Notes - 5. **Output Generation**: Populates the action results with the raw JSON data - and creates an 'IP Lookup Data' table for the case wall. + Either the 'IP Address', 'Network', or the 'From IP'/'To IP' pair must be configured + for the action to run. Specifying more than one of these sets will result in an + error. capabilities: can_create_case_comments: false can_create_insight: false @@ -1212,8 +1747,16 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve IPAM information. + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR data (entities, insights, or case comments), only adding result + data (JSON and table) to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (Infoblox) and does not mutate + any external or internal data. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1229,38 +1772,91 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses `extract_action_param` + to retrieve parameters directly from the action configuration. Therefore, it + does not run on entities. List Host Info: - ai_description: "### General Description\nThe **List Host Info** action retrieves\ - \ detailed host records from Infoblox NIOS based on user-defined search criteria.\ - \ It is designed to provide visibility into host configurations, including hostnames,\ - \ associated IPv4 and IPv6 addresses (A/AAAA records), PTR records, DNS view information,\ - \ and any configured extensible attributes (EAs). This action is primarily used\ - \ for asset discovery and verifying DNS/IPAM configurations within the Infoblox\ - \ environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| **IPv4 Address** | String |\ - \ No | Filters host records by a specific IPv4 address. |\n| **Name** | String\ - \ | No | Filters host records by the hostname. |\n| **IPv6 Address** | String\ - \ | No | Filters host records by a specific IPv6 address. |\n| **Extended Attributes**\ - \ | String | No | A comma-separated list of key/value pairs (e.g., \"Site=New\ - \ York,Department=IT\") used to filter records based on Infoblox extensible attributes.\ - \ |\n| **Limit** | String | No | Specifies the maximum number of host records\ - \ to return from the API. Defaults to 100. |\n\n### Flow Description\n1. **Initialization:**\ - \ The action initializes the Infoblox API manager and extracts the provided search\ - \ parameters (Name, IPv4, IPv6, Extended Attributes, and Limit).\n2. **Validation:**\ - \ It validates that the provided IP addresses follow standard IPv4/IPv6 formats\ - \ and ensures the 'Limit' parameter is a valid positive integer.\n3. **API Query:**\ - \ The action performs a GET request to the Infoblox NIOS WAPI `/record:host` endpoint,\ - \ applying the specified filters. It utilizes a paginator to handle large result\ - \ sets up to the defined limit.\n4. **Data Transformation:** The raw JSON response\ - \ is processed. If records are found, they are mapped to the Host datamodel.\n\ - 5. **Output Generation:** \n - The full raw data is attached to the action's\ - \ JSON results.\n - A data table named \"Hosts\" is created, displaying key\ - \ attributes (Reference ID, Name, View, Zone, IP Addresses, etc.) for up to 20\ - \ records.\n - An output message summarizes the number of hosts found.\n\n\ - ### Additional Notes\n- This action does not process Google SecOps entities; it\ - \ operates strictly on the input parameters provided in the action configuration.\n\ - - If no search criteria are provided, the action will return all host records\ - \ available up to the specified limit." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves host records (hostname, IP, attributes) from Infoblox, + which provides contextual metadata for a resource, matching the 'Enrich Asset' + category. It also searches for the asset in the product, matching the 'Search + Asset' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves host records from Infoblox NIOS, including hostname, associated IPv4/IPv6 + addresses, PTR records, DNS view information, and configured extensible attributes. + This action allows users to query the Infoblox database based on specific host + identifiers or attributes to gather contextual information about network assets. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts configuration parameters (API + root, credentials) and action-specific parameters (Name, IPv4 Address, IPv6 Address, + Extended Attributes, Limit). + + 2. **Validation**: Validates the provided IP addresses and the limit parameter + to ensure they meet the required format and constraints. + + 3. **API Interaction**: Connects to the Infoblox NIOS API to search for host records + matching the provided criteria. + + 4. **Result Processing**: If records are found, it formats the data into a CSV-compatible + table and a JSON object, which are then added to the action results for the analyst + to review. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Name | String | No | The hostname for the record. | + + | IPv4 Address | String | No | IPv4 address information. | + + | IPv6 Address | String | No | IPv6 address information. | + + | Extended Attributes | String | No | Comma-separated key/value formatted filter + for extended attributes, e.g., "Site=New York,OtherProp=MyValue". | + + | Limit | String | No | Maximum number of objects to be returned. Defaults to + 100. | + + + ### Additional Notes + + This action is read-only and does not modify any data in Infoblox or the SOAR + platform. It is designed to provide asset context. capabilities: can_create_case_comments: false can_create_insight: false @@ -1271,8 +1867,17 @@ List Host Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve host information. + It does not perform any POST, PUT, or DELETE operations, meaning it does not + mutate external data. It does not modify internal SOAR data (entities, insights, + or case comments), it only adds result data (tables/JSON) to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (host records) from an external system (Infoblox) + to assist in investigations. It does not mutate external systems or modify internal + SOAR data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1288,50 +1893,98 @@ List Host Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided input parameters (Name, IP addresses) to perform + its query. List Network Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves network configuration metadata from Infoblox, which aligns + with the 'Enrich Asset' category (returning contextual metadata for a resource). + It does not search for assets associated with an alert, nor does it search historical + logs/telemetry events. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\n\nThe **List Network Info** action retrieves a list of - defined IPv4 and IPv6 networks and subnets from the Infoblox NIOS IPAM (IP Address - Management) system. This action is designed for general network discovery and - inventory management, allowing users to query the IPAM database for network configurations, - utilization data, and associated metadata.\n\n### Parameters Description\n\n| - Parameter | Type | Mandatory | Default | Description |\n| :--- | :--- | :--- | - :--- | :--- |\n| **Network** | String | No | N/A | The network address in CIDR - notation (e.g., \"192.168.1.0/24\"). If provided, the action filters for this - specific network. |\n| **Limit** | String | No | 100 | The maximum number of network - objects to be returned from the Infoblox server. |\n| **Extended Attributes** - | String | No | N/A | A comma-separated key/value formatted filter for extended - attributes (e.g., \"Site=New York,Environment=Production\"). |\n\n### Flow Description\n\n1. - **Parameter Extraction and Validation:** The action retrieves the integration - configuration and action parameters. It validates that the **Limit** is a positive - integer and that the **Network** (if provided) is in a valid CIDR format.\n2. - **API Request Construction:** The action constructs a GET request to the Infoblox - `/network` endpoint. If **Extended Attributes** are provided, they are parsed - and added as query parameters.\n3. **Data Retrieval:** The action performs a paginated - request to Infoblox to fetch the network information based on the specified criteria.\n4. - **Result Processing:** The raw JSON response is captured. The action then maps - the results to a structured `Network` data model, extracting fields such as Network - View, Utilization, and Comments.\n5. **Output Generation:** The action adds the - full JSON result to the execution context and creates a data table (showing up - to 20 records) for display in the Google SecOps case wall.\n\n### Additional Notes\n\n- - This action does not operate on specific entities (like IP or Hostname entities) - but rather performs a global query against the Infoblox IPAM database.\n- If no - parameters are provided, the action will return all defined networks up to the - specified limit. + Lists defined IPv4/IPv6 networks and subnets in Infoblox IPAM. This action retrieves + network configuration details based on provided filters and displays them in a + table format. + + + ### Flow + + 1. Extracts action parameters: `Network`, `Extended Attributes`, and `Limit`. + + 2. Validates the `Limit` and `Network` address format. + + 3. Queries the Infoblox API to retrieve network information matching the criteria. + + 4. Adds the raw JSON results to the action output. + + 5. If networks are found, formats the data into a table and adds it to the action + output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Network | string | No | The network address in CIDR notation (e.g., "192.168.1.0/24"). + | + + | Limit | string | No | Maximum number of objects to be returned. Defaults to + 100. | + + | Extended Attributes | string | No | Comma-separated key/value formatted filter + for extended attributes (e.g., "Site=New York"). | capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and JSON results to the action execution context - for display in the SOAR interface. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve network information. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: false + reasoning: >- + The action does not operate on entities (it does not take entities as input + or update them). Therefore, it does not meet the criteria for an Enrichment + Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1347,29 +2000,72 @@ List Network Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` and operates independently + of any specific entity. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Infoblox NIOS\ - \ server. It ensures that the provided integration credentials (Username, Password)\ - \ and the API Root URL are correct and that the network path is open.\n\n### Parameters\ - \ Description\nThere are no specific input parameters for this action. It relies\ - \ entirely on the global integration configuration parameters:\n* **API Root**:\ - \ The base URL of the Infoblox NIOS WAPI.\n* **Username**: The account username\ - \ for authentication.\n* **Password**: The account password for authentication.\n\ - \n### Additional Notes\n* This action is typically used during the initial setup\ - \ of the Infoblox NIOS integration or for troubleshooting communication issues.\n\ - * It performs a simple `GET` request to the Infoblox schema endpoint (`/?_schema`)\ - \ to validate the connection.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify context and logs the start of the process.\n\ - 2. **Parameter Retrieval**: It extracts the global integration configuration (API\ - \ Root, Username, Password).\n3. **Manager Setup**: An `APIManager` instance is\ - \ created using the retrieved credentials.\n4. **Connectivity Test**: The manager\ - \ executes a `GET` request to the Infoblox WAPI schema endpoint.\n5. **Result\ - \ Handling**: \n * If the request is successful, it logs a success message\ - \ and sets the execution state to completed.\n * If an exception occurs (e.g.,\ - \ authentication failure, timeout), it logs the error and sets the execution state\ - \ to failed.\n6. **Finalization**: The action ends by returning the connectivity\ - \ status and a descriptive message to the SOAR platform." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not fetch IOC data, update + alerts, or perform any of the other listed actions. It is a diagnostic tool + and does not match any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action tests the connectivity between the Google SecOps platform and the + Infoblox NIOS server. It verifies that the provided credentials and API root are + valid by attempting to retrieve the API schema. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action is intended for diagnostic purposes to ensure the integration is configured + correctly. + + + ### Flow Description + + 1. Extracts the integration configuration parameters (API Root, Username, Password) + from the environment. + + 2. Initializes the `APIManager` with the provided credentials. + + 3. Executes a `GET` request to the Infoblox API schema endpoint (`/?_schema`). + + 4. Returns a success message if the connection is established, or a failure message + if an exception occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -1380,8 +2076,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Infoblox server. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1397,64 +2101,92 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use any entity-specific + identifiers. It is a global connectivity test. Search RPZ Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for RPZ rules in Infoblox. It does not match any of the + provided categories (e.g., it is not an IOC enrichment, asset enrichment, or + alert update). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Searches for specific Response Policy Zone (RPZ) rules within Infoblox NIOS. This - action allows users to query the Infoblox WAPI for various RPZ record types (such - as A, CNAME, MX, or TXT) based on a rule name. It is primarily used for auditing - existing security policies or verifying the presence of specific DNS block/allow - rules. + This action searches for Response Policy Zone (RPZ) rules within the Infoblox + NIOS platform based on user-defined criteria. It allows users to query specific + object types and filter by rule name, returning the results in both JSON format + and a structured data table for easy analysis. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action initializes the connection to the Infoblox NIOS API using the provided + credentials. - | :--- | :--- | :--- | :--- | + 2. It extracts the action parameters: `Object Type` (mandatory), `Rule Name`, + `Output Fields`, and `Limit`. - | **Object Type** | DDL | Yes | The Infoblox object type to search for. Supported - types include `record:rpz:a`, `record:rpz:cname`, `record:rpz:txt`, etc. | + 3. It validates the `Limit` parameter to ensure it is a positive integer. - | **Rule Name** | String | No | The full name of the rule to search for (e.g., - `malicious.domain.com`). | + 4. It constructs the API request with the specified filters. - | **Output Fields** | String | No | A comma-separated list of specific fields - to retrieve from the Infoblox object (e.g., `address, comment`). | + 5. It executes the search query against the Infoblox API. - | **Limit** | String | No | The maximum number of rule objects to return in the - results. Defaults to 100. | + 6. If results are found, it formats them into a data table and adds the raw JSON + results to the action output. - ### Additional Notes - - - This action does **not** operate on entities from the alert context. It relies - entirely on the manual input provided in the parameters. + ### Parameters Description - - The action automatically includes default fields (`name`, `view`) in the output - even if not explicitly requested. + | Parameter | Type | Mandatory | Description | - - Results are displayed in a data table (up to 20 records) and the full raw data - is available in the JSON result. + | :--- | :--- | :--- | :--- | + | Object Type | String | Yes | The Infoblox object type to search (e.g., `record:rpz:cname`). + | - ### Flow Description + | Rule Name | String | No | The full rule name to search for. | - 1. **Initialization**: Extracts integration configuration (API Root, Credentials) - and action parameters. + | Output Fields | String | No | Comma-separated fields to include in the returned + object. | - 2. **Validation**: Validates the `Limit` parameter to ensure it is a positive - integer and processes the `Output Fields` string into a list. + | Limit | String | No | Maximum number of objects to be returned (default: 100). + | - 3. **API Request**: Executes a paginated GET request to the Infoblox WAPI endpoint - corresponding to the selected `Object Type` and `Rule Name`. - 4. **Data Transformation**: Parses the returned JSON data into `RPZRule` data - models. + ### Additional Notes - 5. **Output**: Adds the full result set to the action's JSON output and constructs - a data table for the SOAR case wall showing the rule details. + The `Limit` parameter must be a positive integer. If not provided, it defaults + to 100. The `Object Type` parameter is mandatory and must be one of the supported + Infoblox object types. capabilities: can_create_case_comments: false can_create_insight: false @@ -1465,8 +2197,16 @@ Search RPZ Rule: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to search for RPZ rules. + It does not modify any external or internal data. It does not interact with + SOAR entities. categories: enrichment: false + reasoning: >- + The action does not operate on SOAR entities (it does not use `target_entities`), + and it does not enrich existing alert or entity data. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1482,71 +2222,95 @@ Search RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on SOAR + entities. It is a standalone search action. Update RPZ CNAME Rule: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an existing RPZ CNAME rule in Infoblox. This is a configuration + change on an external security appliance. It does not match any of the specific + categories like 'Enrich IOC', 'Contain Host', or 'Update Ticket'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Updates an existing Response Policy Zone (RPZ) CNAME rule in Infoblox NIOS to - modify DNS behavior. This action allows for the modification of rule types, names, - and associated metadata for existing DNS security policies. - + modify DNS behavior. This action performs a configuration update on the external + Infoblox system based on the provided parameters. - ### Parameters Description + ### Flow - | Parameter | Type | Mandatory | Description | + 1. Extract action parameters (Reference ID, Rule Type, Name, RP Zone, etc.) from + the configuration. - | :--- | :--- | :--- | :--- | + 2. Validate that mandatory parameters (Reference ID, Name, RP Zone) are provided. - | Reference ID | String | Yes | The unique reference ID of the existing RPZ rule - to be updated. | + 3. Parse any additional parameters provided as a JSON string. - | Rule Type | DDL | Yes | The behavior of the rule. Options include: 'Passthru', - 'Block (No such Domain)', 'Block (No data)', and 'Substitute (Domain name)'. | + 4. Call the Infoblox API to update the specified RPZ CNAME rule using a PUT request. - | Name | String | Yes | The rule name in FQDN format. | + 5. Add the result JSON and a data table containing the updated rule details to + the action output. - | RP Zone | String | Yes | The Response Policy Zone to which the rule belongs. - | - | Comment | String | No | An optional comment describing the rule or the update. - | + ### Parameters - | Substitute Name | String | No | The substitute domain name to assign. This is - mandatory if the 'Rule Type' is set to 'Substitute (Domain name)'. | + | Parameter | Type | Mandatory | Description | - | View | String | No | The DNS view where the records are located. Defaults to - 'default'. | + | :--- | :--- | :--- | :--- | - | Additional Parameters | String | No | A JSON object string containing any additional - Infoblox WAPI parameters for the rule update. | + | Reference ID | string | Yes | The reference ID of the existing RPZ rule to update. + | + | Rule Type | ddl | Yes | The type of the rule to update (Passthru, Block (No + such Domain), Block (No data), Substitute (Domain name)). | - ### Additional Notes + | Name | string | Yes | The rule name in a FQDN format. | - - If 'Rule Type' is 'Substitute (Domain name)', the 'Substitute Name' parameter - must be provided. + | RP Zone | string | Yes | The zone to assign the rule to. | - - The action will fail if the 'Reference ID' does not exist or if the 'Substitute - (Domain name)' type is attempted on IP-based RPZ rules. + | Comment | string | No | Comment for this rule. | + | Substitute Name | string | No | The substitute name to assign (substitute domain + only). | - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves all input parameters, including - the mandatory 'Reference ID', 'Rule Type', 'Name', and 'RP Zone'. + | View | string | No | The DNS view in which the records are located. Defaults + to 'default'. | - 2. **Validation**: It validates that mandatory strings are non-empty and parses - 'Additional Parameters' if provided as a JSON string. + | Additional Parameters | string | No | JSON object containing additional parameters + to update the RPZ rule. | - 3. **Logic Determination**: Based on the selected 'Rule Type', the script determines - the correct 'canonical' value (e.g., '*' for Block (No data), 'rpz-passthru' for - Passthru, or the 'Substitute Name' for substitution rules). - 4. **API Interaction**: The action performs a PUT request to the Infoblox WAPI - using the provided 'Reference ID' to update the rule configuration. + ### Additional Notes - 5. **Result Processing**: Upon success, the action returns the updated rule details - in a JSON format and creates a data table named 'RPZ CNAME Rule' for the case - wall. + This action performs a direct mutation on the Infoblox NIOS system. Ensure the + provided Reference ID corresponds to an existing rule. capabilities: can_create_case_comments: false can_create_insight: false @@ -1555,12 +2319,18 @@ Update RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing RPZ CNAME rule configuration in the Infoblox NIOS system - via a PUT request to the WAPI. + Updates an existing RPZ CNAME rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Infoblox API to update an existing + RPZ CNAME rule. It does not fetch data for enrichment, nor does it modify internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external configuration) and does not + fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1576,3 +2346,6 @@ Update RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses parameters + provided in the action configuration. diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..e4f84e74a --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The infoblox_nios integration provides capabilities for managing DNS Firewall + protections (RPZs) and retrieving IPAM/DHCP/Host information. It qualifies for + 'Network Security' because it allows security teams to define RPZ rules that block + or redirect malicious DNS traffic at the gateway level. It also qualifies for + 'Asset Inventory' because it provides actions like 'IP Lookup', 'List Host Info', + and 'DHCP Lease Lookup', which retrieve contextual metadata about network assets + (IP, MAC, Hostname, etc.). It does not qualify for 'Threat Intelligence' because + it does not provide reputation scores or malware family data, nor does it qualify + for other categories like SIEM, EDR, or ITSM as it does not perform log analysis, + process-level inspection, or ticket management. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml index 7911363f6..9e10aa97f 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml @@ -1,11 +1,44 @@ Create Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a custom list in Infoblox. This does not match any of the + specific categories like 'Enrich IOC', 'Contain Host', or 'Create Ticket'. It + is a configuration management action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Creates a new custom list in the Infoblox Threat Defense platform. This action - allows users to define a named collection of indicators (such as IPv4 addresses, - IPv6 addresses, or domain names) that can be utilized within security policies - for filtering or threat management. + Creates a new custom list within the Infoblox Threat Defense platform. This action + allows users to define a new list by specifying its name, type, and optional attributes + such as description, confidence level, threat level, and tags. The action interacts + with the Infoblox API to provision the list and returns the created list details + in the action results. ### Parameters Description @@ -14,51 +47,41 @@ Create Custom List: | :--- | :--- | :--- | :--- | - | **Name** | string | Yes | The unique name of the Custom List to be created. - | - - | **Type** | string | Yes | The category or type of the Custom List (default is - 'custom_list'). | - - | **Items** | string | No | A comma-separated string of indicators (IPs or domains) - to populate the list initially. | - - | **Description** | string | No | A brief explanation of the list's purpose. | + | Name | string | Yes | The name of the Custom List to create. | - | **Confidence Level** | ddl | No | The confidence score associated with the list - indicators (High, Medium, Low). | - - | **Threat Level** | ddl | No | The severity of the threat associated with the - list (High, Medium, Low, Info). | - - | **Tags** | string | No | A JSON-formatted string of tags to categorize the list. + | Type | string | Yes | The type of Custom List to create (default: 'custom_list'). | + | Items | string | No | Comma-separated items to include in the Custom List. | - ### Additional Notes + | Description | string | No | A description for the Custom List. | + + | Confidence Level | ddl | No | The confidence level for this list (Options: High, + Medium, Low; default: 'High'). | - - The **Items** parameter must contain valid IPv4, IPv6, or domain name formats; - otherwise, the action will fail during validation. + | Threat Level | ddl | No | The threat level for this list (Options: High, Medium, + Low, Info; default: 'Low'). | - - The **Tags** parameter must be a valid JSON object string (e.g., `{"key": "value"}`). + | Tags | string | No | Tags to categorize and organize the Custom List. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Key) and user-provided action parameters. + 1. **Parameter Extraction**: The action retrieves the required configuration (API + root, key, SSL verification) and action-specific parameters. - 2. **Validation:** It validates that mandatory strings are present and that any - provided indicators in the 'Items' list match expected network patterns (IP/Domain). + 2. **Input Validation**: Validates that the 'Name' and 'Type' parameters are provided + and that any provided items are valid indicators. - 3. **Payload Construction:** A JSON payload is built containing the list metadata - and items. + 3. **Payload Construction**: Builds the JSON payload containing the list details, + including optional fields like description, confidence level, threat level, and + tags. - 4. **API Interaction:** The action sends a POST request to the Infoblox `/api/atcfw/v1/named_lists` - endpoint. + 4. **API Interaction**: Sends a POST request to the Infoblox API endpoint (`/api/atcfw/v1/named_lists`) + to create the custom list. - 5. **Result Processing:** Upon success, the action returns the raw JSON response - and generates a 'Custom List Details' data table in the Google SecOps interface. + 5. **Result Reporting**: Adds the API response as a JSON result and generates + a data table summarizing the created custom list details in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,12 +90,19 @@ Create Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new custom list resource in the Infoblox Threat Defense platform via - a POST request. + Creates a new custom list in the Infoblox Threat Defense platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a custom list in the external Infoblox + system. It does not fetch data from external sources, nor does it modify internal + SOAR entities, alerts, or case data. It is a configuration management action. categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system (Infoblox) and does + not retrieve data or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -88,59 +118,86 @@ Create Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it creates a custom list based on provided + parameters and does not reference `target_entities`. Create Network List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a network list in Infoblox. This does not fit the specific + categories provided (like Create Ticket, Blocklist, etc.). It is a configuration/management + action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates a new network list in the Infoblox Threat Defense system to define where + security policies should be applied. This action allows users to specify a name, + a list of items (such as IP addresses or CIDRs), and an optional description for + the new network list. - This action creates a new network list within Infoblox Threat Defense. Network - lists are used to group IP addresses or CIDR blocks, which can then be referenced - in security policies to control traffic or apply specific security rules. This - is a management action used to define network boundaries or groups for security - enforcement. + ### Flow Description - ### Parameters Description + 1. The action retrieves the necessary integration configuration (API root, API + key, SSL verification settings). - | Parameter | Type | Mandatory | Description | + 2. It extracts the action parameters: Name, Items, and Description. - | :--- | :--- | :--- | :--- | - - | Name | String | Yes | The unique name for the network list to be created. | + 3. It validates that the Name and Items parameters are provided and non-empty. - | Items | String | Yes | A comma-separated string of items (e.g., IP addresses - or CIDR blocks) to include in the network list. | + 4. It converts the comma-separated Items string into a list format. - | Description | String | No | An optional text description providing context or - purpose for the network list. | + 5. It sends a POST request to the Infoblox API to create the network list with + the provided details. + 6. Upon success, it adds the API response as a JSON result and a data table to + the action output. - ### Additional Notes - * The **Items** parameter must be provided as a comma-separated string; the action - will automatically parse this into a list for the API request. + ### Parameters Description - * The action performs validation to ensure that both **Name** and **Items** are - non-empty strings before attempting the API call. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Name | string | Yes | The name of the network list to be created. | - 1. **Parameter Extraction:** The action retrieves the 'Name', 'Items', and 'Description' - from the input parameters. + | Items | string | Yes | A comma-separated list of items (e.g., IP addresses, + CIDRs) to include in the network list. | - 2. **Validation:** It validates that the mandatory 'Name' and 'Items' fields are - not empty strings. + | Description | string | No | An optional description for the network list. | - 3. **Data Preparation:** The comma-separated 'Items' string is converted into - a Python list format. - 4. **API Interaction:** The action initializes the Infoblox API Manager and sends - a POST request to the `/api/atcfw/v1/network_lists` endpoint with the network - list details. + ### Additional Notes - 5. **Result Processing:** The action parses the API response, populates a 'Network - List Details' data table with the created list's metadata (ID, Name, Description, - Policy ID), and returns the raw JSON result. + - The action requires valid API credentials and connectivity to the Infoblox Threat + Defense API. If the creation fails, the action will return an error message and + set the execution state to failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -149,12 +206,19 @@ Create Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new network list resource in the Infoblox Threat Defense platform - via a POST request. + Creates a new network list in the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a network list in an external system + (Infoblox). It does not fetch data, update entities, or create insights. It + uses standard output methods (add_result_json, add_data_table) which do not + constitute internal data mutation. categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system rather than retrieving + data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -170,15 +234,51 @@ Create Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes input parameters directly + from the user configuration. Create Security Policy: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new security policy in Infoblox. This does not match any + of the provided categories (e.g., Enrich IOC, Create Ticket, Contain Host). + It is a configuration management action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Creates a new security policy in the Infoblox Threat Defense platform. This action - allows administrators to define policy names, descriptions, security rules, and - associations with network lists, DNS Forwarding Proxies (DFPs), and roaming device - groups. It also supports advanced security features like DNS rebinding protection - and safe search filtering. + This action creates a new security policy within the Infoblox Threat Defense system. + It allows users to define policy attributes such as name, description, rules, + associated network lists, DNS Forwarding Proxies (DFPs), roaming device groups, + and various security settings like DNS rebinding protection and safe search. The + action constructs a payload based on the provided parameters and sends a POST + request to the Infoblox API to provision the new policy. ### Parameters Description @@ -187,75 +287,75 @@ Create Security Policy: | :--- | :--- | :--- | :--- | - | Policy Name | string | True | The unique name for the security policy. | - - | Description | string | False | A brief description of the policy's purpose. - | + | Policy Name | string | Yes | The name of the security policy to create. | - | Rules | string | False | A JSON array of rule objects defining actions (e.g., - block, allow) and data types. | + | Description | string | No | A description for the security policy. | - | Network Lists | string | False | Comma-separated IDs of network lists to associate - with this policy. | + | Rules | string | No | A JSON array of objects defining security rules (action, + type, data, policy_name, redirect_name). | - | DFPS | string | False | Comma-separated IDs of DNS Forwarding Proxies to associate - with this policy. | + | Network Lists | string | No | Comma-separated IDs of network lists to associate + with the policy. | - | Roaming Device Groups | string | False | Comma-separated IDs of roaming device - groups to associate with this policy. | + | DFPS | string | No | Comma-separated IDs of DNS Forwarding Proxies to associate + with the policy. | - | Block DNS Rebinding | boolean | False | If true, enables protection against - DNS rebinding attacks. Default is false. | + | Roaming Device Groups | string | No | Comma-separated IDs of Roaming Device + Groups to associate with the policy. | - | Safe Search | boolean | False | If true, enables safe search filtering for the - policy. Default is false. | + | Block DNS Rebinding | boolean | No | Whether to block DNS rebinding attacks + (default: false). | - | Tags | string | False | A JSON object containing key-value pairs to categorize - the policy. | + | Safe Search | boolean | No | Whether to enable safe search filtering (default: + false). | - | Additional Parameters | string | False | A JSON object for advanced fields such - as precedence, access_codes, or doh_enabled. | + | Tags | string | No | JSON object containing tags to categorize the policy. | - - ### Additional Notes - - - The 'Rules' parameter must be a valid JSON array string. - - - The 'Tags' and 'Additional Parameters' must be valid JSON object strings. - - - 'Network Lists', 'DFPS', and 'Roaming Device Groups' expect comma-separated - integers. + | Additional Parameters | string | No | JSON object for additional settings (e.g., + precedence, access_codes, doh_enabled). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves all user-provided parameters - and validates that the mandatory 'Policy Name' is present. + 1. **Initialization**: The action extracts integration configuration (API root, + key, SSL verification) and action parameters. - 2. **Payload Construction:** It parses the input strings into their respective - formats (e.g., converting CSV strings to integer lists and JSON strings to Python - dictionaries). + 2. **Validation**: It validates that the mandatory `Policy Name` is provided. - 3. **API Interaction:** The action sends a POST request to the Infoblox API endpoint - `/api/atcfw/v1/security_policies` with the constructed payload. + 3. **Payload Construction**: It parses the input parameters, including converting + comma-separated lists to integer lists and parsing JSON strings for rules, tags, + and additional parameters. - 4. **Result Processing:** Upon success, the action returns the raw JSON response - of the created policy and generates a data table titled 'Security Policy Details' - for the case wall. + 4. **API Execution**: It sends a POST request to the Infoblox API to create the + security policy. + + 5. **Result Handling**: Upon success, it adds the resulting JSON and a data table + containing the policy details to the SOAR action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new security policy configuration within the Infoblox Threat Defense - platform via a POST request. + Creates a new security policy in the Infoblox Threat Defense system. fetches_data: false - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds result JSON and a data table to the SOAR action results. + reasoning: >- + The action performs a POST request to create a security policy in an external + system (Infoblox), which constitutes external data mutation. It does not fetch + data from external systems. It performs internal mutation by adding result JSON + and a data table to the SOAR action results, but it does not update entities, + create insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action creates a new security policy in an external system. It does not + fetch data, nor does it perform any of the allowed internal mutations (Case + Comments, Insights, Entity Updates) that would qualify it as an enrichment action. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -271,62 +371,67 @@ Create Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific logic. + It operates on global configuration parameters to create a security policy in + the external system. DHCP Lease Lookup: - ai_description: >- - ### General Description - - The **DHCP Lease Lookup** action retrieves detailed DHCP lease information from - Infoblox DDI based on user-defined filter criteria. This action is designed to - help security analysts identify IP address assignments, hostnames, and hardware - (MAC) addresses associated with network devices, providing critical context during - investigations. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **DHCP Lease Filter** | string | No | A logical expression used to filter DHCP - leases (e.g., `address == "192.168.1.1"` or `hostname == "ubuntu"`). | - - | **Offset** | string | No | The starting point for pagination (default is "0"). - | - - | **Limit** | string | No | The maximum number of lease records to return (default - is "100"). | - - | **Order By** | string | No | A comma-separated list of fields to sort the results - by, supporting ascending (`asc`) or descending (`desc`) order. | - - - ### Additional Notes - - - This action does not operate on specific entities within the Google SecOps case; - it relies entirely on the provided filter string to query the Infoblox database. - - - The results are presented both as a raw JSON object and as a formatted data - table named "DHCP Leases". - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the API configuration and user-provided - filter, pagination, and sorting parameters. - - 2. **Validation**: The `Offset` and `Limit` parameters are validated to ensure - they are non-negative integers. - - 3. **API Request**: A GET request is sent to the Infoblox `/api/ddi/v1/dhcp/lease` - endpoint using the specified filters. - - 4. **Data Processing**: The retrieved lease records are parsed and converted into - a flat format suitable for display. - - 5. **Output Generation**: The action populates the JSON result with the full API - response and creates a data table containing the lease details for visibility - in the case wall. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves DHCP lease information, which provides contextual metadata + (IP, MAC, Hostname) for network assets. This aligns with the 'Enrich Asset' + category. It does not perform IOC enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves DHCP lease information\ + \ from Infoblox Threat Defense with DDI based on specified filter criteria. It\ + \ allows analysts to query for network lease records, such as IP addresses, hostnames,\ + \ and hardware addresses, to assist in asset identification and network troubleshooting.\n\ + \n### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API root, API key, SSL verification) and action parameters (DHCP Lease Filter,\ + \ Offset, Limit, Order By).\n2. **Validation**: Validates the `Offset` and `Limit`\ + \ parameters to ensure they are non-negative integers.\n3. **Data Retrieval**:\ + \ Queries the Infoblox API to fetch DHCP lease records matching the provided filter\ + \ criteria.\n4. **Result Processing**: \n - Adds the raw JSON response to the\ + \ action results.\n - If records are found, converts them into a structured\ + \ format and adds a data table titled \"DHCP Leases\" to the action results.\n\ + \ - Sets an output message indicating the number of records retrieved.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| DHCP Lease Filter | string | No | Filter DHCP\ + \ leases by specific criteria (e.g., address == \u201C127.0.0.1\u201D and hostname\ + \ == \u201Cubuntu\u201D). |\n| Offset | string | No | Specify the offset from\ + \ where to start pagination. Default is \"0\". |\n| Limit | string | No | Specify\ + \ the maximum number of results to return. Default is \"100\". |\n| Order By |\ + \ string | No | Comma-separated JSON fields to sort the results. Use asc or desc\ + \ for sort direction. Supports dot notation for nested fields. |\n\n### Additional\ + \ Notes\n- This action is a read-only operation and does not modify any data in\ + \ Infoblox or the SOAR platform.\n- The action result includes both a raw JSON\ + \ object and a formatted table for easier viewing in the SOAR interface." capabilities: can_create_case_comments: false can_create_insight: false @@ -337,8 +442,19 @@ DHCP Lease Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve DHCP lease + information. It does not modify any external systems or internal SOAR data (entities, + insights, or alerts). It only populates the action result with JSON and a data + table. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Infoblox) but does not meet + the criteria for an enrichment action. Enrichment actions are restricted to + updating entities, creating insights, or adding comments. This action only adds + a result table and JSON to the action result, which does not qualify as an internal + mutation of the case data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -354,73 +470,61 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided parameters to perform the lookup. DNS Record Lookup: - ai_description: >- - ### General Description - - - The **DNS Record Lookup** action performs a DNS record query to retrieve associated - IP addresses or domains from Infoblox Threat Defense. This action is designed - as a search tool that allows analysts to query the Infoblox DDI database for specific - DNS records using customizable filters, tags, and sorting parameters. It is particularly - useful for infrastructure discovery, verifying DNS configurations, and investigating - domain-to-IP mappings during security incidents. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **DNS Record Filter** | String | No | A logical expression used to filter DNS - records (e.g., `type=='PTR' and absolute_zone_name == 'Test'`). | - - | **Tag Filter** | String | No | A logical expression used to filter DNS records - based on specific tags (e.g., `'nios/federation_enabled'==true`). | - - | **Offset** | String | No | The starting point for pagination. Defaults to "0". - | - - | **Limit** | String | No | The maximum number of results to return. Defaults - to "100". | - - | **Order By** | String | No | A comma-separated list of JSON fields to sort the - results. Supports `asc` or `desc` directions and dot notation for nested fields. - | - - - ### Additional Notes - - - - This action does not operate on specific entities within a case; it is a global - lookup tool based on the provided input parameters. - - - The action displays up to 20 records in the "DNS Records" data table for quick - reference, while the full result set is available in the JSON output. - - - ### Flow Description - - - 1. **Parameter Extraction:** The action retrieves the user-provided filters, pagination - settings (Offset, Limit), and sorting preferences (Order By). - - 2. **Validation:** The `Offset` and `Limit` parameters are validated to ensure - they are non-negative integers, with `Limit` specifically required to be greater - than zero. - - 3. **API Execution:** The action initializes the Infoblox API Manager and performs - a GET request to the DNS record endpoint using the configured filters and pagination - parameters. - - 4. **Data Transformation:** The retrieved DNS records are parsed and mapped to - a structured data model. The action flattens the data for tabular display. - - 5. **Result Reporting:** The full API response is attached as a JSON result to - the action. Additionally, a summary table titled "DNS Records" is created containing - the first 20 records for immediate visibility in the Google SecOps interface. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a GET request to retrieve DNS records from Infoblox. This + matches the 'Search Events' category as it returns historical logs or telemetry + data. It does not match 'Enrich IOC' as it does not return reputation or threat + intelligence. It does not mutate any external or internal data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Performs a DNS record query to retrieve associated IPs or domains\ + \ from the Infoblox Threat Defense with DDI platform. This action allows users\ + \ to filter DNS records by specific criteria or tags, and supports pagination\ + \ and sorting of the results. The retrieved records are displayed in a data table\ + \ and added to the action's result JSON.\\n\\n### Flow:\\n1. Extract action parameters\ + \ (DNS Record Filter, Tag Filter, Offset, Limit, Order By).\\n2. Initialize the\ + \ APIManager with integration credentials.\\n3. Execute the `dns_record_lookup`\ + \ API call to fetch DNS records.\\n4. Parse the API response into `DNSRecord`\ + \ data models.\\n5. Add the raw JSON response to the action results.\\n6. Display\ + \ the records in a data table.\\n\\n### Parameters:\\n| Parameter | Type | Mandatory\ + \ | Description |\\n| :--- | :--- | :--- | :--- |\\n| DNS Record Filter | string\ + \ | No | Filter DNS records by specific criteria (e.g., type==\u201DPTR\u201D\ + \ and absolute_zone_name == \u201CTest\u201D). |\\n| Tag Filter | string | No\ + \ | Filter DNS records by specific tags (e.g., 'nios/federation_enabled'==true).\ + \ |\\n| Offset | string | No | Specify the offset from where to start pagination.\ + \ Defaults to \"0\". |\\n| Limit | string | No | Specify the maximum number of\ + \ results to return. Defaults to \"100\". |\\n| Order By | string | No | Comma-separated\ + \ JSON fields to sort the results. |\\n\\n### Additional Notes:\\nNone." capabilities: can_create_case_comments: false can_create_insight: false @@ -431,8 +535,16 @@ DNS Record Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a GET request to retrieve DNS records (fetches_data=true). + It does not mutate any external or internal data. It does not update entities, + create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches DNS records from an external source (Infoblox) without modifying + any external or internal state. It meets the criteria for an enrichment action + as it proactively retrieves data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -448,41 +560,101 @@ DNS Record Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It performs a general lookup based on user-provided filters, so + it does not run on any specific entity types. Get Custom List: - ai_description: "### General Description\nRetrieves the contents and metadata of\ - \ custom lists from Infoblox Threat Defense. This action allows users to fetch\ - \ specific lists by their unique ID, search for lists by a combination of name\ - \ and type, or list all available custom lists using tag-based filters and pagination.\ - \ The retrieved data includes list IDs, names, descriptions, confidence levels,\ - \ threat levels, and item counts.\n\n### Parameters Description\n| Parameter |\ - \ Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Custom List\ - \ ID | The unique identifier of the Custom List to retrieve. If provided, this\ - \ takes precedence over other search parameters. | String | No |\n| Name | The\ - \ name of the custom list to search for. Must be used in conjunction with the\ - \ 'Type' parameter for a specific lookup. | String | No |\n| Type | The category\ - \ of the custom list (e.g., 'custom_list'). Defaults to 'custom_list'. | String\ - \ | No |\n| Tag Filter | A logical expression to filter results by tags (e.g.,\ - \ `'tag_name'='tag_value'`). | String | No |\n| Tag Sort Filter | Specifies the\ - \ tag field by which to sort the results. | String | No |\n| Offset | The starting\ - \ point for pagination (default is 0). | String | No |\n| Limit | The maximum\ - \ number of results to return in a single request (default is 100). | String |\ - \ No |\n\n### Additional Notes\n- The action logic follows a hierarchy: if `Custom\ - \ List ID` is provided, it performs a direct lookup. If both `Name` and `Type`\ - \ are provided, it searches for that specific pair. Otherwise, it performs a general\ - \ query using the provided tag filters and pagination settings.\n- Parameters\ - \ like `Offset`, `Limit`, and `Custom List ID` are validated as non-negative integers\ - \ before the API call is made.\n\n### Flow Description\n1. **Parameter Initialization**:\ - \ Extracts configuration (API Root, API Key) and action parameters from the Siemplify\ - \ environment.\n2. **Validation**: Validates that `Offset`, `Limit`, and `Custom\ - \ List ID` (if provided) are valid integers.\n3. **API Request**: \n - If a\ - \ `Custom List ID` is provided, it calls the specific list endpoint.\n - If\ - \ `Name` and `Type` are both provided, it queries the API for that specific list.\n\ - \ - Otherwise, it calls the base custom lists endpoint with optional tag filters\ - \ and pagination.\n4. **Data Processing**: Parses the raw JSON response into a\ - \ structured `CustomList` data model.\n5. **Output Generation**: \n - Adds\ - \ the full raw response to the action's JSON results.\n - Constructs a data\ - \ table titled 'Custom List Details' containing key fields like ID, Name, and\ - \ Threat Level for display in the SOAR interface." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves custom list configuration data from Infoblox. It does not + match any of the defined categories, as it is not an enrichment, containment, + or alert management action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Retrieves the contents of a custom list from the Infoblox Threat Defense platform. + This action allows users to query for specific custom lists by ID, name, or type, + and supports filtering and sorting by tags. The retrieved data is formatted into + a table and JSON output for display within the SOAR platform. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts integration configuration (API + root, API key, SSL verification) and action-specific parameters (Custom List ID, + Name, Type, Tag Filter, Tag Sort Filter, Offset, Limit). + + 2. **Validation**: Validates input parameters, ensuring numeric fields like Offset + and Limit are valid integers. + + 3. **API Interaction**: Calls the Infoblox API to fetch the custom list(s) based + on the provided criteria. + + 4. **Data Processing**: Processes the API response, converting the results into + a structured format (CSV) using the `CustomList` data model. + + 5. **Output Generation**: Adds the raw JSON response and a formatted data table + to the action results for analyst review. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Custom List ID | string | No | The unique identifier of the custom list to retrieve. + | + + | Name | string | No | The name of the custom list. | + + | Type | string | No | The type of the custom list (default: 'custom_list'). | + + | Tag Filter | string | No | Filter security policy by specific tags in the format: + ''=''. | + + | Tag Sort Filter | string | No | Sort Custom List by Tags (e.g., 'Test1'). | + + | Offset | string | No | Specify the offset from where to start pagination (default: + '0'). | + + | Limit | string | No | Specify the maximum number of results to return (default: + '100'). | + + + ### Additional Notes + + If no specific parameters are provided, the action attempts to retrieve a list + of custom lists based on the default pagination settings. The action does not + modify any external or internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -493,8 +665,18 @@ Get Custom List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve custom list data from the Infoblox + API. It does not modify external systems, nor does it update internal SOAR entities, + insights, or alert data. It simply presents the retrieved information in the + action results. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (custom lists) from an external system. + It does not gather supplemental context about alerts or entities, nor does it + update entity profiles or create insights. Therefore, it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -510,52 +692,79 @@ Get Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + global configuration parameters and API queries, not on specific SOAR entities. Get Indicator Intel Lookup Result: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (Dossier lookup results) for an indicator, + which aligns with the 'Enrich IOC' category. It does not perform any other operations + like ticket creation, host containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - Retrieves the results of a previously initiated Dossier lookup job from Infoblox - Threat Defense. This action is used to fetch detailed threat intelligence for - indicators (such as IP addresses, URLs, Hostnames, Emails, or Hashes) after a - lookup has been asynchronously started using a Job ID. + Threat Defense. This action fetches detailed threat intelligence data associated + with a specific Job ID and presents it within the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the mandatory `Job ID` parameter provided by the user. - | :--- | :--- | :--- | :--- | + 2. It initializes the `APIManager` to communicate with the Infoblox Threat Defense + API. - | Job ID | String | Yes | Specify the unique Job ID of the Dossier lookup job - to retrieve the results for. This ID is typically obtained from the output of - an initiation action. | + 3. It performs a GET request to retrieve the lookup results for the specified + `Job ID`. + 4. If results are found, it processes the data, creates a CSV-formatted table + of the findings, and adds it to the action results. - ### Additional Notes - - - This action does not process entities in the current scope; it relies entirely - on the provided `Job ID` parameter. + 5. It also attaches the raw JSON response to the action results for comprehensive + visibility. - - The action displays up to 20 records in the 'Dossier Lookup Results' data table - for readability, while the full response is available in the JSON result. + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the `Job ID` from the input - parameters and the API configuration from the integration settings. + | :--- | :--- | :--- | :--- | - 2. **Validation**: It ensures the `Job ID` is a valid, non-empty string. + | Job ID | string | Yes | The unique identifier of the Dossier lookup job to retrieve + results for. | - 3. **API Interaction**: It calls the Infoblox API via a GET request to the Dossier - jobs results endpoint using the provided `Job ID`. - 4. **Data Processing**: The response is parsed, and individual result items are - mapped to a structured data model. + ### Additional Notes - 5. **Output Generation**: The action populates a data table with a summary of - the results and attaches the complete raw response as a JSON object for further - downstream processing. + This action is designed to be used after the 'Initiate Indicator Intel Lookup + With Dossier' action, which generates the `Job ID` required here. capabilities: can_create_case_comments: false can_create_insight: false @@ -566,8 +775,19 @@ Get Indicator Intel Lookup Result: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve data from an external system (Infoblox). + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR data (entities, insights, or case comments), but rather appends + result data (tables and JSON) to the action output, which is standard for data + retrieval actions. categories: enrichment: true + reasoning: >- + The action fetches threat intelligence data (Dossier lookup results) from an + external source. It does not mutate external systems, nor does it perform any + internal mutations (like updating entities or creating insights). It strictly + retrieves and displays information, fitting the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -583,76 +803,112 @@ Get Indicator Intel Lookup Result: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + operates based on a provided `Job ID` parameter, which is an external reference, + not a SOAR entity. Get Network List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves network list configuration data from Infoblox. It does + not match any of the defined product categories such as enrichment, ticket management, + or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves the contents of network lists from Infoblox Threat Defense. This action - allows users to fetch details for a specific network list by its ID or to query - multiple network lists using a logical filter expression. The retrieved data includes - network list names, descriptions, and associated security policy IDs, which are - presented as both a raw JSON result and a formatted data table within the case. + Retrieves network lists from Infoblox Threat Defense. This action fetches configuration + data regarding network lists, allowing analysts to view existing lists, their + descriptions, and associated security policies. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Network List ID | string | No | The unique identifier of the network list to - retrieve. If provided, the action fetches only this specific list and ignores - the 'Security Network Filter'. | + 1. The action extracts integration configuration parameters (API root, API key, + SSL verification) and action-specific parameters (Network List ID, Security Network + Filter, Offset, Limit). - | Security Network Filter | string | No | A logical expression string (e.g., `name - == 'net_list1'`) used to filter network lists when no specific ID is provided. - | + 2. It validates the provided parameters to ensure they are in the correct format + (e.g., integers for Offset and Limit). - | Offset | string | No | The starting index for pagination (default is '0'). | + 3. It initiates a GET request to the Infoblox API to retrieve the requested network + list(s). - | Limit | string | No | The maximum number of results to return (default is '100'). - | + 4. The retrieved data is returned as a JSON result and formatted into a data table + for display in the SOAR platform. - ### Additional Notes + ### Parameters Description - - If a 'Network List ID' is provided, the 'Security Network Filter' is ignored - by the API. + | Parameter | Type | Mandatory | Description | - - The action displays up to 20 records in the 'Network List' data table for readability, - while the full response is available in the JSON result. + | :--- | :--- | :--- | :--- | + | Network List ID | string | No | The unique identifier of the network list to + retrieve. | - ### Flow Description + | Security Network Filter | string | No | A logical expression string to filter + the network lists (e.g., name == 'net_list1'). | - 1. **Parameter Initialization**: Extracts the API configuration and action parameters - (ID, Filter, Offset, Limit). + | Offset | string | No | The pagination offset to start retrieving results from. + Default is '0'. | - 2. **Validation**: Validates that the 'Network List ID', 'Offset', and 'Limit' - are valid non-negative integers. + | Limit | string | No | The maximum number of results to return. Default is '100'. + | - 3. **API Interaction**: Calls the Infoblox API's network lists endpoint. If an - ID is provided, it targets the specific resource; otherwise, it applies the filter - and pagination parameters. - 4. **Data Processing**: Parses the API response into the `NetworkList` data model. + ### Additional Notes - 5. **Output Generation**: Adds the full JSON response to the action results and - constructs a CSV-formatted data table named 'Network List' for the SOAR interface. + If a 'Network List ID' is provided, the action will attempt to retrieve that specific + list. Otherwise, it will retrieve a list of network lists based on the provided + filter, offset, and limit. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Network List' to the Google SecOps case - to display the retrieved information. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve network list + data. It does not modify any external systems (no POST/PUT/DELETE). It does + not modify internal SOAR case data (entities, insights, comments). It simply + outputs the retrieved data to the action result. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (network lists) from an external system. + It does not perform enrichment on entities, nor does it meet the criteria for + an enrichment action as it does not gather context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -668,80 +924,65 @@ Get Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SOAR platform. + It operates independently of the entity model. Get SOC Insights Assets: - ai_description: >- - ### General Description - - The **Get SOC Insights Assets** action retrieves a list of assets associated with - a specific Infoblox SOC Insight ID. This action is used to identify which devices - or users were involved in a particular security insight, providing critical context - for incident response. It allows for granular filtering by IP address, MAC address, - operating system version, and associated user, as well as time-based filtering - for asset changes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Insight ID** | String | Yes | The unique identifier of the SOC Insight to - retrieve assets from. | - - | **Asset IP** | String | No | Filter the results to include only assets with - this specific IP address. | - - | **MAC Address** | String | No | Filter the results to include only assets with - this specific MAC address. | - - | **OS Version** | String | No | Filter the results by the operating system version - of the asset. | - - | **User** | String | No | Filter the results by the user associated with the - asset. | - - | **Limit** | String | No | The maximum number of results to return (Default is - 100). | - - | **From** | String | No | Filter for assets changed after this time (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - | **To** | String | No | Filter for assets changed before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | - - - ### Additional Notes - - - The action returns a maximum of 20 records in the visible data table for performance - reasons, though the full list (up to the specified limit) is available in the - JSON result. - - - Time parameters must follow the ISO-like format `YYYY-MM-DDTHH:mm:ss.SSS` to - be processed correctly by the Infoblox API. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the mandatory `Insight ID` and - optional filters (IP, MAC, OS, User, Time range, and Limit) from the input. - - 2. **Validation**: It validates that the `Insight ID` is not empty and that the - `Limit` is a valid positive integer. - - 3. **API Request**: It utilizes the `APIManager` to send a GET request to the - Infoblox `/api/v1/insights/{insight_id}/assets` endpoint with the provided query - parameters. - - 4. **Data Processing**: The response is parsed. If assets are found, they are - mapped to the `SOCInsightAsset` data model. - - 5. **Output Generation**: The action adds the raw JSON response to the execution - results and constructs a CSV-formatted data table named "Assets" containing key - details like Asset IP, MAC Address, Threat Level, OS Version, and User. - - 6. **Completion**: The action concludes by providing a summary message of the - number of assets found or an error message if the Insight ID is invalid. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves asset metadata (IP, MAC, OS, User) associated with an insight, + which aligns with 'Enrich Asset'. It also fetches information about the insight + itself, aligning with 'Get Alert Information'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nRetrieves a list of associated assets\ + \ for a specific SOC Insight ID from Infoblox Threat Defense. This action allows\ + \ analysts to query asset details such as IP addresses, MAC addresses, OS versions,\ + \ and associated users, providing context for security insights.\n\n### Flow Description\n\ + 1. **Configuration**: The action initializes the connection to the Infoblox API\ + \ using the provided API root, API key, and SSL verification settings.\n2. **Parameter\ + \ Extraction**: It extracts the required `Insight ID` and optional filters (`Asset\ + \ IP`, `MAC Address`, `OS Version`, `User`, `Limit`, `From`, `To`) from the action\ + \ parameters.\n3. **Data Retrieval**: It calls the Infoblox API to fetch asset\ + \ data associated with the specified Insight ID, applying any provided filters.\n\ + 4. **Result Processing**: \n - The raw JSON response is added to the action\ + \ result.\n - If assets are found, the data is formatted into a CSV table and\ + \ added to the action result for display.\n - If no assets are found, an appropriate\ + \ message is returned.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Insight ID | string | Yes\ + \ | The ID of the insight to retrieve assets from. |\n| Asset IP | string | No\ + \ | Filter assets by IP address. |\n| MAC Address | string | No | Filter assets\ + \ by MAC address. |\n| OS Version | string | No | Filter assets by operating system\ + \ version. |\n| User | string | No | Filter assets by associated user. |\n| Limit\ + \ | string | No | Specify the maximum number of results to return (default: 100).\ + \ |\n| From | string | No | Filter by assets changed after this time (YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |\n| To | string | No | Filter by assets changed before this time (YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |" capabilities: can_create_case_comments: false can_create_insight: false @@ -752,8 +993,16 @@ Get SOC Insights Assets: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve asset information from Infoblox + based on an Insight ID. It does not mutate external systems or modify internal + case data (entities, insights, etc.). It only adds result data to the action + execution. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -769,68 +1018,103 @@ Get SOC Insights Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses an `Insight + ID` parameter provided by the user. Get SOC Insights Comments: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches information about an insight from the Infoblox product. This + aligns with the 'Get Alert Information' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves comments associated with a specific SOC Insight from Infoblox Threat + Defense. This action fetches the comment history for a given insight ID, allowing + analysts to review changes and updates made to the insight. - Retrieves all comments associated with a specific SOC Insight from Infoblox Threat - Defense. This action allows analysts to review the history and notes attached - to an insight, with optional time-based filtering to narrow down the results. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Insight ID | String | Yes | The unique identifier of the SOC Insight to retrieve - comments for. | + | Insight ID | string | Yes | The unique identifier of the SOC insight. | - | From | String | No | Filter comments changed after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). + | From | string | No | Filter comments changed after this time (YYYY-MM-DDTHH:mm:ss.SSS). | - | To | String | No | Filter comments changed before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). + | To | string | No | Filter comments changed before this time (YYYY-MM-DDTHH:mm:ss.SSS). | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the Insight ID and optional - time filters from the user input. - 2. **Validation**: Ensures the Insight ID is provided and formatted correctly. + If no comments are found, the action will output a message indicating that no + comments were found for the provided Insight ID. - 3. **API Interaction**: Queries the Infoblox API endpoint for comments related - to the specified Insight ID. - 4. **Data Processing**: Parses the returned comments and maps them to a structured - format. + ### Flow Description - 5. **Output Generation**: Populates a data table named "SOC Insight Comments" - with the retrieved details and attaches the full JSON response to the action results. + 1. Extracts configuration parameters (API root, key, SSL verification). - ### Additional Notes + 2. Extracts action parameters (Insight ID, From, To). + + 3. Validates the Insight ID. + + 4. Calls the Infoblox API to fetch comments for the specified insight. - - The data table displays a maximum of 20 records to maintain performance. + 5. Formats the comments into a data table and adds it to the action result. - - If no comments are found for the given ID, the action will report success but - indicate that the list is empty. + 6. Adds the raw JSON response to the action result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named "SOC Insight Comments" to the Google SecOps case containing - the retrieved comment details. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve comments for a specific SOC insight. + It does not modify any external or internal data. It does not update entities + or create insights. categories: enrichment: false + reasoning: >- + The action fetches data (comments) but does not enrich entities or alerts (it + operates on insights). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -846,54 +1130,94 @@ Get SOC Insights Comments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on an `Insight ID` provided as a parameter. Get SOC Insights Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of events based on an Insight ID and various filters. + This matches the 'Search Events' category, as it returns a collection of historical + logs/telemetry data. It does not match 'Enrich IOC' or 'Enrich Asset' as it + doesn't operate on those entities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "Retrieves a list of events associated with a specific SOC Insight\ - \ ID from Infoblox Threat Defense. This action allows analysts to drill down into\ - \ the specific activities and detections that triggered a SOC insight, providing\ - \ granular visibility into threat families, device names, and policy actions.\ - \ It supports extensive filtering by device IP, query strings, DNS query types,\ - \ threat sources, and indicators. The results are presented as a data table in\ - \ the case wall and a full JSON response for further processing.\n\n### Parameters\ - \ Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Insight ID | String | Yes | The unique identifier of the\ - \ SOC insight to retrieve events for. |\n| Device IP | String | No | Filter events\ - \ by the IP address of the involved device. |\n| Query | String | No | Filter\ - \ events by a specific query string. |\n| Query Type | String | No | Filter events\ - \ by DNS query type (e.g., A, TXT, MX). |\n| Source | String | No | Filter events\ - \ by the threat intelligence source or feed (e.g., DFP). |\n| Indicator | String\ - \ | No | Filter events by a specific threat indicator such as a domain, IP, or\ - \ hash. |\n| Threat Level | DDL | No | Filter by threat level. Options: All, Info,\ - \ Low, Medium, High. |\n| Confidence Level | DDL | No | Filter by confidence level.\ - \ Options: All, Low, Medium, High. |\n| Limit | String | No | Maximum number of\ - \ results to return (default is 100). |\n| From | String | No | Filter by events\ - \ detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). |\n| To | String\ - \ | No | Filter by events detected before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS).\ - \ |\n\n### Flow Description\n\n1. **Parameter Extraction and Validation**: The\ - \ action extracts the Insight ID and optional filters. It validates that the Insight\ - \ ID is a non-empty string and that the Limit is a valid positive integer.\n2.\ - \ **API Interaction**: It calls the Infoblox API GET endpoint for SOC Insight\ - \ events, passing the Insight ID as a path parameter and the filters as query\ - \ parameters.\n3. **Data Transformation**: The raw JSON response is parsed, and\ - \ individual event records are mapped to the SOCInsightEvent data model.\n4. **Output\ - \ Generation**: \n * If events are found, it constructs a CSV-formatted data\ - \ table named \"SOC Insight Events\" containing key fields like Confidence Level,\ - \ Device Name, Action, and Threat Family.\n * It attaches the full JSON response\ - \ to the action results.\n * It provides a summary message indicating the number\ - \ of events retrieved." + \ from Infoblox Threat Defense. This action allows analysts to drill down into\ + \ the details of a generated insight by fetching the underlying events, which\ + \ can be filtered by various criteria such as device IP, query type, threat level,\ + \ and confidence level.\n\n### Flow Description\n1. **Configuration**: The action\ + \ initializes the API connection using the provided API root, API key, and SSL\ + \ verification settings.\n2. **Parameter Extraction**: It extracts the mandatory\ + \ `Insight ID` and optional filters (e.g., `Device IP`, `Query`, `Threat Level`,\ + \ `Confidence Level`, `Limit`, `From`, `To`) from the action parameters.\n3. **Data\ + \ Retrieval**: It calls the Infoblox API to fetch the events associated with the\ + \ specified `Insight ID`, applying any provided filters.\n4. **Result Processing**:\ + \ \n - If events are found, it formats the data into a table and adds it to\ + \ the action result.\n - It also adds the full raw JSON response to the action\ + \ result for detailed analysis.\n - If no events are found, it returns a message\ + \ indicating that no events were found for the given ID.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Insight ID | string | Yes | The unique identifier of the SOC insight to retrieve\ + \ events from. |\n| Device IP | string | No | Filter events by the IP address\ + \ of the device. |\n| Query | string | No | Filter events by a specific query\ + \ string. |\n| Query Type | string | No | Filter events by DNS query type (e.g.,\ + \ TXT, A, MX). |\n| Source | string | No | Filter events by the threat intelligence\ + \ source or feed. |\n| Indicator | string | No | Filter events by a specific threat\ + \ indicator (e.g., domain, IP, hash). |\n| Threat Level | ddl | No | Filter by\ + \ threat level (All, Info, Low, Medium, High). |\n| Confidence Level | ddl | No\ + \ | Filter by confidence level (All, Low, Medium, High). |\n| Limit | string |\ + \ No | Specify the maximum number of results to return (Default: 100). |\n| From\ + \ | string | No | Filter by events detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |\n| To | string | No | Filter by events detected before this time (Format:\ + \ YYYY-MM-DDTHH:mm:ss.SSS). |" capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'SOC Insight Events' to the case wall containing details - of the retrieved events. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve events for a specific SOC insight. + It does not modify any external or internal data. It adds a data table to the + action result, which is not considered an internal mutation (like updating entities + or creating insights). categories: enrichment: false + reasoning: >- + The action retrieves events for a specific insight ID. It does not operate on + entities or alerts to enrich them, nor does it meet the strict criteria for + an enrichment action (which typically involves updating entities or creating + insights). It is a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -909,69 +1233,65 @@ Get SOC Insights Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It takes an `Insight ID` as a parameter + to fetch data. Get SOC Insights Indicators: - ai_description: >- - ### General Description - - Retrieves a list of threat indicators associated with a specific SOC Insight from - Infoblox Threat Defense. This action allows analysts to drill down into the specific - indicators (such as domains or IPs) that triggered or are related to a security - insight, providing context on the threat actor, confidence levels, and actions - taken. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Insight ID | String | Yes | The unique identifier of the SOC insight to retrieve - indicators from. | - - | Confidence | String | No | Filter results by a specific confidence score. | - - | Indicator | String | No | Filter results by a specific indicator value (e.g., - a domain name). | - - | Actor | String | No | Filter results by a specific threat actor name. | - - | From | String | No | Filter for indicators seen after this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - | To | String | No | Filter for indicators seen before this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - | Action | String | No | Filter by the action taken on the indicator (e.g., 'block', - 'allow'). | - - | Limit | String | No | The maximum number of results to return (Default is 100). - | - - - ### Flow Description - - 1. **Parameter Extraction**: The action extracts the mandatory `Insight ID` and - optional filters like `Confidence`, `Actor`, and time ranges. - - 2. **Validation**: It validates that the `Insight ID` is provided and that the - `Limit` is a valid positive integer. - - 3. **API Request**: It calls the Infoblox API endpoint `/api/v1/insights/{insight_id}/indicators` - with the specified query parameters. - - 4. **Data Processing**: The retrieved indicators are parsed into a structured - format using the `SOCInsightIndicator` model. - - 5. **Output Generation**: The action generates a data table named 'SOC Insight - Indicators' (displaying up to 20 records) and attaches the full raw JSON response - to the action results. - - - ### Additional Notes - - - This action does not run on entities; it requires a specific Insight ID, which - is typically obtained from a previous step or a SOC Insight alert. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches information about a SOC Insight from the Infoblox platform. + This aligns with the 'Get Alert Information' category, as it retrieves details + about a security-relevant object (Insight) from the 3rd party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Retrieves a list of indicators associated with a specific SOC Insight\ + \ from Infoblox Threat Defense. This action allows users to filter indicators\ + \ by confidence, indicator value, threat actor, time range, and action taken.\n\ + \n### Flow Description\n1. **Parameter Extraction**: The action extracts the required\ + \ `Insight ID` and optional filters (Confidence, Indicator, Actor, From, To, Action,\ + \ Limit) from the configuration.\n2. **Validation**: Validates that the `Insight\ + \ ID` is provided and the `Limit` is a valid integer.\n3. **API Interaction**:\ + \ Connects to the Infoblox API to fetch the indicators associated with the specified\ + \ `Insight ID` using the provided filters.\n4. **Result Processing**: \n - If\ + \ indicators are found, it formats the data into a table and adds it to the action\ + \ results.\n - The full raw JSON response is added to the action results.\n\ + \ - If no indicators are found, an appropriate message is returned.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Insight ID | string | Yes | The ID of the insight to retrieve indicators from.\ + \ |\n| Confidence | string | No | Filter by confidence score. |\n| Indicator |\ + \ string | No | Filter by specific indicator value. |\n| Actor | string | No |\ + \ Filter by threat actor. |\n| From | string | No | Filter by indicators seen\ + \ after this time (format: YYYY-MM-DDTHH:mm:ss.SSS). |\n| To | string | No | Filter\ + \ by indicators seen before this time (format: YYYY-MM-DDTHH:mm:ss.SSS). |\n|\ + \ Action | string | No | Filter by action taken. |\n| Limit | string | No | Specify\ + \ the maximum number of results to return (default: 100). |\n\n### Additional\ + \ Notes\n- This action is read-only and does not modify any external or internal\ + \ system state." capabilities: can_create_case_comments: false can_create_insight: false @@ -982,8 +1302,17 @@ Get SOC Insights Indicators: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve indicator + data for a specific SOC Insight. It does not perform any write operations to + external systems, nor does it modify internal case data, entities, or insights. + It simply presents the retrieved data in the action results. categories: enrichment: false + reasoning: >- + The action retrieves data (indicators) but does not operate on or enrich specific + SecOps entities (e.g., IP, FileHash). Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -999,14 +1328,48 @@ Get SOC Insights Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It operates based on an `Insight ID` provided as a parameter. Get Security Policies: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves security policies from Infoblox. This does not match any + of the provided categories (Enrich IOC, Enrich Asset, Update Alert, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves all configured security policies and their associated metadata from - the Infoblox Threat Defense platform. This action is primarily used for auditing, - visibility, and policy management within a SOAR workflow, allowing users to fetch - a list of security policies based on specific filters and tags. + Retrieves a list of configured security policies and their metadata from the Infoblox + Threat Defense with DDI platform. This action allows users to query policies based + on specific filters, tags, and sorting criteria, providing visibility into the + current security policy configuration. ### Parameters Description @@ -1015,51 +1378,43 @@ Get Security Policies: | :--- | :--- | :--- | :--- | - | Security Policy Filter | String | No | A logical expression string used to filter - security policies (e.g., `name=='sec_policy_a'`). | + | Security Policy Filter | string | No | A logical expression string to filter + security policies (e.g., name== 'sec_policy_a'). | - | Tag Filter | String | No | Filters the security policy list by specific tags - using the format: `''=''`. | + | Tag Filter | string | No | Filter security policy by specific tags format: ''=''. + | - | Tag Sort Filter | String | No | Sorts the resulting security policy list based - on Tags. | + | Tag Sort Filter | string | No | Sort security policy list by Tags. | - | Offset | String | No | Specifies the starting point (offset) for pagination. - Defaults to "0". | + | Offset | string | No | Specify the offset from where to start pagination. | - | Limit | String | No | Specifies the maximum number of results to return in a - single request. Defaults to "100". | + | Limit | string | No | Specify the maximum number of results to return. | ### Additional Notes - - This action does not operate on specific entities (like IPs or Domains) but - rather fetches global configuration data from the Infoblox environment. - - - The action includes built-in validation for the `Offset` and `Limit` parameters - to ensure they are non-negative integers. + - The action uses pagination parameters (Offset and Limit) to manage the volume + of returned data. - - A maximum of 20 records will be displayed in the Siemplify Data Table for UI - performance, while the full result set is available in the JSON output. + - Results are displayed in a data table if any policies are found. ### Flow Description - 1. **Parameter Initialization**: The action extracts integration configuration - (API Root, API Key) and user-provided action parameters. + 1. Initialize integration parameters (API root, API key, SSL verification). - 2. **Validation**: It validates that the `Offset` and `Limit` parameters are valid - integers. + 2. Extract action parameters (filters, sorting, pagination). - 3. **API Interaction**: It calls the Infoblox API (`GET /api/atcfw/v1/security_policies`) - with the provided filters and pagination settings. + 3. Validate pagination parameters (Offset and Limit). - 4. **Data Processing**: The raw API response is parsed into `SecurityPolicy` data - models. + 4. Call the Infoblox API to retrieve security policies based on the provided filters. - 5. **Output Generation**: The action populates a JSON result with the full API - response and constructs a data table titled "Security Policies" containing key - fields like Policy ID, Name, Description, and Default Action. + 5. Process the API response into a list of `SecurityPolicy` objects. + + 6. Add the raw JSON response to the action results. + + 7. If policies are found, construct and add a data table to the action results + for display. capabilities: can_create_case_comments: false can_create_insight: false @@ -1070,8 +1425,17 @@ Get Security Policies: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve security policies from the Infoblox + API. It does not modify external data, nor does it modify internal SecOps data + (entities, insights, or comments). It simply displays the retrieved information + in the action results. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (security policies) from an external + system. It does not fetch context about specific alerts or entities, nor does + it meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1087,67 +1451,65 @@ Get Security Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It retrieves global security + policies from the Infoblox API. Host Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves host information (IPAM data) from Infoblox, which provides + contextual metadata for assets. This matches the 'Enrich Asset' category. It + does not perform IOC enrichment, ticket management, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves host asset information from Infoblox IPAM (IP Address Management). This - action allows users to search for host records using specific filtering criteria, - tags, and sorting options. It is primarily used for asset discovery and inventory - management within the Infoblox environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Host Filter | String | No | A logical expression to filter hosts (e.g., `name=="webserver01"` - or `ip_address=="192.168.1.100"`). | - - | Tag Filter | String | No | A logical expression to filter hosts by their assigned - tags (e.g., `'Tenable_scan'=='true'`). | - - | Offset | String | No | The starting index for pagination. Defaults to "0". | - - | Limit | String | No | The maximum number of host records to return. Defaults - to "100". | - - | Order By | String | No | Comma-separated fields to sort the results (e.g., `name - asc`). Supports dot notation for nested fields. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the filter criteria, pagination - settings (Offset/Limit), and sorting preferences from the user input. - - 2. **Validation:** It validates that the `Offset` and `Limit` parameters are valid - non-negative integers using internal utility functions. - - 3. **API Request:** It sends a GET request to the Infoblox `/api/ddi/v1/ipam/host` - endpoint via the `APIManager` with the specified query parameters. - - 4. **Data Processing:** The raw JSON response is captured and added to the action's - result JSON. - - 5. **Output Generation:** The action processes the results into `Host` data models - and populates a data table named "Hosts" with the retrieved host details (up to - a maximum of 20 records for display) and provides the full JSON result for further - playbook processing. - - - ### Additional Notes - - - This action does not automatically process entities present in the SecOps case; - it relies entirely on the provided filter parameters. - - - If no records match the filters, the action completes successfully with a message - indicating no records were found. - - - The `Limit` parameter controls the API response size, while the UI table is - capped at 20 records. + General description: This action retrieves host information from the Infoblox + IPAM system based on provided filter criteria. It allows users to query host records + using specific filters, tags, and pagination settings. The action fetches data + from the Infoblox API and presents the results in both a JSON format and a structured + data table for easier analysis. Parameters description: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Host Filter | string | No | Filter + IPAM hosts by specific criteria (e.g., name=="webserver01" or ip_address=="192.168.1.100"). + | | Tag Filter | string | No | Filter IP addresses by specific tags (e.g. 'Tenable_scan'=='true'). + | | Offset | string | No | Specify the offset from where to start pagination. + Defaults to "0". | | Limit | string | No | Specify the maximum number of results + to return. Defaults to "100". | | Order By | string | No | Comma-separated JSON + fields to sort the results. Use asc or desc for sort direction. | Additional notes: + The action validates that Offset and Limit are non-negative integers. If no host + records are found, the action returns a message indicating no records were found. + Flow description: 1. The action initializes the Infoblox API manager using the + configured API root, API key, and SSL verification settings. 2. It extracts and + validates the provided action parameters (Host Filter, Tag Filter, Offset, Limit, + Order By). 3. It performs a GET request to the Infoblox IPAM host endpoint (/api/ddi/v1/ipam/host) + with the specified filters and pagination parameters. 4. The raw JSON response + is added to the action results. 5. If host records are returned, the action converts + the data into a flat CSV format and adds it to a data table named 'Hosts'. 6. + A success message is generated indicating the number of records retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -1158,8 +1520,17 @@ Host Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve host information. + It does not modify any external systems or internal Google SecOps data (such + as entities, insights, or alert data). It only reports the retrieved data back + to the user via result JSON and a data table. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual information (host details) from an + external system (Infoblox) without modifying any external or internal state. + This aligns with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1175,67 +1546,67 @@ Host Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on target entities. It uses input parameters to + query the Infoblox API directly, so the entity_types list is empty. IP Lookup: - ai_description: >- - ### General Description - - The **IP Lookup** action retrieves detailed information about IP addresses from - the Infoblox IPAM (IP Address Management) system. It allows users to query the - Infoblox database using flexible filters, including IP address state, tags, and - specific scopes. This action is primarily used for asset discovery and network - visibility within a SOAR workflow. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Filter** | String | No | A logical expression to filter IP addresses (e.g., - `address=="192.168.1.100"`). | - - | **Address State** | DDL | No | Filters results by the state of the IP address. - Options: `Any`, `Free`, `Used`. Default is `Used`. | - - | **Scope** | String | No | Limits the lookup to a specific network scope or view. - | - - | **Tag Filter** | String | No | Filters results based on metadata tags (e.g., - `'Department'=='IT'`). | - - | **Offset** | String | No | The starting point for pagination (default is `0`). - | - - | **Limit** | String | No | The maximum number of records to return (default is - `100`). | - - | **Order By** | String | No | Specifies the sorting order of the results using - JSON fields. | - - - ### Additional Notes - - - This action does not automatically process entities from the current case; it - relies entirely on the provided input parameters. - - - Results are returned as a JSON object and displayed in a data table (up to 20 - records). - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves configuration and input parameters, - validating that `Offset` and `Limit` are valid integers. - - 2. **API Request**: It constructs a query and sends a GET request to the Infoblox - IPAM API endpoint. - - 3. **Data Processing**: The raw API response is parsed using the `IPLookup` data - model to extract fields like address, hostname, state, and hardware address. - - 4. **Output Generation**: The action populates the execution result with the full - JSON response and creates a data table for the user interface. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves IP address information, including hostnames and hardware + addresses, which provides context for assets and indicators. This matches 'Enrich + IOC' and 'Enrich Asset'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Retrieves IP address information from Infoblox. This action queries\ + \ the Infoblox DDI API to fetch IP address details based on provided filters such\ + \ as IP address, state, scope, and tags. \n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action extracts configuration parameters (API root, API key,\ + \ SSL verification) and action-specific parameters (IP Filter, Address State,\ + \ Scope, Tag Filter, Offset, Limit, Order By).\n2. **API Initialization**: An\ + \ `APIManager` instance is initialized with the provided credentials.\n3. **Data\ + \ Retrieval**: The action calls the `ip_lookup` method of the `APIManager`, which\ + \ performs a GET request to the Infoblox IPAM address endpoint.\n4. **Result Processing**:\ + \ The retrieved IP records are processed into `IPLookup` data models.\n5. **Output\ + \ Generation**: The action adds the raw JSON response to the action result and\ + \ generates a data table titled \"IP Lookup Data\" containing the processed IP\ + \ information.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| IP Filter | string | No | Filter\ + \ IP addresses by specific criteria (e.g., address==\"192.168.1.100\" or state==\"\ + USED\"). |\n| Address State | ddl | No | Filter by IP address state (e.g., 'Any',\ + \ 'Free', 'Used'). Defaults to 'Used'. |\n| Scope | string | No | Specify the\ + \ scope for IP address lookup. |\n| Tag Filter | string | No | Filter IP addresses\ + \ by specific tags (e.g. 'Tenable_scan'=='true'). |\n| Offset | string | No |\ + \ Specify the offset from where to start pagination. Defaults to \"0\". |\n| Limit\ + \ | string | No | Specify the maximum number of results to return. Defaults to\ + \ \"100\". |\n| Order By | string | No | Comma-separated JSON fields to sort the\ + \ results. Use asc or desc for sort direction. |\n\n### Additional Notes\n- If\ + \ no IP data is found, the action returns a message indicating that no data was\ + \ found.\n- The action supports pagination via the Offset and Limit parameters." capabilities: can_create_case_comments: false can_create_insight: false @@ -1246,8 +1617,16 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve IP address information from Infoblox. + It does not modify any external or internal systems. It adds a data table to + the action result, which is not considered internal data mutation (like updating + entities or creating insights). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1263,69 +1642,72 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses input parameters + to perform a lookup. Indicator Threat Lookup With TIDE: - ai_description: >- - ### General Description - - The **Indicator Threat Lookup With TIDE** action allows users to query Infoblox - TIDE (Threat Intelligence Data Exchange) for detailed threat intelligence regarding - specific indicators. It supports searching for IPs, Hosts, URLs, Emails, and Hashes, - or filtering by broader criteria like domains, threat classes, and targets. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Indicator Type** | Dropdown | No | The category of indicator to search for - (e.g., IP, Host, URL, Email, Hash). Defaults to 'All'. | - - | **Indicator Value** | String | No | The specific value of the indicator to look - up. | - - | **Domain** | String | No | Comma-separated list of domains to filter the search. - | - - | **Top-Level Domain** | String | No | Comma-separated list of top-level domains - (TLDs) to filter the search. | - - | **Threat Class** | String | No | Comma-separated list of threat classes (e.g., - malware, phishing) to search for. | - - | **Target** | String | No | Comma-separated list of targets to filter the search. - | - - | **Expiration** | String | No | Period of time after which data is no longer - considered active (ISO8601 format). | - - | **Limit** | String | No | Maximum number of results to return. Defaults to 1000. - | - - - ### Additional Notes - - This action does not automatically process entities from the current Google SecOps - case. It is a manual lookup tool that relies on the values provided in the action - parameters. If 'Indicator Type' is set to 'All', the 'Indicator Value' is ignored - in favor of other filters like Domain or Threat Class. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves API credentials and user-defined search - filters (Indicator Type, Value, Domain, etc.) from the action parameters. - - 2. **API Request**: Executes a GET request to the Infoblox TIDE `/tide/api/data/threats` - endpoint using the provided filters. - - 3. **Data Processing**: Parses the JSON response into a list of threat records - using the `IndicatorThreatLookupTideResult` model. - - 4. **Output Generation**: Returns the raw JSON response for downstream logic and - constructs a data table displaying key threat fields including Indicator, Type, - Threat Level, Class, Property, Profile, and Detection status. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, threat class, etc.) for + an indicator from Infoblox TIDE. This matches the 'Enrich IOC' category. It + does not perform any other actions like blocking, ticketing, or updating alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves threat intelligence\ + \ details for a specified indicator (IP, URL, Host, Email, or Hash) using the\ + \ Infoblox Threat Defense (TIDE) service. It allows analysts to query the TIDE\ + \ database based on various criteria such as indicator type, threat class, and\ + \ target, providing valuable context for security investigations.\n\n### Flow\ + \ Description\n1. **Parameter Extraction**: The action extracts input parameters,\ + \ including the indicator type, indicator value, and optional filters (Domain,\ + \ TLD, Threat Class, Target, Expiration, Limit).\n2. **API Interaction**: It initializes\ + \ the `APIManager` and performs a GET request to the Infoblox TIDE API endpoint\ + \ (`/tide/api/data/threats`) with the provided filters.\n3. **Data Processing**:\ + \ The action processes the API response, mapping the threat data to `IndicatorThreatLookupTideResult`\ + \ models.\n4. **Output Generation**: \n - The raw JSON response is added to\ + \ the action results.\n - If threat records are found, a data table titled\ + \ \"TIDE Indicator Threat Lookup Results\" is constructed and displayed, showing\ + \ key details like Indicator, Type, Threat Level, Class, Property, Profile, and\ + \ Detection status.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Indicator Type | ddl | No\ + \ | Specify the type of indicator to search for (Host, IP, URL, Email, Hash, All).\ + \ Defaults to 'All'. |\n| Indicator Value | string | No | Specify the indicator\ + \ value(s) based on the indicator type you want to search for. |\n| Domain | string\ + \ | No | Specify the comma-separated domain(s) to search for. |\n| Top-Level Domain\ + \ | string | No | Specify the comma-separated top-level domain(s) to search for.\ + \ |\n| Threat Class | string | No | Specify the comma-separated threat class(es)\ + \ to search for. |\n| Target | string | No | Specify the comma-separated target(s)\ + \ to search for. |\n| Expiration | string | No | Period of time after which data\ + \ is no longer considered active. |\n| Limit | string | No | Specify the maximum\ + \ number of results to return. Defaults to '1000'. |\n\n### Additional Notes\n\ + - This action is a read-only lookup and does not modify any external systems or\ + \ internal case data. \n- If no threat data is found, the action returns a message\ + \ indicating no data was found." capabilities: can_create_case_comments: false can_create_insight: false @@ -1336,8 +1718,17 @@ Indicator Threat Lookup With TIDE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox TIDE API to retrieve threat + intelligence for a specified indicator. It does not modify any external or internal + data. It simply presents the retrieved information in the action results via + data tables and JSON output. categories: enrichment: true + reasoning: >- + The action fetches threat intelligence data from an external source (Infoblox + TIDE) and presents it in the action results. It does not mutate any external + or internal state. This fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1353,34 +1744,91 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses input + parameters to perform a lookup, meaning it does not run on specific entities. "Initiate Indicator Intel Lookup With Dossier": - ai_description: "### General Description\nInitiates an indicator investigation using\ - \ Infoblox Dossier. This action allows for the lookup of threat intelligence data\ - \ for various indicator types including IP addresses, Hostnames, URLs, Emails,\ - \ and Hashes. Users can choose to receive immediate results or a Job ID for asynchronous\ - \ processing.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Indicator Type | DDL | Yes\ - \ | The type of indicator to search for. Options: IP, Host, URL, Email, Hash.\ - \ Default is Host. |\n| Indicator Value | String | Yes | The specific value of\ - \ the indicator to be investigated. |\n| Source | String | No | Comma-separated\ - \ list of specific threat intelligence sources to query within Dossier. |\n| Wait\ - \ for Results | Boolean | No | If set to true, the action waits for the API to\ - \ return the full dossier report. If false (default), it returns a Job ID and\ - \ status. |\n\n### Additional Notes\nThis action does not automatically process\ - \ entities from the Google SecOps case; it relies on the manual input provided\ - \ in the 'Indicator Value' parameter. If 'Wait for Results' is set to false, the\ - \ resulting Job ID can be used in the 'Get Indicator Intel Lookup Result' action\ - \ to retrieve the data at a later time.\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** Retrieves the indicator type, value, sources, and wait preference\ - \ from the action parameters.\n2. **Validation:** Ensures the indicator value\ - \ is provided and non-empty, and trims whitespace from the source string if provided.\n\ - 3. **API Request:** Calls the Infoblox Dossier API endpoint corresponding to the\ - \ specified indicator type.\n4. **Response Handling:** \n * If 'Wait for Results'\ - \ is true: Parses the returned dossier results and populates a data table with\ - \ source, status, and data details.\n * If 'Wait for Results' is false: Captures\ - \ the Job ID and status for the initiated lookup.\n5. **Result Reporting:** Adds\ - \ the raw JSON response to the action results and updates the case with a summary\ - \ message and a data table." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, etc.) for an indicator + using Infoblox Dossier. This matches the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Initiates an indicator investigation using Infoblox Dossier. This action queries + the Infoblox Threat Defense platform to retrieve threat intelligence for a specified + indicator (IP, Host, URL, Email, or Hash). Depending on the configuration, it + either waits for the results to be returned or initiates a job and returns a Job + ID for later retrieval. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Indicator Type`, `Indicator + Value`, `Source`, and `Wait for Results` parameters from the configuration. + + 2. **API Interaction**: It calls the Infoblox API (`/tide/api/services/intel/lookup/indicator/{type}`) + to initiate the intel lookup. + + 3. **Result Processing**: + - If `Wait for Results` is set to `true`, the action processes the returned + data and displays it in a data table. + - If `Wait for Results` is set to `false`, the action returns the `Job ID` + and `Status` in a data table. + 4. **Output**: The raw API response is added to the action results as JSON, and + a summary table is generated for the analyst. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Indicator Type | ddl | Yes | The type of indicator to search for (IP, Host, + URL, Email, Hash). | + + | Indicator Value | string | Yes | The actual value of the indicator to investigate. + | + + | Source | string | No | Comma-separated threat intelligence sources to query. + | + + | Wait for Results | boolean | No | If set to true, the action waits for the lookup + to complete and displays results; otherwise, it returns a Job ID. | + + + ### Additional Notes + + This action does not modify any external or internal systems; it is strictly an + enrichment and information-gathering tool. capabilities: can_create_case_comments: false can_create_insight: false @@ -1391,8 +1839,17 @@ Indicator Threat Lookup With TIDE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve threat intelligence for an indicator. + It does not modify external systems or internal case data (entities/insights). + It adds a data table to the action result, which is standard output and not + considered internal mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data for an indicator. It does not mutate + external systems or modify internal case data. It meets the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1408,25 +1865,77 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes the indicator value as a parameter and does not iterate over + or process `siemplify.target_entities`. Ping: - ai_description: "### General Description\nVerifies connectivity to the Infoblox\ - \ Threat Defense with DDI server by performing a test API call. This action is\ - \ primarily used to validate that the integration's configuration parameters,\ - \ such as the API Root and API Key, are correct and that the Google SecOps environment\ - \ can successfully communicate with the Infoblox API.\n\n### Parameters Description\n\ - This action does not have any input parameters. It uses the global integration\ - \ configuration.\n\n### Additional Notes\nAs a standard 'Ping' action, it does\ - \ not process entities or modify any data within the SOAR or the external Infoblox\ - \ system.\n\n### Flow Description\n1. **Parameter Initialization**: The action\ - \ retrieves the global configuration parameters: API Root, API Key, and SSL verification\ - \ status.\n2. **API Manager Setup**: It initializes the `APIManager` with the\ - \ provided credentials and connection settings.\n3. **Connectivity Test**: The\ - \ action executes the `test_connectivity` method, which sends a GET request to\ - \ the `/api/authn/v1/account` endpoint.\n4. **Status Evaluation**: \n * If\ - \ the API call is successful, the action returns a success message and sets the\ - \ execution state to completed.\n * If an exception occurs (e.g., authentication\ - \ failure or connection timeout), the action logs the error, returns a failure\ - \ message, and sets the execution state to failed." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test. It does not perform any of the defined functional + outcomes such as enriching IOCs, updating tickets, or modifying alerts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action tests the connectivity between the Google SecOps SOAR platform and + the Infoblox Threat Defense with DDI server to ensure the integration is configured + correctly. It verifies that the provided API credentials have valid access to + the Infoblox API. + + + ### Flow Description + + 1. The action initializes the `SiemplifyAction` and retrieves the required integration + parameters (API Root, API Key, and Verify SSL). + + 2. It instantiates the `APIManager` using these credentials. + + 3. The action calls the `test_connectivity` method, which performs a GET request + to the Infoblox `/api/authn/v1/account` endpoint. + + 4. If the request is successful, the action returns a success message. If the + request fails, it logs the error and returns a failure status. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | N/A | N/A | N/A | There are no parameters for this action. | + + + ### Additional Notes + + This action is strictly for connectivity testing and does not perform any data + retrieval or modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -1437,8 +1946,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to verify connectivity. + It does not modify external or internal data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1454,39 +1970,77 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + check against the Infoblox API. Remove Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a custom list in Infoblox. This is a configuration management + action. It does not match any of the specific categories like 'Remove IOC From + Blocklist' (which implies removing an indicator from a list, not deleting the + list itself) or 'Update Alert'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Deletes a specified custom list from the Infoblox Threat Defense system. This - action is used to manage threat intelligence resources by removing named lists - that are no longer required. It requires the unique identifier of the custom list - and performs a destructive operation on the external system. + action allows administrators to remove existing custom lists by providing their + unique identifier. ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Custom List ID | string | Yes | The unique numerical ID of the custom list to - remove. The action validates that this is a positive integer before execution. - | + | Custom List ID | string | Yes | The unique identifier of the custom list to + be removed. Must be a positive integer. | ### Flow Description - 1. **Initialization**: Retrieves integration configuration (API Root, API Key, - SSL verification) and the 'Custom List ID' parameter. + 1. **Configuration Retrieval**: The action retrieves the necessary integration + configuration (API Root, API Key, Verify SSL) to establish a connection with the + Infoblox Threat Defense system. - 2. **Validation**: Validates that the provided 'Custom List ID' is a valid positive + 2. **Parameter Extraction**: The action extracts the `Custom List ID` provided + by the user. + + 3. **Validation**: The `Custom List ID` is validated to ensure it is a positive integer. - 3. **API Interaction**: Executes a DELETE request to the Infoblox API endpoint - `/api/atcfw/v1/named_lists/{custom_list_id}`. + 4. **API Execution**: The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox API endpoint (`/api/atcfw/v1/named_lists/{custom_list_id}`) + to remove the specified custom list. - 4. **Result Handling**: If the deletion is successful, it returns a success message. - If the list is not found or an error occurs (e.g., the list is currently in use - by a policy), it captures the error and fails the action. + 5. **Result Handling**: The action returns a success message if the list is deleted, + or an error message if the operation fails (e.g., invalid ID, API error). capabilities: can_create_case_comments: false can_create_insight: false @@ -1495,12 +2049,19 @@ Remove Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a custom list resource from the Infoblox Threat Defense platform using - a DELETE request. + Deletes a custom list from the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API to remove a custom list + configuration. It does not fetch data, nor does it modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external configuration + object, not an enrichment action. It does not fetch data or perform any of the + allowed internal mutations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1516,14 +2077,48 @@ Remove Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Custom List ID' as a parameter + and performs a management operation on the Infoblox system. Remove Network List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action removes a network list from the Infoblox environment. This is an + administrative configuration change and does not match any of the specific IOC, + asset, or alert management categories provided. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Removes an existing network list from the Infoblox Threat Defense environment. - This action is used to manage network security configurations by deleting specific - network lists that are no longer required. It requires the unique identifier of - the network list to perform the deletion. + Removes a network list from the Infoblox Threat Defense environment. This action + performs a DELETE request to the Infoblox API using the provided Network List + ID. ### Parameters Description @@ -1532,32 +2127,30 @@ Remove Network List: | :--- | :--- | :--- | :--- | - | Network List ID | String | Yes | The unique identifier (ID) of the network list - to be removed. Although provided as a string, the action validates that it is - a positive integer. | + | Network List ID | string | Yes | The ID of the network list to be removed. | ### Additional Notes - - The action will fail if the network list ID does not exist or if the network - list is currently assigned to an active security policy. - - - This action performs a permanent deletion in the external Infoblox system. + - The `Network List ID` parameter is validated as a positive integer before the + API call is made. ### Flow Description - 1. **Parameter Extraction**: Retrieves the `Network List ID` from the action parameters - and integration configuration (API Root, API Key). + 1. Extracts integration parameters (API root, API key, SSL verification) from + the configuration. + + 2. Extracts the `Network List ID` from the action parameters. + + 3. Validates that the `Network List ID` is a positive integer. - 2. **Validation**: Validates that the `Network List ID` is a valid positive integer. + 4. Initializes the `APIManager` and calls the `remove_network_list` method. - 3. **API Interaction**: Initializes the Infoblox API Manager and sends a `DELETE` - request to the Infoblox endpoint associated with the specific network list ID. + 5. Performs a DELETE request to the Infoblox API endpoint `/api/atcfw/v1/network_lists/{network_list_id}`. - 4. **Result Handling**: If the API returns a success status, the action completes - with a success message. If an error occurs (e.g., list not found or dependency - error), it captures the exception and reports a failure. + 6. Returns a success message if the deletion is successful, or an error message + if the operation fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1566,12 +2159,17 @@ Remove Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing network list from the Infoblox Threat Defense environment - using a DELETE request to the external API. + Deletes the specified network list from the Infoblox Threat Defense environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a network + list. It does not fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a DELETE operation on an external system (Infoblox) and + does not fetch data, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1587,13 +2185,47 @@ Remove Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a `Network List ID` as a parameter + to perform an administrative action on the Infoblox platform. Remove Security Policy: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action deletes a security policy from the Infoblox Threat Defense system. + This is a configuration change and does not match any of the provided categories + (e.g., Enrichment, Containment, Ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Deletes a specified security policy from the Infoblox Threat Defense system. This - action is primarily used to unblock indicators or manage firewall configurations - by removing obsolete or incorrect security policies using their unique identifier. + action is used to remove an existing security policy by its unique identifier. ### Parameters Description @@ -1602,31 +2234,32 @@ Remove Security Policy: | :--- | :--- | :--- | :--- | - | Security Policy ID | String | Yes | The unique numerical ID of the security - policy to be deleted. The action validates that this value is a positive integer - before proceeding. | + | Security Policy ID | string | Yes | The unique identifier of the security policy + to be deleted. This must be a valid integer. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the integration configuration (API Root, - API Key) and the action parameter (Security Policy ID). + 1. **Initialization**: The action extracts the integration configuration (API + root, API key, and SSL verification settings). - 2. **Validation**: Validates that the `Security Policy ID` is a non-empty string - and represents a positive integer. + 2. **Parameter Extraction**: The action extracts the `Security Policy ID` from + the provided parameters. - 3. **API Interaction**: Initializes the `APIManager` and executes a `DELETE` request - to the Infoblox security policies endpoint using the provided ID. + 3. **Validation**: The `Security Policy ID` is validated to ensure it is a non-empty, + positive integer. - 4. **Result Handling**: If the deletion is successful, the action completes with - a success message. If the API returns an error (e.g., policy not found or insufficient - permissions), the action fails and logs the error details. + 4. **API Interaction**: The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox Threat Defense API to remove the specified security policy. + + 5. **Completion**: The action returns a success message if the policy is removed, + or an error message if the operation fails. ### Additional Notes - This action does not process entities from the Google SecOps case; it operates - strictly based on the provided `Security Policy ID` parameter. + This action performs a destructive operation on the external system (Infoblox + Threat Defense). Ensure the `Security Policy ID` is correct before executing. capabilities: can_create_case_comments: false can_create_insight: false @@ -1635,12 +2268,18 @@ Remove Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a security policy configuration from the Infoblox Threat Defense platform - via a DELETE API request. + Deletes a security policy from the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a DELETE request to remove a security policy from the Infoblox + Threat Defense system. It does not fetch data, nor does it modify internal SOAR + data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action performs a DELETE operation on an external system (Infoblox) to remove + a security policy. It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1656,75 +2295,95 @@ Remove Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities. It operates on a specific `Security Policy + ID` provided as a parameter. Update Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the metadata of a custom list in Infoblox. It does not add + or remove IOCs, nor does it perform any of the other defined actions like ticket + creation, alert updates, or host containment. Therefore, it does not match any + of the provided product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Updates the configuration of an existing custom list in the Infoblox Threat Defense - platform. This action allows for the modification of metadata such as the list's - name, description, confidence level, threat level, and associated tags. It ensures - data consistency by fetching the current state of the list before applying updates, - allowing users to modify only specific fields while preserving others. + Updates the metadata of an existing custom list in Infoblox Threat Defense. This + action allows users to modify the name, description, confidence level, threat + level, and tags of a specific custom list while preserving its existing items. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Custom List ID | String | Yes | The unique identifier of the custom list to - be updated. Must be a positive integer. | + ### Flow Description - | Name | String | No | The new name for the custom list. If not provided, the - existing name is retained. | + 1. **Parameter Extraction**: The action retrieves the provided configuration parameters, + including the mandatory `Custom List ID` and optional metadata fields. - | Description | String | No | The new description for the custom list. Use the - keyword `empty` to remove the existing description. | + 2. **Data Retrieval**: It fetches the current details of the specified custom + list from Infoblox to ensure existing data (like the list items) is preserved. - | Confidence Level | DDL | No | The confidence level for the custom list. Options: - High, Medium, Low. | + 3. **Payload Construction**: A new payload is constructed by merging the provided + updates with the existing list data. - | Threat Level | DDL | No | The threat level for the custom list. Options: High, - Medium, Low, Info. | + 4. **Update Execution**: The action sends a PUT request to the Infoblox API to + update the custom list metadata. - | Tags | String | No | A JSON object string representing tags to categorize the - list. Use the keyword `empty` to remove all existing tags. | + 5. **Result Display**: The updated list details are returned and displayed in + a data table within the SecOps platform. - ### Additional Notes + ### Parameters Description - - The action uses a 'fetch-then-update' logic to ensure that fields not specified - in the action parameters remain unchanged in the external system. + | Parameter | Type | Mandatory | Description | - - The `empty` keyword is a special trigger used to explicitly clear the `Description` - or `Tags` fields. + | :--- | :--- | :--- | :--- | - - Tags must be provided as a valid JSON object string (e.g., `{"key": "value"}`). + | Custom List ID | string | Yes | The unique identifier of the custom list to + update. | + | Name | string | No | The new name for the custom list. | - ### Flow Description + | Description | string | No | The new description for the custom list. Use 'empty' + to remove the description. | - 1. **Parameter Initialization:** The action extracts the integration configuration - (API Root, API Key) and the action-specific parameters. + | Confidence Level | ddl | No | The new confidence level (High, Medium, Low). + | - 2. **Validation:** Validates that the `Custom List ID` is a valid positive integer. + | Threat Level | ddl | No | The new threat level (High, Medium, Low, Info). | - 3. **Data Retrieval:** Calls the Infoblox API to fetch the current details of - the specified custom list. This is necessary to populate the update payload with - existing values for any parameters not provided by the user. + | Tags | string | No | The new tags to categorize the list. Use 'empty' to remove + tags. | - 4. **Payload Construction:** Merges the user-provided updates with the existing - data. It specifically handles the `empty` keyword to nullify fields and converts - level strings to uppercase as required by the API. - 5. **API Execution:** Sends a `PUT` request to the Infoblox endpoint to update - the custom list resource. + ### Additional Notes - 6. **Result Processing:** Parses the API response, adds the raw JSON result to - the action output, and constructs a data table titled "Custom List Details" for - the case wall. + This action only updates the metadata of the custom list. It does not add or remove + items (IOCs) from the list. To modify list items, use the dedicated 'Update Custom + List Items' action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1733,12 +2392,19 @@ Update Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the properties (name, description, levels, and tags) of an existing - custom list resource in the Infoblox Threat Defense platform via a PUT request. + Updates the metadata (name, description, confidence level, threat level, tags) + of a custom list in Infoblox. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing custom list data to preserve its current state (items) + and then performs a PUT request to update the list's metadata in the external + Infoblox system. It does not modify internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a custom list configuration), which + violates the 'Read-Only' requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1754,61 +2420,63 @@ Update Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Custom List ID' as a parameter + and performs operations on that specific list in the external system. Update Custom List Items: - ai_description: >- - ### General Description - - Updates the items within an existing Infoblox Custom List. This action allows - users to programmatically manage threat intelligence lists by adding or removing - specific indicators such as IPv4 addresses, IPv6 addresses, or domain names. It - is primarily used for maintaining blocklists or allowlists within the Infoblox - Threat Defense platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Custom List ID** | String | Yes | The unique identifier of the Custom List - to update. Although provided as a string, the action validates that it is a positive - integer. | - - | **Action** | DDL | Yes | Specifies the operation to perform. Options are **Add** - (to insert new items) or **Remove** (to delete existing items). | - - | **Items** | String | Yes | A comma-separated list of indicators to be processed. - Supported formats include IPv4, IPv6, and domain names. | - - - ### Flow Description - - 1. **Parameter Extraction and Validation**: The action retrieves the Custom List - ID, the desired action (Add/Remove), and the list of items. It validates that - the ID is a valid positive integer and that every item in the list conforms to - IP or domain name syntax. - - 2. **API Request Construction**: Based on the selected action, the code prepares - a JSON payload for a PATCH request. If the action is 'Add', items are placed in - the `inserted_items_described` field; if 'Remove', they are placed in `deleted_items_described`. - - 3. **External Mutation**: The action sends a PATCH request to the Infoblox API - endpoint `/api/atcfw/v1/named_lists/{custom_list_id}/items` to update the list - state. - - 4. **Result Processing**: The action parses the response from Infoblox, calculates - the number of items added, removed, or updated, and outputs a summary message - along with the raw JSON result. - - - ### Additional Notes - - - This action does not process entities from the SecOps environment; it relies - entirely on the provided 'Items' parameter. - - - The action will fail if the 'Items' string is empty or contains invalid indicator - formats. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates items in a custom list in Infoblox Threat Defense. This list + can be used for blocklisting or allowlisting indicators, thus matching the 'Add/Remove + IOC To Blocklist/Allowlist' categories. + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: true + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action updates items in an existing\ + \ custom list within the Infoblox Threat Defense platform. It allows analysts\ + \ to dynamically add or remove indicators (such as IP addresses or domains) from\ + \ a specified custom list, facilitating automated management of threat intelligence\ + \ or security policy lists.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Custom List ID\ + \ | string | Yes | The unique identifier of the Custom List to be updated. |\n\ + | Action | ddl | Yes | The operation to perform on the list. Options are 'Add'\ + \ or 'Remove'. |\n| Items | string | Yes | A comma-separated list of indicators\ + \ (IPs, domains) to be added to or removed from the list. |\n\n### Flow Description\n\ + 1. **Initialization**: The action extracts the configuration parameters (API root,\ + \ API key, SSL verification) and the action-specific parameters (Custom List ID,\ + \ Action, Items).\n2. **Validation**: \n - Validates that the `Custom List\ + \ ID` is a positive integer.\n - Converts the `Items` string into a list and\ + \ validates that each item is a properly formatted IPv4, IPv6, or domain name.\n\ + 3. **Execution**: \n - Initializes the `APIManager` to communicate with the\ + \ Infoblox Threat Defense API.\n - Sends a `PATCH` request to the `/api/atcfw/v1/named_lists/{custom_list_id}/items`\ + \ endpoint with the specified action and items.\n4. **Result Handling**: \n \ + \ - Processes the API response to determine which items were successfully added,\ + \ removed, or updated.\n - Generates an output message summarizing the operation\ + \ results.\n - Adds the full API response as a JSON result to the action output." capabilities: can_create_case_comments: false can_create_insight: false @@ -1817,12 +2485,21 @@ Update Custom List Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or removes indicators (IPs, domains) from a named custom list in the Infoblox - Threat Defense platform using a PATCH request. + The action modifies a custom list in Infoblox Threat Defense by adding or removing + indicators. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external API (Infoblox) to modify + a custom list. It does not fetch data for enrichment, nor does it modify internal + SOAR data, entities, or alerts. It is a pure mutation action on an external + system. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies an external system (Infoblox) + and does not fetch data for enrichment purposes. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1838,53 +2515,100 @@ Update Custom List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes parameters directly from the + action configuration and does not iterate over or filter any entities. Update Network List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a network list configuration in Infoblox. While network lists + can be used for security policies, this action is a generic configuration update + and does not strictly match the specific outcomes of 'Add IOC To Blocklist' + or 'Add IOC To Allowlist' as defined, as it does not explicitly manage block/allow + status for specific IOCs in a security control context, but rather updates the + list definition itself. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Updates an existing network list in Infoblox Threat Defense with a new name, items, - or description. This action allows for partial updates; if a parameter is not - provided, the action retrieves the current value from the system and preserves - it. It also supports clearing the description field using a specific keyword. + Updates an existing network list within the Infoblox Threat Defense platform. + This action allows users to modify the name, items (such as IP addresses or CIDRs), + or description of a specific network list identified by its ID. - ### Parameters Description + ### Flow Description + 1. **Initialization**: The action extracts the necessary configuration parameters + (API root, API key, SSL verification) and action-specific inputs. - | Parameter | Type | Mandatory | Description | + 2. **Validation**: It validates the `Network List ID` to ensure it is a valid + integer. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval**: The action fetches the current details of the specified + network list from Infoblox to ensure existing data is preserved if optional parameters + are not provided. - | Network List ID | string | Yes | The unique identifier of the network list to - update. Must be a positive integer. | + 4. **Payload Construction**: It constructs the update payload by merging the provided + new values with the existing data fetched in the previous step. - | Name | string | No | The new name for the network list. If omitted, the current - name is kept. | + 5. **Execution**: It sends a `PUT` request to the Infoblox API to update the network + list configuration. - | Items | string | No | A comma-separated list of items (e.g., IP addresses or - CIDRs) to include in the network list. If omitted, current items are kept. | + 6. **Result Reporting**: The action returns the updated network list details as + a JSON result and a data table, and marks the execution as completed. - | Description | string | No | A new description for the network list. Use the - keyword `empty` to remove the existing description. If omitted, the current description - is kept. | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | + + | Network List ID | string | Yes | The unique identifier of the network list to + be updated. | + + | Name | string | No | The new name for the network list. | - 1. **Parameter Extraction**: The action retrieves the Network List ID and optional - update fields (Name, Items, Description) from the user input. + | Items | string | No | A comma-separated list of items (e.g., IP addresses) to + include in the network list. | + + | Description | string | No | A new description for the network list. Use the + keyword `empty` to remove the existing description. | - 2. **Current State Retrieval**: It calls the Infoblox API to fetch the current - configuration of the specified network list to ensure that omitted parameters - do not overwrite existing data with null values. - 3. **Data Merging**: The action merges the provided inputs with the existing configuration. - It specifically handles the `empty` keyword to clear the description field. + ### Additional Notes - 4. **External Update**: A `PUT` request is sent to the Infoblox Threat Defense - API to apply the changes to the network list. + - This action performs a `PUT` request, which overwrites the specified fields + of the network list. If optional parameters (Name, Items, Description) are not + provided, the action attempts to retain the existing values by fetching the current + state first. - 5. **Result Processing**: The updated network list details are parsed, added to - the action's JSON results, and displayed in a data table named 'Network List Details'. + - The `Items` parameter expects a comma-separated string, which is parsed into + a list before the API request is made. capabilities: can_create_case_comments: false can_create_insight: false @@ -1893,12 +2617,21 @@ Update Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration (name, items, or description) of an existing network - list in the Infoblox Threat Defense platform via a PUT request. + Updates the configuration (name, items, description) of a network list in the + Infoblox Threat Defense platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current network list data (GET) to perform a merge before + updating (PUT). It mutates external data in Infoblox by updating the network + list configuration. It does not mutate internal SOAR case data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a network list) and does not meet + the criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1914,80 +2647,121 @@ Update Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific 'Network List ID' provided as a parameter. + It does not iterate over or process SOAR target entities. Update Security Policy: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a security policy configuration in Infoblox. It does not + match any of the defined categories such as Enrich IOC, Update Alert, Update + Ticket, or Contain Host. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Modifies an existing security policy in Infoblox Threat Defense. This action allows - for comprehensive updates to a policy's configuration, including its name, description, - associated network lists, rules, and security settings. It supports clearing specific - fields using the 'empty' keyword and allows for advanced configuration through - a JSON object for additional parameters. + ### General Description + Updates an existing security policy configuration within Infoblox Threat Defense. + This action allows administrators to modify various attributes of a security policy, + such as its name, description, associated network lists, forwarding policies, + roaming device groups, security rules, and other advanced parameters. It fetches + the current policy configuration first to ensure that only the specified fields + are updated while preserving existing settings for unspecified parameters. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Security Policy ID | String | Yes | The unique identifier of the security policy - to update. Must be a positive integer. | + | Security Policy ID | string | Yes | The unique identifier of the security policy + to update. | - | Policy Name | String | No | The new name for the security policy. | + | Policy Name | string | No | The new name for the security policy. | - | Description | String | No | The updated description. Use the keyword `empty` - to remove the existing description. | + | Description | string | No | The new description for the security policy. Use + the keyword `empty` to remove the existing description. | - | Network Lists | String | No | Comma-separated IDs of network lists to associate - with the policy. Use `empty` to remove all associated lists. | + | Network Lists | string | No | Comma-separated IDs of network lists to associate + with the policy. Use `empty` to remove existing associations. | - | DFPS | String | No | Comma-separated Default Forwarding Policies (DFPs) to update. - Use `empty` to remove all DFPs. | + | DFPS | string | No | Comma-separated Default Forwarding Policies to update. + Use `empty` to remove existing DFPS. | - | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device - Groups to associate. Use `empty` to remove all groups. | + | Roaming Device Groups | string | No | Comma-separated IDs of roaming device + groups to associate with the policy. Use `empty` to remove existing associations. + | - | Rules | String | No | A JSON array of rule objects (action, type, data, etc.). - Use `empty` to remove all rules. | + | Rules | string | No | A JSON array string defining security rules (action, type, + data, policy_name, redirect_name). Use `empty` to remove all rules. | - | Safe Search | DDL | No | Enables or disables safe search filtering (True/False). + | Safe Search | ddl | No | Enables or disables safe search filtering (True/False). | - | Block DNS Rebinding | DDL | No | Enables or disables protection against DNS - rebinding attacks (True/False). | + | Block DNS Rebinding | ddl | No | Enables or disables blocking of DNS rebinding + attacks (True/False). | - | Tags | String | No | A JSON object containing tags to categorize the policy. - | + | Tags | string | No | A JSON object string containing tags to categorize the + policy. | - | Additional Parameters | String | No | A JSON object for advanced fields such - as `precedence`, `access_codes`, `doh_enabled`, etc. | + | Additional Parameters | string | No | A JSON object string containing additional + parameters (e.g., precedence, access_codes, doh_enabled). | ### Additional Notes - - The action first retrieves the existing policy configuration to ensure that - fields not specified in the parameters remain unchanged (partial update logic). + - This action performs a read-before-write operation: it retrieves the current + policy configuration to merge with the provided updates. - - The `Rules`, `Tags`, and `Additional Parameters` must be valid JSON strings. + - Parameters marked as optional will retain their existing values if not provided + in the action input. ### Flow Description - 1. **Validation**: Validates that the `Security Policy ID` is a valid positive + 1. **Initialization**: Extracts integration configuration (API root, key, SSL + verification) and action parameters. + + 2. **Validation**: Validates the `Security Policy ID` to ensure it is a valid integer. - 2. **Data Retrieval**: Fetches the current state of the security policy from Infoblox - to identify existing values. + 3. **Fetch**: Retrieves the existing security policy configuration from Infoblox + using the provided ID. - 3. **Payload Construction**: Merges the user-provided parameters with the existing - data. It specifically checks for the `empty` keyword to nullify or clear specific - attributes. + 4. **Payload Construction**: Merges the provided optional parameters with the + existing policy data to create the update payload. - 4. **API Interaction**: Sends a PUT request to the Infoblox API to update the - security policy with the newly constructed payload. + 5. **Update**: Sends a PUT request to the Infoblox API to update the security + policy. - 5. **Output**: Returns the full JSON response of the updated policy and populates - a data table with key policy details (ID, Name, Description, Default Action). + 6. **Output**: Adds the API response as JSON and a summary table of the updated + policy details to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1996,13 +2770,19 @@ Update Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration of an existing security policy in Infoblox Threat - Defense via a PUT request, potentially changing rules, network associations, - and security settings. + Updates the configuration of an existing security policy in the Infoblox Threat + Defense system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing policy data (fetches_data=true) and performs a PUT + request to update the policy configuration in the external Infoblox system (can_mutate_external_data=true). + It does not modify internal SOAR case data, entities, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + a security policy) and does not primarily fetch context for entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2018,3 +2798,6 @@ Update Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Security Policy ID provided as a parameter + and does not iterate over or process target entities from the SOAR case. diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..a58a09f8b --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,141 @@ +Infoblox - DNS Security Events Connector: + ai_description: >- + ### General Description + + This connector integrates with the Infoblox Threat Defense with DDI platform to + ingest DNS security events into Google SecOps SOAR. It enables security teams + to monitor DNS-related threats, such as malware or unauthorized domain queries, + by fetching events based on configurable filters like threat level, policy, or + network. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | API Key | Password | Yes | A unique identifier used to authenticate and authorize + access to the API. | + + | API Root | String | Yes | The base URL of the API, used as the entry point for + all API requests. | + + | Feed Name | String | No | Filter by comma-separated threat feed or custom list + name. | + + | Limit | String | No | Specify the maximum number of alerts to create. | + + | Max Hours Backwards | String | No | Number of hours before the first connector + iteration to retrieve alerts from for the first time. | + + | Network | String | No | Filter by comma-separated network name, on-premises + host, endpoint, or DFP name. | + + | Policy Action | String | No | Filter by comma-separated action performed (Log, + Block, Default, Redirect). | + + | Policy Name | String | No | Filter by comma-separated security policy names. + | + + | Queried name | String | No | Filter by comma-separated queried domain names. + | + + | Threat Class | String | No | Filter by comma-separated threat category (e.g., + Malware). | + + | Threat Family | String | No | Filter by comma-separated threat family (e.g., + Log4Shell). | + + | Threat Indicator | String | No | Filter by comma-separated threat indicators + (domains, IPs). | + + | Threat Level | String | No | Filter by threat severity level (LOW, MEDIUM, HIGH). + | + + | Verify SSL | Boolean | No | Verify SSL certificate. | + + + ### Flow Description + + 1. Connects to the Infoblox API using the provided API Key and Root URL. + + 2. Calculates the time range for fetching events based on the last successful + run or the configured `Max Hours Backwards`. + + 3. Queries the Infoblox DNS Security Events endpoint, applying optional filters + (e.g., Threat Level, Policy Name, Network). + + 4. Filters out already processed events using stored IDs to prevent duplicates. + + 5. Maps each retrieved DNS event to a SOAR `AlertInfo` object, including relevant + extensions and event data. + + 6. Ingests the mapped alerts into the SOAR platform and updates the last success + timestamp for the next iteration. +Infoblox - SOC Insights Connector: + ai_description: >- + ### General Description + + This connector retrieves SOC Insights from the Infoblox platform and creates alerts + in Google SecOps SOAR. It enables security teams to monitor and investigate threats + detected by Infoblox Threat Defense with DDI, facilitating automated response + workflows. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | API Root | String | Yes | The base URL of the Infoblox API. | + + | API Key | Password | Yes | The API key for authentication. | + + | Verify SSL | Boolean | Yes | Enable/disable SSL certificate verification. | + + | Status | String | No | Filter Insights by status (e.g., ACTIVE, CLOSED). | + + | Threat Type | String | No | Filter Insights by threat type. | + + | Priority | String | No | Filter Insights by priority (INFO, LOW, MEDIUM, HIGH, + CRITICAL). | + + + ### Flow Description + + 1. Connects to the Infoblox API using the provided credentials and base URL. + + 2. Validates input filters (Status, Priority) against allowed values. + + 3. Reads existing insight IDs from the local state to ensure deduplication. + + 4. Queries the Infoblox API for SOC Insights, applying optional filters. + + 5. Iterates through the retrieved insights, converting each into a standardized + AlertInfo object. + + 6. Checks for case overflow and skips alerts if necessary. + + 7. Returns the processed alerts to the SOAR platform for case creation. + + 8. Updates the local state with the newly processed insight IDs. diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5bb36efdf --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Infoblox Threat Defense with DDI integration provides comprehensive network + visibility and security control. It qualifies as a SIEM integration because its + connectors ingest DNS security events and SOC insights, which are used to monitor + and identify suspicious activity. It is a Network Security integration as it allows + for the management of network lists and security policies to control network traffic + and block malicious domains or IPs. It functions as a Threat Intelligence integration + by providing multiple actions to enrich indicators (IPs, domains, etc.) with reputation + and threat data via TIDE and Dossier. Finally, it serves as an Asset Inventory + integration by offering lookup actions (DHCP, Host, IP) to retrieve contextual + metadata for internal assets. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml index 3fb883b81..195a97e69 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml @@ -1,23 +1,83 @@ Get Domain Information: - ai_description: "### General Description\nEnriches Hostname entities by fetching\ - \ domain-specific information from the IPInfo service. This action retrieves data\ - \ such as associated IP addresses, IP ranges, ASN details, and a list of related\ - \ domains. The retrieved information is used to populate entity properties and\ - \ provide a structured data table for analysts within the Google SecOps platform.\n\ - \n### Parameters Description\nThere are no parameters for this action.\n\n###\ - \ Additional Notes\n* The action automatically extracts the base domain from the\ - \ hostname identifier before querying the IPInfo API.\n* Entities are marked as\ - \ enriched upon successful data retrieval.\n\n### Flow Description\n1. **Filter\ - \ Entities**: The action identifies all `HOSTNAME` entities within the current\ - \ context.\n2. **Domain Extraction**: For each hostname, it extracts the root\ - \ domain using a utility function.\n3. **API Query**: It calls the IPInfo API's\ - \ `/domains` endpoint to retrieve metadata for the extracted domain.\n4. **Data\ - \ Processing**: The resulting JSON data is flattened and prefixed with 'IPInfo'.\n\ - 5. **Internal Enrichment**: \n * Updates the entity's `additional_properties`\ - \ with the flattened data.\n * Sets the `is_enriched` flag to `True`.\n \ - \ * Attaches a CSV-formatted data table to the entity in the SecOps UI.\n6. **Finalization**:\ - \ Updates all successfully enriched entities in the system and returns a summary\ - \ message." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a domain (IOC), + which aligns with the 'Enrich IOC' category. It does not perform asset-specific + enrichment (e.g., OS, owner), nor does it perform containment, ticketing, or + alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action fetches domain information from the IPInfo service for provided Hostname + entities. It retrieves reputation and metadata for the domain, updates the entity's + profile with this information, and provides a detailed table in the action results. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `IPInfoManager` using the provided + API Root, Token, and SSL verification settings. + + 2. **Filtering**: It filters the `target_entities` to process only those with + the `HOSTNAME` type. + + 3. **Data Retrieval**: For each valid hostname, it queries the IPInfo API to retrieve + domain information. + + 4. **Enrichment**: The retrieved data is flattened and added to the entity's `additional_properties` + with an `IPInfo` prefix. The entity is marked as enriched (`is_enriched = True`). + + 5. **Result Reporting**: An entity table containing the domain information is + added to the action results, and the updated entities are saved back to the SOAR + platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL for the IPInfo API. | + + | Token | String | Yes | The API token used for authentication with the IPInfo + service. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for the API connection. + Defaults to false. | + + + ### Additional Notes + + This action is strictly for enrichment purposes and does not perform any external + mutations or containment actions. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,10 +88,18 @@ Get Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with domain metadata, sets the enriched - flag, and adds a data table to the entity. + Updates the entity's 'additional_properties' and 'is_enriched' status within + the SOAR platform. + reasoning: >- + The action fetches domain information from an external API (IPInfo) and updates + the internal entity properties (`additional_properties` and `is_enriched`). + It does not modify external systems, alert status, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPInfo) and updates internal + entities. It does not mutate external systems or perform unauthorized internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -48,40 +116,85 @@ Get Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` to process only entities + where `entity.entity_type == EntityTypes.HOSTNAME`. Get IP Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and metadata for an IP address, which + aligns with the 'Enrich IOC' category. It does not perform any other listed + actions such as ticket creation, containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches IP Address entities with detailed geolocation and network information - using the IPInfo service. This action retrieves data such as city, region, country, - ASN, and carrier details to provide context for security investigations. + This action retrieves detailed information for IP address entities using the IPInfo + service. It fetches contextual data such as geolocation, ISP, and other relevant + metadata to assist analysts in investigating potential threats. The action updates + the entity's profile within the SOAR platform with the retrieved information. ### Parameters - There are no action-specific parameters for this action. It relies on the global - integration configuration (API Root, Token, and Verify SSL). + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | API Root | String | Yes | The base URL for the IPInfo API. | + + | Token | String | Yes | The API token used for authentication with the IPInfo + service. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the API. Defaults to false. | ### Flow Description - 1. **Initialization**: The action initializes the IPInfo manager using the provided - API Root and Token from the integration configuration. + 1. Initialize the IPInfo manager using the provided API Root, Token, and SSL verification + settings. + + 2. Filter the target entities to identify those of type 'ADDRESS'. - 2. **Entity Filtering**: It identifies all entities of type `ADDRESS` within the - current scope. + 3. For each identified IP address, query the IPInfo API to retrieve associated + information. - 3. **Data Retrieval**: For each identified IP address, the action sends a GET - request to the IPInfo API. + 4. If data is successfully retrieved, update the entity's 'additional_properties' + with the fetched data (prefixed with 'IPInfo') and mark the entity as enriched. - 4. **Data Processing**: The retrieved JSON response is flattened and prefixed - with 'IPInfo'. + 5. Add the retrieved information to the action results as a table and a JSON object. - 5. **Internal Updates**: The action updates the entity's additional properties, - marks the entity as enriched, and attaches a CSV-formatted data table to the entity. + 6. Update the entities in the SOAR platform with the new properties. - 6. **Finalization**: All successfully enriched entities are updated in Google - SecOps, and a summary message is returned. + 7. End the action with a summary message indicating the success or failure of + the operations. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,10 +205,18 @@ Get IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enriched IP information and adds data - tables to the entities. + Updates entity additional properties and enrichment status within the SOAR platform. + reasoning: >- + The action fetches IP reputation and metadata from an external API (IPInfo) + and updates the entity's internal properties within the SOAR platform. It does + not modify any external systems, making it a read-only operation regarding external + state. categories: enrichment: true + reasoning: >- + The action fetches data from an external source and updates internal entity + attributes without modifying external systems. It meets all criteria for an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -112,43 +233,72 @@ Get IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for entities where `entity.entity_type == EntityTypes.ADDRESS`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) used to verify API token validity. + It does not perform any functional operations such as enrichment, containment, + or ticket management, and therefore does not match any of the defined product + categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Verifies the connectivity and API token validity for the IPInfo integration. This - action is used to ensure that the Google SecOps platform can successfully communicate - with the IPInfo service using the provided credentials. + This action verifies the connectivity and validity of the API token for the IPInfo + integration. It performs a test request to the configured API root to ensure the + integration is properly authenticated and reachable. ### Parameters Description - There are no action-specific parameters for this action. It relies on the integration's - global configuration (API Root, Token, and Verify SSL). - - - ### Additional Notes - - This action does not process any entities and is strictly for connectivity testing. - It is a standard 'Ping' action used to validate integration health. + There are no input parameters for this action. The action relies on the integration + configuration (API Root, Token, Verify SSL) defined in the integration settings. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Root, Token, and - SSL verification settings from the integration's global configuration. + 1. Initialize the `SiemplifyAction` object. - 2. **Manager Initialization**: Initializes the IPInfoManager with the retrieved - settings. + 2. Retrieve the integration configuration (API Root, Token, Verify SSL) from the + IPInfo provider settings. - 3. **Connectivity Test**: Executes a GET request to the IPInfo API using a hardcoded - test IP address (8.8.8.8) to verify the token validity and network path. + 3. Instantiate the `IPInfoManager` with the retrieved configuration. - 4. **Validation**: Validates the HTTP response status and content to ensure the - request was successful and the token is authorized. + 4. Execute the `ping()` method, which performs a GET request to the API root using + a test IP address ("8.8.8.8"). - 5. **Completion**: Returns a success message 'Connection Established.' if the - connection is verified. + 5. Validate the response to ensure the API token is valid and the service is reachable. + + 6. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -157,10 +307,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (ping) to verify API token validity. + It does not fetch contextual data on alerts or entities, nor does it modify + any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the provided instructions, actions + named 'Ping' must not be categorized as enrichment actions, regardless of whether + they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -176,3 +334,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test using a hardcoded test IP address. diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..7debe7f70 --- /dev/null +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides enrichment for external indicators, specifically IP addresses + and domains, by retrieving geolocation, ISP, and metadata. This aligns directly + with the 'Threat Intelligence' category, which is defined as the first step of + enrichment for external indicators (IP, Hash, URL) to determine reputation and + context. The integration does not perform any SIEM log searching, EDR host-level + actions, network security blocking, ITSM ticket management, or internal asset + inventory management. Therefore, it is strictly classified under Threat Intelligence. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml index 6414daf9b..e02df69c8 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml @@ -1,63 +1,86 @@ Assign to Group: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies group membership in Jamf Pro. It does not match any of the + provided categories (Enrichment, Ticket, Alert, Email, Containment, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action adds computers to a specific computer group in Jamf Pro using various - identifiers such as computer IDs, names, or serial numbers. It is designed for - bulk operations, allowing users to provide comma-separated lists of identifiers - to update group memberships efficiently. + This action assigns one or more computers to a specific computer group within + Jamf Pro. It allows administrators to manage group memberships by providing computer + identifiers such as IDs, names, or serial numbers. This is useful for grouping + devices for policy application, scoping, or containment workflows. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Jamf Pro API credentials + and configuration from the integration settings. - | Group ID | The unique ID of the computer group in Jamf Pro that you want to - modify. | String | Yes | + 2. **Parameter Extraction**: It extracts the `Group ID` and the lists of computer + identifiers (`Computer IDs`, `Computer Names`, `Computer Serial Numbers`) from + the action parameters. - | Computer IDs | A comma-separated list of Jamf computer IDs to add (e.g., "123,456"). - | String | No | + 3. **Validation**: The action validates that at least one computer identifier + is provided. - | Computer Names | A comma-separated list of computer names to add. Note: Names - may not be unique in Jamf; the API acts on the first match. | String | No | + 4. **Parsing**: It parses the comma-separated strings into lists of identifiers. - | Computer Serial Numbers | A comma-separated list of computer serial numbers - to add (e.g., "ABC123,DEF456"). | String | No | + 5. **Execution**: It initializes the `JamfManager` and performs a PUT request + to the Jamf Pro API to add the specified computers to the target group. + 6. **Result Reporting**: The action returns the result of the operation, including + the number of computers processed and the group name, to the SOAR platform. - ### Additional Notes - * **Validation Requirement:** At least one of the following parameters must be - provided for the action to execute: `Computer IDs`, `Computer Names`, or `Computer - Serial Numbers`. + ### Parameters Description - * **Identification Reliability:** Using `Computer IDs` or `Computer Serial Numbers` - is recommended over `Computer Names` for more reliable identification, as names - are not strictly unique in Jamf Pro. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Group ID | string | Yes | The ID of the computer group to modify. | - 1. **Initialization:** The action extracts the Jamf Pro integration configuration - (API Root, Credentials, SSL settings) and the action-specific parameters. + | Computer IDs | string | No | Comma-separated list of computer IDs to add. | - 2. **Input Validation:** It verifies that at least one computer identifier (ID, - Name, or Serial Number) has been provided. If all are empty, the action fails. + | Computer Names | string | No | Comma-separated list of computer names to add. + | - 3. **Data Parsing:** Comma-separated strings are parsed into clean Python lists, - removing whitespace and empty entries. + | Computer Serial Numbers | string | No | Comma-separated list of computer serial + numbers to add. | - 4. **API Interaction:** The action initializes the `JamfManager`, authenticates - with Jamf Pro, and calls the `assign_to_group` method. - 5. **Mutation:** The manager constructs an XML payload containing the computer - additions and sends a `PUT` request to the Jamf Pro Classic API endpoint (`/JSSResource/computergroups/id/{id}`). + ### Additional Notes - 6. **Result Processing:** The action parses the XML response from Jamf, extracts - the group name and the count of processed computers, and returns a summary message - and JSON result to the Google SecOps platform. + At least one of the following parameters must be provided for the action to execute: + `Computer IDs`, `Computer Names`, or `Computer Serial Numbers`. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,12 +89,18 @@ Assign to Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the membership of a computer group in Jamf Pro by adding - specified computers to it via a PUT request to the Jamf Pro Classic API. + Adds computers to a specified computer group in Jamf Pro. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Jamf Pro API to modify group membership. + It does not fetch data for enrichment, nor does it modify internal SOAR data + (other than returning a result JSON). categories: enrichment: false + reasoning: >- + The action is a management/mutation action, not an enrichment action, as it + does not fetch data for context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -87,72 +116,100 @@ Assign to Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on parameters provided + in the action configuration. Get Computer Inventory: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves computer inventory data, which provides contextual metadata + (OS, hardware, user info) for assets. This aligns with the 'Enrich Asset' category. + It does not perform searches for historical logs (Search Events) or modify alerts/tickets. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Retrieves paginated computer inventory records from Jamf Pro. This action allows - for comprehensive searching and filtering of managed computers based on attributes - like name, serial number, UDID, or user email. It supports advanced sorting and - allows users to specify which data sections (e.g., Hardware, Security, Applications) - should be included in the response to optimize performance and data relevance. + users to query the Jamf Pro API for computer details, supporting pagination, sorting, + filtering, and specific section selection to optimize data retrieval. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts integration configuration (API root, credentials) + and action parameters (Page, Page Size, Filter, Filter Value, Section, Sort). - | :--- | :--- | :--- | :--- | + 2. **Validation**: Validates input parameters, ensuring page numbers and sizes + are valid integers. - | Filter | DDL | Yes | The field to filter the inventory by. Options include `general.name`, - `hardware.serialNumber`, `udid`, `userAndLocation.username`, and `userAndLocation.email`. - | + 3. **Query Construction**: Builds the API query string based on the provided filter + field, filter value, and sorting criteria. It also determines the necessary API + sections to request based on the filter field if not explicitly provided. - | Filter Value | String | Yes | The specific value to search for within the selected - filter field. | + 4. **Data Retrieval**: Initializes the `JamfManager` and executes the `get_computer_inventory` + method to fetch data from the Jamf Pro API. - | Page | String | No | The page number to retrieve for paginated results. Defaults - to "0". | + 5. **Result Processing**: Processes the API response, calculates pagination information, + and adds the retrieved inventory data to the action result JSON for display in + the SOAR platform. - | Page Size | String | No | The number of records to return per page. Defaults - to "100". | - | Section | Multi-select | No | Specific data categories to include in the response - (e.g., `HARDWARE`, `SECURITY`, `APPLICATIONS`). Selecting `ALL` retrieves all - available data. | - - | Sort | Multi-select | No | Criteria for sorting the results, including field - and direction (e.g., `general.name:asc`). | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization:** The action extracts Jamf Pro API credentials and user-provided - parameters from the environment and action configuration. + | Page | string | No | Page number to retrieve (default 0). | - 2. **Validation:** It validates that the `Page` and `Page Size` parameters are - valid integers and within acceptable ranges. + | Page Size | string | No | Number of records per page (default 100). | - 3. **Query Preparation:** The action constructs a Jamf-compliant filter string - (e.g., `field=="value"`) and formats the sort criteria and requested data sections. + | Filter | ddl | Yes | Filter criteria field (e.g., general.name, hardware.serialNumber). + | - 4. **Section Optimization:** If a specific filter field is used, the action automatically - ensures the corresponding data section is included in the API request to ensure - the filter can be processed correctly. + | Filter Value | string | Yes | The value to filter by for the selected Filter + field. | - 5. **API Execution:** It authenticates with the Jamf Pro API and performs a GET - request to the `/api/v1/computers-inventory` endpoint with the constructed query - parameters. + | Section | MULTI_CHOICE_PARAMETER | No | Sections to include in the response + (e.g., GENERAL, HARDWARE, SECURITY). Defaults to ALL. | - 6. **Output:** The retrieved inventory data, along with pagination and metadata, - is returned as a JSON result for further analysis or display. + | Sort | MULTI_CHOICE_PARAMETER | No | Sort criteria (e.g., general.name:asc). + | ### Additional Notes - This action does not operate on specific SecOps entities (like IP or Hostname) - but rather performs a global search against the Jamf Pro inventory. It is strictly - a read-only enrichment action. + - The action requires both `Filter` and `Filter Value` to be provided to apply + filtering. If only one is provided, the filter is skipped. + + - The action automatically adds required sections based on the filter field if + not explicitly requested. capabilities: can_create_case_comments: false can_create_insight: false @@ -163,8 +220,16 @@ Get Computer Inventory: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve computer inventory + data. It does not mutate any external systems (no POST/PUT/DELETE). It does + not modify any internal SOAR data (entities, insights, or case comments), it + only returns the retrieved data as a result JSON. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -180,16 +245,50 @@ Get Computer Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on specific entities. It retrieves global inventory + data from Jamf Pro based on provided filter parameters, not based on specific + entities in the case. Get Device Group Membership: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves device group membership data from Jamf Pro. It does not + match any of the specific product categories (e.g., Enrich IOC, Enrich Asset, + Update Alert) as it is a general data retrieval action for a group, not a specific + indicator or asset. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Device Group Membership** action retrieves the list of computers belonging - to a specific computer group in Jamf Pro. It provides detailed membership information, - including the total count of member devices and their basic details. This action - is compatible with both static and smart computer groups, allowing security teams - to identify all devices associated with a specific management group for further - investigation or orchestration. + Retrieves membership information for a specific device group from Jamf Pro. This + action fetches detailed membership data, including all member devices and their + basic information, for both static and smart computer groups. ### Parameters Description @@ -198,35 +297,30 @@ Get Device Group Membership: | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique identifier of the computer group in Jamf - Pro to retrieve membership for. | + | Group ID | string | Yes | The ID of the computer group to retrieve membership + for. | ### Flow Description - 1. **Initialization**: The action initializes the Jamf Pro API manager using the - integration's configuration (API Root, Client ID, and Secret). + 1. Extracts configuration parameters (API root, credentials) and the `Group ID` + action parameter. - 2. **Parameter Extraction**: The action retrieves the `Group ID` provided by the - user. + 2. Initializes the `JamfManager` to authenticate with the Jamf Pro API. - 3. **API Request**: It calls the Jamf Pro API endpoint `/JSSResource/computergroups/id/{id}` - to fetch the group's membership data. + 3. Queries the Jamf Pro API to retrieve the membership details for the specified + `Group ID`. - 4. **Data Processing**: The action extracts the list of computers from the response - and calculates the total member count. + 4. If data is found, it extracts the list of computers and the member count. - 5. **Result Delivery**: The membership data and count are added to the action's - JSON results, and a summary message is provided. + 5. Adds the retrieved membership data to the action result JSON for use in the + playbook. ### Additional Notes - - This action does not operate on entities; it requires the manual input of a - Group ID. - - - If the specified Group ID does not exist, the action will report that no membership - data was found. + This action is a read-only operation that retrieves data from Jamf Pro. It does + not modify any external systems or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -237,8 +331,16 @@ Get Device Group Membership: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve device group membership data from + Jamf Pro. It does not mutate external systems, update entities, create insights, + or modify case data. It only returns the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal data. It meets the criteria for an enrichment action + as it is a read-only data retrieval task. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -254,56 +356,75 @@ Get Device Group Membership: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It retrieves information + based on a provided `Group ID` parameter, so it does not target any specific + entity types. Get Device Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (hardware, OS, user/location) for a + specific device from Jamf Pro. This matches the 'Enrich Asset' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Device Information** action retrieves comprehensive details for a specific - computer managed in Jamf Pro using its unique Computer ID. This action is designed - for deep enrichment, providing technical data points such as hardware specifications, - operating system details, disk encryption status, and user/location information. - It is particularly useful for security analysts needing to verify the state or - ownership of a macOS or Windows device during an investigation. + This action retrieves detailed computer information from Jamf Pro using a specified + Computer ID. It fetches comprehensive device data, including general details, + hardware specifications, operating system information, and user/location data, + providing valuable context for asset management and investigation. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Computer ID** | The unique numerical identifier of the computer in Jamf Pro - for which information should be retrieved. | String | Yes | - - - ### Additional Notes - - * This action does not automatically iterate over SecOps entities (like Hostnames - or IPs). It requires the specific Jamf Computer ID to be provided as an input - parameter. - - * The action includes a data-cleaning layer that handles unescaped quotes and - special characters in the Jamf API response to ensure the resulting JSON is valid - for display in the Google SecOps UI. + | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro + to retrieve information for. | ### Flow Description - 1. **Authentication**: The action connects to the Jamf Pro API using OAuth2 credentials - (Client ID and Secret) to obtain a temporary access token. - - 2. **Input Validation**: The mandatory `Computer ID` parameter is extracted and - validated. + 1. **Initialization**: The action extracts the required Jamf Pro API configuration + (API Root, Client ID, Client Secret, Verify SSL) and the mandatory `Computer ID` + parameter. - 3. **API Request**: The action performs a GET request to the Jamf Pro `/api/v1/computers-inventory-detail/{id}` - endpoint. + 2. **Manager Setup**: Initializes the `JamfManager` with the provided credentials + to handle API authentication and communication. - 4. **Data Sanitization**: The raw API response is processed through a cleaning - utility to escape control characters and fix common JSON structural issues found - in Jamf inventory data (e.g., within extension attributes or certificates). + 3. **Data Retrieval**: Calls the Jamf Pro API to fetch detailed inventory information + for the specified device ID. - 5. **Result Delivery**: The sanitized device information is returned as a JSON - object and made available for subsequent playbook steps or UI widgets. + 4. **Result Output**: If the device is found, the action returns the device information + as a JSON result. If not found, it logs the event and returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -314,8 +435,16 @@ Get Device Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve device details. + It does not modify any external systems or internal SOAR data (entities, insights, + or case comments). categories: enrichment: true + reasoning: >- + The action fetches device information from an external system (Jamf Pro) without + modifying any external or internal state. This fits the definition of an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -331,68 +460,98 @@ Get Device Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Computer ID' as a direct input parameter rather than iterating + over `siemplify.target_entities`. Therefore, it does not run on entities. Get Mobile Device Inventory: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves mobile device inventory, which provides contextual metadata + about assets (mobile devices). This matches 'Enrich Asset' and 'Search Asset'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves mobile device inventory from Jamf Pro with support for pagination, sorting, + and filtering. This action allows analysts to query Jamf Pro for specific mobile + device details based on criteria such as serial number, UDID, username, or email + address. It optimizes data retrieval by allowing the selection of specific data + sections (e.g., Hardware, Security, Applications). - Retrieves mobile device inventory data from Jamf Pro using the v2 API. This action - allows for granular searching of mobile devices based on specific identifiers - like serial numbers or usernames, with support for pagination, sorting, and the - ability to request specific data sections (e.g., Hardware, Security, Applications) - to optimize performance. + ### Flow Description - ### Parameters Description + 1. **Initialization**: The action initializes the Jamf Manager using the provided + API credentials (API Root, Client ID, Client Secret) and SSL verification settings. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Processing**: It extracts and validates action parameters, including + pagination (Page, Page Size), sorting criteria, and filtering options (Filter + field and value). - | :--- | :--- | :--- | :--- | + 3. **Section Determination**: It automatically determines the required data sections + based on the selected filter field to ensure efficient API requests. - | Page | String | No | The page number to retrieve (default is 0). | + 4. **Data Retrieval**: It calls the Jamf Pro v2 API to fetch the mobile device + inventory based on the constructed query parameters. - | Page Size | String | No | The number of records to return per page (default - is 100, maximum is 2000). | + 5. **Result Output**: The retrieved inventory data is returned as a JSON result, + which is then added to the action's output for the analyst to review. - | Filter | DDL | Yes | The field used to filter the inventory. Supported fields: - `serialNumber`, `udid`, `username`, `emailAddress`. | - | Filter Value | String | Yes | The specific value to search for in the selected - filter field. | + ### Parameters - | Section | DDL | No | Specific data sections to include in the response (e.g., - `HARDWARE`, `SECURITY`, `APPLICATIONS`). Selecting `ALL` retrieves all available - data. | + | Parameter | Type | Mandatory | Description | - | Sort | Multi-choice | No | Criteria for sorting the results (e.g., `displayName:asc`). - Multiple fields can be selected. | + | :--- | :--- | :--- | :--- | + | Page | string | No | Page number to retrieve (default: 0). | - ### Additional Notes + | Page Size | string | No | Number of records per page (default: 100). | - - The action automatically includes the necessary data section required by the - chosen `Filter` field (e.g., if filtering by `udid`, the `HARDWARE` section is - automatically added if not already selected). + | Filter | ddl | Yes | The field to filter by (e.g., serialNumber, udid, username, + emailAddress). | - - Page and Page Size must be valid integers. + | Filter Value | string | Yes | The value to match against the selected filter + field. | + | Section | ddl | No | The data sections to include in the response (e.g., ALL, + GENERAL, HARDWARE). Defaults to ALL. | - ### Flow Description + | Sort | ddl | No | Sort criteria for the results (e.g., displayName:asc). | - 1. **Parameter Extraction**: Retrieves and validates pagination, filtering, and - sorting parameters from the action configuration. - 2. **Section Logic**: Determines which Jamf Pro data sections are required based - on the user's filter choice to ensure the query returns the expected data. - - 3. **API Authentication**: Obtains an OAuth2 bearer token from Jamf Pro using - the provided Client ID and Secret. + ### Additional Notes - 4. **Data Retrieval**: Executes a GET request to the `/api/v2/mobile-devices/detail` - endpoint with the constructed query parameters (page, page-size, sort, filter, - and sections). + - The action requires valid Jamf Pro API credentials configured in the integration + settings. - 5. **Result Processing**: Cleans the returned JSON data to ensure compatibility - with the SOAR platform and outputs the inventory details as a JSON result. + - The 'Filter' and 'Filter Value' parameters are mandatory for performing a targeted + search. If no filter is provided, the action may return a broad list of devices + depending on the API configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -403,8 +562,16 @@ Get Mobile Device Inventory: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve mobile device + inventory. It does not modify any external or internal systems. It simply returns + the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) to provide context + about mobile devices. It does not mutate external or internal data. It fits + the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -420,42 +587,84 @@ Get Mobile Device Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to query the Jamf API directly. List Computer Groups: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves computer groups, which provides contextual information + about the asset environment in Jamf Pro. This aligns with the 'Enrich Asset' + category, as it returns contextual metadata for resources. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves all computer groups (both static and smart) configured in Jamf Pro. + This action connects to the Jamf Pro API, fetches the complete list of computer + groups, and returns the data as a JSON object for further analysis or reporting. - Retrieves a comprehensive list of all computer groups configured within Jamf Pro, - including both static and smart groups. This action is used to discover the organizational - structure of managed devices, providing a list of group names and identifiers - that can be used in subsequent automation steps. + ### Flow Description - ### Parameters Description + 1. **Initialization**: The action initializes the `JamfManager` using the provided + API credentials (`Jamf Pro API Root`, `Jamf Pro Client API ID`, `Jamf Pro Client + API Secret`) and SSL verification settings. - This action does not require any input parameters. It utilizes the global integration - configuration for authentication and connectivity. + 2. **Data Retrieval**: It calls the Jamf Pro API endpoint `/api/v1/computer-groups` + to retrieve the list of all computer groups. + 3. **Result Processing**: The retrieved list is formatted into a JSON structure + and added to the action results. If no groups are found, an empty list is returned. - ### Flow Description - 1. **Authentication**: The action initializes the Jamf Manager and authenticates - using the provided Client API ID and Secret to obtain an OAuth2 access token. + ### Parameters - 2. **API Request**: It performs a GET request to the Jamf Pro API endpoint `/api/v1/computer-groups` - to fetch all defined computer groups. + | Parameter | Type | Mandatory | Description | - 3. **Data Processing**: The retrieved list is processed and encapsulated into - a JSON structure. + | :--- | :--- | :--- | :--- | + + | Jamf Pro API Root | String | Yes | The base URL for the Jamf Pro API (e.g., + https://yourserver.jamfcloud.com). | - 4. **Result Delivery**: The action returns the list of computer groups to the - Google SecOps platform via the result JSON, making it available for playbook logic. + | Jamf Pro Client API ID | String | Yes | The client ID used for API authentication. + | + + | Jamf Pro Client API Secret | String | Yes | The client secret used for API authentication. + | + + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when connecting + to the Jamf Pro API. Defaults to True. | ### Additional Notes - This is a global discovery action and does not operate on specific entities (such - as Hostnames or IPs). If no groups are found, the action will still complete successfully - but return an empty list. + This action is a read-only operation and does not modify any data within Jamf + Pro or the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -466,8 +675,16 @@ List Computer Groups: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve computer groups from Jamf Pro. + It does not modify any external or internal data. It simply returns the retrieved + data as a JSON result. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal state. It qualifies as an enrichment action as it gathers + supplemental context about the environment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -483,14 +700,47 @@ List Computer Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any specific entities; it retrieves global configuration + data (computer groups) from Jamf Pro. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + category operations such as enrichment, containment, ticketing, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity and authentication - configuration between Google SecOps and the Jamf Pro and Jamf Protect APIs. It - ensures that the provided credentials (Client ID and Secret) are valid and that - the network path to the API endpoints is open. + This action verifies connectivity to the Jamf Pro and Jamf Protect APIs. It is + used to ensure that the integration is correctly configured and that the provided + credentials have the necessary permissions to communicate with the Jamf services. ### Parameters Description @@ -499,51 +749,48 @@ Ping: | :--- | :--- | :--- | :--- | - | Jamf Pro API Root | String | Yes | The base URL of the Jamf Pro server (e.g., - `https://yourserver.jamfcloud.com`). | + | Jamf Pro API Root | String | Yes | The base URL for the Jamf Pro API. | - | Jamf Pro Client API ID | String | Yes | The API Client ID used for authentication - with Jamf Pro. | + | Jamf Pro Client API ID | String | Yes | The Client API ID for Jamf Pro authentication. + | - | Jamf Pro Client API Secret | String | Yes | The API Client Secret used for authentication - with Jamf Pro. | + | Jamf Pro Client API Secret | String | Yes | The Client API Secret for Jamf Pro + authentication. | - | Verify SSL | Boolean | No | If enabled (default), the action will verify the - SSL certificate of the Jamf servers. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + Defaults to True. | - | Jamf Protect API Root | String | No | The base URL of the Jamf Protect server. - Required only if testing Jamf Protect connectivity. | + | Jamf Protect API Root | String | No | The base URL for the Jamf Protect API. + Required if testing Jamf Protect connectivity. | - | Jamf Protect Client API ID | String | No | The API Client ID for Jamf Protect. - Required only if testing Jamf Protect connectivity. | + | Jamf Protect Client API ID | String | No | The Client API ID for Jamf Protect + authentication. Required if testing Jamf Protect connectivity. | - | Jamf Protect Client API Secret | String | No | The API Client Secret for Jamf - Protect. Required only if testing Jamf Protect connectivity. | + | Jamf Protect Client API Secret | String | No | The Client API Secret for Jamf + Protect authentication. Required if testing Jamf Protect connectivity. | ### Additional Notes - - To test Jamf Protect connectivity, all three Protect-related parameters (`API - Root`, `Client ID`, and `Client Secret`) must be provided. If any are missing, - the action will only test Jamf Pro. - - - This action does not process any entities. + - If Jamf Protect parameters are provided, the action will attempt to verify connectivity + to both Jamf Pro and Jamf Protect. If only Jamf Pro parameters are provided, it + will only verify Jamf Pro connectivity. ### Flow Description - 1. **Parameter Extraction:** Retrieves Jamf Pro and Jamf Protect configuration - details from the integration settings. - - 2. **Jamf Pro Connectivity Test:** - - Initializes the `JamfManager`. - - Attempts to obtain an OAuth2 access token via a POST request. - - Calls the Jamf Pro version endpoint (GET) to confirm API responsiveness. - 3. **Jamf Protect Connectivity Test (Optional):** - - If Protect credentials are provided, initializes the `JamfProtectManager`. - - Attempts to obtain an access token for the Jamf Protect GraphQL API. - 4. **Result Reporting:** Returns a success message if the tests pass, or a failure - message with error details if any step fails. + 1. Extract the required configuration parameters (Jamf Pro API Root, Client ID, + Client Secret, and optional SSL verification setting). + + 2. Initialize the `JamfManager` with the provided credentials. + + 3. Execute the `test_connectivity` method to verify access to the Jamf Pro API. + + 4. If Jamf Protect parameters are provided, initialize the `JamfProtectManager` + and execute its `test_connectivity` method. + + 5. Log the success or failure of the connectivity tests and terminate the action + with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -554,8 +801,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making GET requests to the Jamf APIs + to verify authentication and server availability. It does not modify any external + or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, regardless of whether they fetch + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -571,57 +826,96 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. Remote Lock Managed Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action sends a remote lock command to a managed computer, which isolates + the device and restricts user access. This directly aligns with the 'Contain + Host' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Remotely lock a managed computer using Jamf Pro MDM commands. This action is designed - specifically for computers. It locks the device screen and can optionally display - a custom message and phone number. For mobile device lock functionality, use the - "Remote Lock Mobile Device" action instead. + This action remotely locks a managed computer using Jamf Pro MDM commands. It + is intended for security containment scenarios where a device needs to be immediately + secured. The action sends a `DEVICE_LOCK` command to the Jamf Pro API, which locks + the device screen. Optionally, a custom message and a contact phone number can + be displayed on the locked screen to provide instructions to the user. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Jamf Pro API credentials + (API Root, Client ID, Client Secret) and SSL verification settings from the integration + configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the required `Computer ID` and + `PIN`, along with optional `Message` and `Phone Number` parameters. - | Computer ID | String | Yes | The ID of the computer to lock. | + 3. **Device Identification**: The action calls the Jamf Pro API to retrieve detailed + device information for the provided `Computer ID` to obtain the required `managementId`. - | PIN | String | Yes | A 6-digit PIN code required to unlock the device. Note: - While the configuration might suggest this is optional, the underlying logic requires - a valid 6-digit numeric PIN to execute the lock command. | + 4. **Command Execution**: The action sends a `DEVICE_LOCK` MDM command to the + Jamf Pro API, including the `managementId`, the required 6-digit PIN, and any + optional display information. - | Message | String | No | Optional custom message to display on the locked device - screen. | + 5. **Result Reporting**: The action logs the command initiation status and adds + the result details to the action output. - | Phone Number | String | No | Optional phone number to display on the locked - device screen for contact. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client ID and Secret to obtain a bearer token. + | :--- | :--- | :--- | :--- | - 2. **Management ID Retrieval**: It retrieves the detailed inventory for the specified - Computer ID to obtain the `managementId` required for MDM commands. + | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro + to be locked. | - 3. **Command Initiation**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro - API targeting the specific `managementId`. The command payload includes the PIN - and any optional display information (message/phone number). + | PIN | string | Yes | A 6-digit PIN code required to unlock the device. | - 4. **Result Reporting**: The action captures the API response, adds the command - details to the JSON results, and provides a success or failure message to the - case wall. + | Message | string | No | An optional custom message to display on the locked + device screen. | + + | Phone Number | string | No | An optional phone number to display on the locked + device screen for contact. | ### Additional Notes - - This action is intended for macOS computers managed by Jamf Pro. + - This action is specifically designed for computers. For mobile devices, use + the "Remote Lock Mobile Device" action. - - The PIN must be exactly 6 digits long. + - The PIN parameter is mandatory and must be exactly 6 digits. capabilities: can_create_case_comments: false can_create_insight: false @@ -630,12 +924,22 @@ Remote Lock Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API to remotely lock a managed - computer, changing the state of the physical device. + Sends a DEVICE_LOCK MDM command to the Jamf Pro API to remotely lock the specified + managed computer. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (management ID) from the Jamf Pro API + to perform the lock command (fetches_data=true). It performs a POST request + to the Jamf Pro API to send a device lock command, which changes the state of + the external device (can_mutate_external_data=true). It does not modify internal + SOAR case data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a containment action that modifies the state of an external device. + It does not meet the criteria for an enrichment action as it performs a state-changing + operation on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -651,47 +955,80 @@ Remote Lock Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities directly. It takes a 'Computer + ID' as a direct input parameter to identify the target device. Remote Lock Mobile Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a remote lock on a mobile device, which is functionally + equivalent to containing a host (isolating it from use). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- + ### General Description + Remotely locks a managed mobile device using Jamf Pro MDM commands. This action - is used to secure a device by locking its screen, preventing unauthorized access. - It allows for an optional custom message and a contact phone number to be displayed - on the locked screen. + is designed to secure a device by sending a lock command, optionally displaying + a custom message and contact phone number on the device screen. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Mobile Device ID | String | Yes | The unique identifier of the mobile device - in Jamf Pro that you wish to lock. | + | Mobile Device ID | string | Yes | The unique identifier of the mobile device + to be locked. | - | Message | String | No | An optional custom message to display on the device's - lock screen (e.g., 'This device has been locked by IT'). | + | Message | string | No | An optional custom message to display on the locked + device screen. | - | Phone Number | String | No | An optional phone number to display on the lock - screen so the user can contact the administrator. | + | Phone Number | string | No | An optional phone number to display on the locked + device screen for contact purposes. | ### Flow Description + 1. **Initialization**: The action extracts the Jamf Pro API configuration (API + root, client ID, client secret) and the action parameters (Mobile Device ID, Message, + Phone Number). - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client ID and Secret to obtain a bearer token. - - 2. **Device Identification**: It retrieves the detailed inventory information - for the specified `Mobile Device ID` to obtain the necessary `managementId` required - for MDM commands. + 2. **Device Retrieval**: The action calls the Jamf Pro API to retrieve the details + of the specified mobile device to obtain its `managementId`. - 3. **Command Execution**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro - `/api/v2/mdm/commands` endpoint, targeting the specific device's management ID. + 3. **Command Execution**: The action sends a `DEVICE_LOCK` MDM command to the + Jamf Pro API, including the `managementId`, the optional message, and the optional + phone number. - 4. **Result Processing**: The action captures the API response, logs the command - details (including whether a message or phone number was used), and returns a - success or failure status to Google SecOps. + 4. **Result Handling**: The action logs the status of the command initiation and + adds the result to the SOAR action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -700,12 +1037,20 @@ Remote Lock Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to Jamf Pro to remotely lock a managed mobile - device, changing the physical state of the device to a locked screen. + Sends a DEVICE_LOCK MDM command to the Jamf Pro API to remotely lock the specified + mobile device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device details (management ID) from the Jamf Pro API to perform + the lock, so it fetches data. It sends a command to Jamf Pro to lock the device, + which is an external mutation. It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a containment action (locking a device), not an enrichment action. + It does not retrieve context for analysis but rather performs a state-changing + operation on an external device. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -721,50 +1066,89 @@ Remote Lock Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter 'Mobile Device ID' provided by the user, rather + than iterating over 'siemplify.target_entities'. Therefore, it does not run + on entities. Update Extension Attribute: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an extension attribute for a computer in Jamf Pro. This is + a metadata update on an asset. It does not match any of the provided categories + (e.g., it is not an alert update, ticket update, identity update, or containment + action). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Updates a specific extension attribute for a computer in Jamf Pro. This action + allows administrators to modify custom metadata fields for managed devices, supporting + multiple values as a comma-separated list. - Updates a specific extension attribute for a computer managed in Jamf Pro. This - action allows security analysts to programmatically modify computer metadata, - such as department assignments, asset tags, or custom status fields, directly - from Google SecOps. + ### Flow - ### Parameters Description + 1. Extracts configuration (API root, credentials) and action parameters (Computer + ID, Extension Attribute Name, Values). - | Parameter Name | Type | Mandatory | Description | + 2. Initializes the `JamfManager` to handle API communication. - | :--- | :--- | :--- | :--- | + 3. Fetches the list of all available extension attributes from Jamf Pro to identify + the correct attribute ID by name. - | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro - that needs to be updated. | + 4. Updates the specified computer's extension attribute with the provided values + using a PATCH request. - | Extension Attribute Name | string | Yes | The display name of the extension - attribute to update. The action will automatically resolve this name to its internal - Jamf ID. | + 5. Returns the result of the update operation, including computer details if available. - | Values | string | Yes | A comma-separated list of values to assign to the extension - attribute. | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 1. **Initialization:** Extracts the Jamf Pro API configuration and action parameters - (Computer ID, Attribute Name, and Values). + | Computer ID | string | Yes | The ID of the computer to update the extension + attribute for. | - 2. **Value Parsing:** Converts the comma-separated 'Values' string into a list, - ensuring at least one value is provided. + | Extension Attribute Name | string | Yes | The name of the extension attribute + to update. | - 3. **Attribute Resolution:** Fetches the complete list of computer extension attributes - from the Jamf Pro API to find the `definitionId` associated with the provided - 'Extension Attribute Name'. + | Values | string | Yes | Comma-separated list of values to set for the extension + attribute (e.g., value1,value2,value3). | - 4. **Update Execution:** Sends a PATCH request to the Jamf Pro API for the specified - Computer ID, updating the targeted extension attribute with the new values. - 5. **Result Handling:** Retrieves the updated computer details (Name, Serial Number, - Platform) and provides a summary message and full JSON result of the operation. + ### Additional Notes + + - The action requires valid Jamf Pro API credentials configured in the integration + settings. + + - The 'Values' parameter accepts a comma-separated list of strings, which will + be set for the specified extension attribute. capabilities: can_create_case_comments: false can_create_insight: false @@ -773,12 +1157,20 @@ Update Extension Attribute: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the value of a specific extension attribute for a computer in Jamf Pro - using a PATCH request to the computer inventory detail endpoint. + Updates the specified extension attribute for a computer in the Jamf Pro system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a PATCH request to the Jamf Pro API to update an extension + attribute (can_mutate_external_data=true). It fetches the list of extension + attributes to find the correct ID (fetches_data=true). It does not modify internal + SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Jamf Pro) to update an + extension attribute. It does not fetch data for the purpose of enrichment, nor + does it modify internal SOAR data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -794,38 +1186,66 @@ Update Extension Attribute: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers from the SOAR entity model. It relies on a user-provided `Computer + ID` parameter to perform the update. Therefore, it does not run on entities. Update Protect Prevent List: - ai_description: "### General Description\nThe **Update Protect Prevent List** action\ - \ allows security administrators to modify an existing prevent list within Jamf\ - \ Protect. This action is primarily used for containment by adding new indicators\u2014\ - such as file hashes, Team IDs, or Signing IDs\u2014to a blocklist to prevent malicious\ - \ activity on managed macOS devices.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Prevent\ - \ List Name** | String | Yes | The exact name of the existing prevent list in\ - \ Jamf Protect that you wish to update. |\n| **Prevent List Description** | String\ - \ | No | An optional field to update the description of the prevent list. If left\ - \ blank, the existing description is preserved. |\n| **Prevent Type** | DDL |\ - \ Yes | The type of indicators the list contains. Options include `File Hash`,\ - \ `Signing Information - Team ID`, `Signing Information - Code Directory Hash`,\ - \ and `Signing Information - Signing ID`. **Note:** This must match the type of\ - \ the existing list. |\n| **Prevent List Data** | String | Yes | A comma-separated\ - \ list of the new indicators (e.g., SHA-256 hashes) to be added to the prevent\ - \ list. |\n| **Prevent List Tags** | String | No | A comma-separated list of tags\ - \ to be added to the prevent list. |\n\n### Flow Description\n1. **Authentication**:\ - \ Connects to the Jamf Protect API using the provided credentials.\n2. **List\ - \ Retrieval**: Fetches all available prevent lists from the Jamf Protect environment.\n\ - 3. **Target Identification**: Searches for a list matching the provided **Prevent\ - \ List Name**.\n4. **Validation**: Verifies that the target list exists and that\ - \ the provided **Prevent Type** matches the list's current configuration (as Jamf\ - \ Protect does not allow changing the type of an existing list).\n5. **Data Merging**:\ - \ Combines the new indicators and tags with the existing ones, ensuring all entries\ - \ are unique and properly formatted.\n6. **Indicator Validation**: Performs regex-based\ - \ validation on the new indicators (e.g., ensuring file hashes are valid SHA-1\ - \ or SHA-256 strings).\n7. **Update Execution**: Sends a GraphQL mutation to Jamf\ - \ Protect to apply the updates to the prevent list.\n\n### Additional Notes\n\ - - This action does not run on entities; it relies entirely on the provided input\ - \ parameters.\n- The action will fail if the specified list name is not found\ - \ or if the indicator formats are invalid for the selected type." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a prevent list in Jamf Protect, which is functionally equivalent + to adding indicators to a blocklist. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Updates an existing prevent list in Jamf Protect by adding new\ + \ indicators (hashes, domains, IPs) and tags. This action allows security teams\ + \ to maintain and expand their blocklists directly from the SOAR platform.\n\n\ + ### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API credentials) and action parameters.\n2. **Parsing**: Processes the provided\ + \ comma-separated strings for indicators (`Prevent List Data`) and tags (`Prevent\ + \ List Tags`) into lists.\n3. **Retrieval**: Connects to Jamf Protect to retrieve\ + \ the existing prevent lists and identifies the target list by name.\n4. **Validation**:\ + \ Verifies that the `Prevent Type` matches the existing list and validates the\ + \ format of the new indicators based on the selected type.\n5. **Merge**: Merges\ + \ the new indicators and tags with the existing ones, ensuring no duplicates.\n\ + 6. **Update**: Executes a GraphQL mutation to update the prevent list in Jamf\ + \ Protect.\n7. **Result**: Returns the updated prevent list details and sets the\ + \ execution status.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Prevent List Name | string | Yes | The name\ + \ of the prevent list to update. |\n| Prevent List Description | string | No |\ + \ An optional description for the prevent list. |\n| Prevent Type | ddl | Yes\ + \ | The type of indicators being added (e.g., File Hash, Signing Information).\ + \ |\n| Prevent List Data | string | Yes | A comma-separated list of indicators\ + \ to add to the prevent list. |\n| Prevent List Tags | string | No | A comma-separated\ + \ list of tags to associate with the prevent list. |\n\n### Additional Notes\n\ + - The action requires that the `Prevent Type` matches the existing list type;\ + \ it cannot be changed. \n- At least one indicator value must be provided in `Prevent\ + \ List Data`." capabilities: can_create_case_comments: false can_create_insight: false @@ -834,12 +1254,20 @@ Update Protect Prevent List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing prevent list in Jamf Protect by adding new indicators (hashes, - IDs) and tags via a GraphQL mutation. + Updates an existing prevent list in Jamf Protect by adding new indicators and + tags. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing prevent lists from Jamf Protect to identify the + target list (fetches_data=true). It then performs a GraphQL mutation to update + the list in Jamf Protect (can_mutate_external_data=true). It does not modify + internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + a prevent list in Jamf Protect). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -855,67 +1283,97 @@ Update Protect Prevent List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it uses parameters provided in the + action configuration. Wipe Managed Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a remote wipe of a managed device, which is a form of network/device + isolation and containment. This aligns with the 'Contain Host' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Remotely erases or wipes a managed computer using the Jamf Pro ERASE_DEVICE MDM + command. This action is intended for containment scenarios where a device must + be cleared of data. It retrieves the device's management ID from Jamf Pro before + issuing the wipe command. - Remotely erases a managed computer using the Jamf Pro `ERASE_DEVICE` MDM command. - This action is designed for security containment, allowing administrators to wipe - a compromised or lost computer to prevent data exfiltration. It is specifically - intended for computers; for mobile devices, use the 'Wipe Mobile Device' action. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | String | Yes | The unique identifier of the computer to erase - in Jamf Pro. | + | Computer ID | string | Yes | The unique identifier of the computer to erase. + | - | PIN | String | Yes | Optional 6-digit PIN for the erase command. Note: While - marked mandatory in the configuration, it can be left as an empty string if not - required by the target device. | + | PIN | string | Yes | A 6-digit PIN required for the erase command. | - | Obliteration Behavior | DDL | Yes | Defines how the device should be obliterated - during the erase process. Options: Default, DoNotObliterate, ObliterateWithWarning, - Always. | + | Obliteration Behavior | ddl | Yes | Defines how the device is obliterated (Default, + DoNotObliterate, ObliterateWithWarning, Always). | - | Return to Service | Boolean | Yes | Whether to enable 'Return to Service' after - the erase, allowing the device to automatically re-enroll. | + | Return to Service | boolean | Yes | Whether to enable the 'Return to Service' + workflow after the erase. | - | MDM Profile Data | String | No | Base64-encoded MDM profile data for Return - to Service. Required if 'Return to Service' is enabled. | + | MDM Profile Data | string | No | Base64-encoded MDM profile data, required if + 'Return to Service' is enabled. | - | WiFi Profile Data | String | No | Base64-encoded WiFi profile data for Return - to Service. Required if 'Return to Service' is enabled. | + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data, required + if 'Return to Service' is enabled. | ### Additional Notes - - If **Return to Service** is enabled, at least one of **MDM Profile Data** or - **WiFi Profile Data** must be provided, or the action will fail with a validation - error. - - The **PIN**, if provided, must be exactly a 6-digit number. + * If 'Return to Service' is enabled, at least one of 'MDM Profile Data' or 'WiFi + Profile Data' must be provided. ### Flow Description - 1. **Authentication**: Obtains an OAuth access token from the Jamf Pro API. - 2. **Management ID Retrieval**: Fetches the detailed inventory for the specified - `Computer ID` to retrieve its `managementId`. + 1. **Configuration Initialization**: Extracts Jamf Pro API credentials and configuration + settings. + + 2. **Parameter Extraction**: Retrieves the action parameters (Computer ID, PIN, + etc.). - 3. **Validation**: Validates the PIN format and ensures Return to Service requirements - are met. + 3. **Device Information Retrieval**: Calls the Jamf Pro API to fetch the device's + `managementId` using the provided `Computer ID`. - 4. **Command Execution**: Sends a POST request to the Jamf Pro MDM commands endpoint - with the `ERASE_DEVICE` command type and specified parameters. + 4. **Command Execution**: Sends an `ERASE_DEVICE` MDM command to the Jamf Pro + API, including the specified obliteration behavior and return-to-service settings. - 5. **Result Reporting**: Returns the initiation status of the MDM command and - detailed execution metadata. + 5. **Result Reporting**: Logs the outcome of the command initiation and adds the + result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -924,12 +1382,22 @@ Wipe Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro, which remotely wipes all - data from the target managed computer. + Initiates an ERASE_DEVICE MDM command on the target computer via the Jamf Pro + API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (management ID) from Jamf Pro to perform + the operation (fetches_data=true). It then sends a POST request to Jamf Pro + to initiate a device wipe, which is a state-changing operation on the external + system (can_mutate_external_data=true). It does not modify internal SOAR case + data or entities. categories: enrichment: false + reasoning: >- + The action is a containment action designed to wipe a device. It does not meet + the criteria for an enrichment action as it performs a destructive mutation + on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -945,72 +1413,96 @@ Wipe Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + accepts a `Computer ID` as a direct input parameter. Wipe Mobile Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a remote wipe of a mobile device, which is a containment + operation. This aligns with the 'Contain Host' category, as it isolates/neutralizes + the device. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Remotely erases or wipes a managed mobile device using the Jamf Pro ERASE_DEVICE - MDM command. This action is primarily used for containment when a device is lost, - stolen, or compromised. It supports advanced configurations such as preserving - eSIM data plans, disabling proximity setup on reboot, and enabling 'Return to - Service' by providing MDM and WiFi profiles. - - - ### Parameters Description - + Remotely erases or wipes a managed mobile device using the Jamf Pro MDM ERASE_DEVICE + command. This action is designed for containment scenarios where a device needs + to be cleared of data. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Mobile Device ID | string | Yes | The unique identifier of the mobile device - in Jamf Pro to be erased. | + 1. The action initializes the JamfManager using the provided API credentials and + configuration. - | Preserve Data Plan | boolean | No | If set to true, preserves the data plan - on devices with eSIM functionality (iOS 11+). Default is false. | + 2. It extracts the required action parameters, including the Mobile Device ID + and optional settings like data plan preservation, proximity setup, and return-to-service + configurations. - | Disallow Proximity Setup | boolean | No | If set to true, disables Proximity - Setup on the next reboot and skips the pane in Setup Assistant (iOS 11+). Default - is false. | + 3. It sends an ERASE_DEVICE MDM command to the Jamf Pro API for the specified + device. - | Return to Service | boolean | Yes | Whether to enable the 'Return to Service' - feature, allowing the device to automatically re-enroll after the wipe. Default - is true. | + 4. The action returns the result of the command execution, including status and + command details, to the SOAR platform. - | MDM Profile Data | string | No | Base64-encoded MDM profile data required if - 'Return to Service' is enabled. | - | WiFi Profile Data | string | No | Base64-encoded WiFi profile data required - if 'Return to Service' is enabled to allow the device to connect to the network. - | + ### Parameters - | Bootstrap Token | string | No | Base64-encoded bootstrap token for the device, - used if 'Return to Service' is enabled. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | Mobile Device ID | string | Yes | The unique identifier of the mobile device + to be erased. | - - This action does not run on entities; it requires a specific 'Mobile Device - ID' provided as a parameter. + | Preserve Data Plan | boolean | No | Whether to preserve the data plan on a mobile + device with eSIM functionality. | - - If 'Return to Service' is enabled, it is highly recommended to provide at least - one profile (MDM or WiFi) to ensure the device can successfully re-enroll. + | Disallow Proximity Setup | boolean | No | Whether to disable Proximity Setup + on the next reboot. | + | Return to Service | boolean | Yes | Whether to enable return to service after + erase. | - ### Flow Description + | MDM Profile Data | string | No | Base64-encoded MDM profile data for return + to service. | - 1. **Authentication**: The action authenticates with the Jamf Pro API using OAuth2 - client credentials. + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data for return + to service. | - 2. **Device Lookup**: It retrieves the specific management ID for the mobile device - using the provided 'Mobile Device ID'. + | Bootstrap Token | string | No | Base64-encoded bootstrap token for the device. + | - 3. **Command Construction**: It builds an ERASE_DEVICE MDM command payload, incorporating - optional flags for data plans and setup behavior. - 4. **Execution**: The action sends a POST request to the Jamf Pro MDM commands - endpoint to initiate the wipe. + ### Additional Notes - 5. **Result Reporting**: It returns a JSON object containing the API response - from Jamf and the details of the command initiated. + - The 'Return to Service' parameter is mandatory. If enabled, ensure that the + necessary profile data (MDM or WiFi) is provided if required by the device configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -1019,12 +1511,19 @@ Wipe Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro, which remotely wipes all - data and settings from the target mobile device. - fetches_data: true + Sends an ERASE_DEVICE MDM command to the Jamf Pro API, which triggers a remote + wipe of the specified mobile device. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (wiping a device) via an external + API (Jamf Pro). It does not fetch data for enrichment, nor does it modify internal + SOAR entities or case data. It is a pure containment/remediation action. categories: enrichment: false + reasoning: >- + The action does not fetch data for enrichment and performs a destructive external + mutation (wiping a device). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1040,3 +1539,6 @@ Wipe Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific 'Mobile Device ID' provided as an input parameter. + It does not iterate over or process 'siemplify.target_entities'. diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9eeca3e53 --- /dev/null +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: true + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Jamf integration provides comprehensive device management and endpoint security + capabilities. It qualifies for 'Asset Inventory' because it includes multiple + actions (e.g., 'Get Computer Inventory', 'Get Mobile Device Inventory', 'Get Device + Information') to retrieve detailed asset metadata. It qualifies for 'EDR' because + it provides endpoint security features, including containment actions like 'Remote + Lock' and 'Wipe' for both computers and mobile devices, which aligns with EDR + containment capabilities. It qualifies for 'Network Security' because the 'Update + Protect Prevent List' action allows for the blocking of malicious indicators (hashes, + domains, IPs), which aligns with the category's goal of blocking malicious traffic/indicators. + It does not fit 'SIEM' (no log searching), 'IAM' (no user account management), + or other categories like 'ITSM' or 'Vulnerability Management'. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml index 96a1130a5..d7a112652 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml @@ -1,54 +1,48 @@ Check Job Status: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action performs a GET request to retrieve the status of a job from the NetApp + Ransomware Resilience service. This aligns with the 'Get Alert Information' + category as it fetches status information from the 3rd party product. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Check Job Status** action is designed to retrieve the current status of - an asynchronous task previously initiated within the NetApp Ransomware Resilience - Service (RRS). This action is essential for workflows that involve long-running - operations, such as volume snapshots or taking volumes offline, allowing the SOAR - platform to poll for completion before proceeding to subsequent steps. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Source** | String | Yes | The identifier for the source system (e.g., "rps-agent"). + Checks the status of an asynchronous job in the NetApp Ransomware Resilience service. + This action queries the RRS API to retrieve the current status of a specific job, + providing visibility into the progress of operations initiated within the service.\n\n### + Flow\n1. Initialize the `ApiManager` to handle authentication and API communication.\n2. + Extract the `Source`, `Agent ID`, and `Job ID` from the action parameters.\n3. + Perform a `GET` request to the RRS API to fetch the job status.\n4. Return the + job status JSON as the action result.\n\n### Parameters\n| Parameter | Type | + Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Source | string | + Yes | Source string (e.g., rps-agent). |\n| Agent ID | string | Yes | Console + Agent ID. |\n| Job ID | string | Yes | Job ID for which status to be fetched. | - - | **Agent ID** | String | Yes | The unique identifier for the Console Agent associated - with the job. | - - | **Job ID** | String | Yes | The specific identifier of the job whose status - is being queried. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `Source`, `Agent ID`, and - `Job ID` from the user-provided inputs. - - 2. **Authentication:** It utilizes the `ApiManager` to ensure a valid OAuth2 token - is available for communication with the NetApp BlueXP API. - - 3. **API Request:** A GET request is dispatched to the RRS job status endpoint, - passing the provided identifiers as query parameters. - - 4. **Result Processing:** The API response, containing the job's current state - and details, is captured and attached to the action's JSON result. - - 5. **Completion:** The action concludes by reporting whether the status retrieval - was successful. - - - ### Additional Notes - - * This action does not operate on SOAR entities; it relies entirely on the provided - input parameters. - - * It is a read-only operation and does not modify any data in the NetApp environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +53,16 @@ Check Job Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to fetch job status information from the NetApp + Ransomware Resilience API. It does not mutate any external or internal data, + nor does it update entities, create insights, or modify alert data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches job status information from an external service. It does + not enrich entities or alerts, nor does it modify any internal or external state. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,48 +78,52 @@ Check Job Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It extracts parameters directly from the action configuration. + Therefore, it does not run on any entity types. Enrich IP Address: - ai_description: >- - ### General Description - - Enriches a specific IP address with threat intelligence data from the NetApp Ransomware - Resilience Service (RRS). This action allows users to retrieve contextual information - about an IP to assist in security investigations and ransomware impact analysis. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Address | String | Yes | The specific IP address that needs to be enriched - with threat intelligence data. | - - - ### Additional Notes - - This action does not automatically iterate over entities in the Google SecOps - case. It requires the IP address to be provided explicitly as a parameter, which - can be mapped from an entity or a previous action's output. - - - ### Flow Description - - 1. **Initialization**: The action initializes the API manager and handles OAuth2 - authentication with the NetApp service using stored credentials. - - 2. **Parameter Extraction**: The target IP address is extracted from the action's - input parameters. - - 3. **External API Call**: The action sends a POST request to the NetApp RRS enrichment - endpoint (`enrich/ip-address`) containing the IP address. - - 4. **Data Processing**: The retrieved threat intelligence data is received from - the external service. - - 5. **Output**: The enrichment data is attached as a JSON result to the action, - and the action completes with a success message. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence data for a provided IP address from + the NetApp Ransomware Resilience Service. This matches the 'Enrich IOC' category. + It does not perform any state-changing operations on external systems or internal + entities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "General description: Enriches an IP address with threat intelligence\ + \ data using the NetApp Ransomware Resilience Service (RRS). \n\n### Parameters\ + \ description\n| Parameter | Type | Mandatory | Description |\n| --- | --- | ---\ + \ | --- |\n| IP Address | string | Yes | The IP address to be enriched. |\n\n\ + ### Flow description\n1. Initialize `ApiManager` with credentials.\n2. Extract\ + \ `IP Address` from action parameters.\n3. Call the RRS API `enrich/ip-address`\ + \ endpoint to retrieve threat intelligence.\n4. Add the retrieved JSON data to\ + \ the action result.\n5. End the action with a success or failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -128,8 +134,15 @@ Enrich IP Address: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external API (`enrich_ip`). It does not mutate + external data (it's a GET/POST-for-read operation). It does not mutate internal + data (no `update_entities`, `add_insight`, etc.). categories: enrichment: true + reasoning: >- + The action fetches data from an external service (RRS) and does not mutate any + external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,49 +158,80 @@ Enrich IP Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code extracts the IP address directly from the action parameters (`siemplify.extract_action_param("IP + Address")`) rather than iterating over `siemplify.target_entities`. Therefore, + it does not process any specific entity types from the SOAR entity model. Enrich Storage: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (volume information) for a storage + resource, which aligns with the 'Enrich Asset' category. It does not perform + IOC enrichment, alert updates, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed volume and storage information for a specific agent and system - from the NetApp Ransomware Resilience Service (RRS). This action is used to gather - context about the storage environment during an investigation, providing metadata - that can help identify the scope of potential ransomware impact. + This action retrieves storage volume information from the NetApp Ransomware Resilience + Service (RRS). It is designed to provide contextual data about storage systems + to assist in security investigations. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the `ApiManager` using the configured + integration credentials (Client ID, Client Secret, Account ID). - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the mandatory `Agent ID` and `System + ID` from the action parameters. - | Agent ID | String | Yes | The unique identifier for the Console Agent associated - with the storage system. | + 3. **Data Retrieval**: The action performs a GET request to the RRS API endpoint + (`enrich/storage`) using the provided IDs to fetch storage enrichment data. - | System ID | String | Yes | The unique identifier for the Storage System to be - enriched. | + 4. **Output**: The retrieved storage information is added to the action's result + JSON, and the action completes with a success status. - ### Flow Description + ### Parameters - 1. **Parameter Extraction**: The action extracts the mandatory `Agent ID` and - `System ID` from the input parameters. + | Parameter | Type | Mandatory | Description | - 2. **Authentication**: The `ApiManager` initializes and handles OAuth2 authentication - with the NetApp BlueXP service to obtain a valid bearer token. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: The action performs a GET request to the RRS enrichment - endpoint (`enrich/storage`) using the provided IDs as query parameters. + | Agent ID | string | Yes | The Console Agent ID associated with the storage system. + | - 4. **Result Processing**: The retrieved storage metadata is parsed and attached - to the action's output as a JSON result for use in subsequent playbook logic. + | System ID | string | Yes | The Storage System ID to be enriched. | ### Additional Notes - This action does not operate on SecOps entities (like IP or Hostname). It requires - specific identifiers provided directly as action parameters. If the API call fails, - the action will return a failed status and an empty result list. + This action does not operate on specific SOAR entities (e.g., IP, Hash). It is + a utility action that fetches data based on provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,8 +242,17 @@ Enrich Storage: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (RRS) to retrieve storage + information. It does not modify any external systems (no POST/PUT/DELETE for + state changes) and does not modify internal SOAR data (entities, insights, or + comments). categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not operate on entities (e.g., IP, Hostname) + as required by the definition of an Enrichment Action in this context. It is + a standalone data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -215,53 +268,65 @@ Enrich Storage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on SOAR entities. It relies entirely on action parameters provided by the user. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the NetApp Ransomware Resilience - Service. This action ensures that the integration is correctly configured and - that the service is reachable using the provided credentials. - - - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the following - global integration configuration parameters: - - * **Client ID**: The OAuth client ID used for authentication. - - * **Client Secret**: The OAuth client secret used for authentication. + Tests connectivity to the NetApp Ransomware Resilience Service (RRS). This action + validates the authentication token against the RRS API to verify that the integration + is properly configured and the server is reachable. - * **Account ID**: The NetApp account identifier. - * **Verify SSL**: A boolean flag to enable or disable SSL certificate validation - for API requests. - - - ### Additional Notes - - This action is primarily used for troubleshooting and verifying the initial setup - of the NetApp Ransomware Resilience integration. It does not process any entities. + ### Flow Description + 1. Initialize the `SiemplifyAction` and `ApiManager`. - ### Flow Description + 2. The `ApiManager` checks the validity of the current OAuth token. - 1. **Initialization**: The action initializes the API manager and retrieves the - integration's global configuration parameters. + 3. If the token is expired or missing, the `ApiManager` attempts to refresh the + token via the OAuth endpoint. - 2. **Authentication Check**: It checks if a valid OAuth token already exists in - the encrypted credential storage. + 4. The action logs the connection status and returns a success or failure message + to the SOAR platform. - 3. **Token Generation**: If no valid token is found or if the existing token is - expired, it sends a POST request to the NetApp Auth0 endpoint to generate a new - access token. - 4. **Validation**: It verifies the token's validity to ensure the service is reachable - and the credentials are correct. + ### Parameters Description - 5. **Completion**: Returns a success status if authentication succeeds, or a failure - status with a descriptive error message if any step fails. + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -270,10 +335,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test. It does not fetch contextual data about + alerts or entities, nor does it mutate external or internal systems. It only + validates authentication credentials. categories: enrichment: false + reasoning: >- + The action is named "Ping" and performs a connectivity test. Per the instructions, + "Actions named Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -289,14 +361,47 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Take Snapshot: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a snapshot creation on an external storage system. This + does not fit into the provided categories (Enrichment, Containment, Ticketing, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Triggers the creation of a volume snapshot using the NetApp Ransomware Resilience - Service (RRS). This action is designed to create a point-in-time recovery point - for a specific storage volume, serving as a critical defensive measure in ransomware - mitigation and data protection workflows. + Triggers a volume snapshot creation via the NetApp Ransomware Resilience Service. + This action initiates a snapshot request on the storage system using the provided + volume, agent, and system identifiers. ### Parameters Description @@ -305,32 +410,25 @@ Take Snapshot: | :--- | :--- | :--- | :--- | - | Volume ID | String | Yes | The unique identifier of the volume for which the - snapshot will be created. | + | Volume ID | string | Yes | The ID of the volume to snapshot. | - | Agent ID | String | Yes | The console agent ID associated with the NetApp storage - environment. | + | Agent ID | string | Yes | The console agent ID. | - | System ID | String | Yes | The identifier of the storage system where the target - volume resides. | + | System ID | string | Yes | The storage system ID. | ### Flow Description - 1. **Initialization**: The action initializes the `ApiManager`, which handles - OAuth2 authentication and token management for the NetApp RRS API. - - 2. **Parameter Extraction**: It retrieves the `Volume ID`, `Agent ID`, and `System - ID` from the action input parameters. + 1. Initialize the `SiemplifyAction` and extract the required parameters: `Volume + ID`, `Agent ID`, and `System ID`. - 3. **API Execution**: The action sends a POST request to the `storage/take-snapshot` - endpoint of the Ransomware Resilience Service. + 2. Initialize the `ApiManager` to handle authentication and API communication + with the NetApp Ransomware Resilience Service. - 4. **Result Processing**: It captures the API response, which typically includes - job or snapshot details, and attaches it as a JSON result to the action. + 3. Execute the `take_snapshot` API call (POST request) using the provided parameters. - 5. **Completion**: The action reports a successful status if the snapshot creation - was triggered or a failure status if an API or connection error occurred. + 4. Return the result of the snapshot creation as a JSON object and terminate the + action with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -339,12 +437,18 @@ Take Snapshot: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new volume snapshot in the NetApp storage system via the Ransomware - Resilience Service API, which is a state-changing operation on the storage infrastructure. + Triggers a volume snapshot creation on the NetApp Ransomware Resilience Service. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to trigger a snapshot + creation. It does not fetch contextual data for enrichment, nor does it modify + internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a snapshot) and does not perform enrichment + or data retrieval. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -360,55 +464,86 @@ Take Snapshot: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided in the action configuration (Volume ID, + Agent ID, System ID) and does not operate on target_entities. Volume Offline: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action takes a volume offline, which is a containment/remediation action. + It does not match enrichment, ticket creation, or alert updates. It is most + similar to 'Contain Host' as it isolates a resource (volume) from the network/system. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Volume Offline** action is designed to programmatically take a specific - storage volume offline within the NetApp Ransomware Resilience Service (RRS). - This is a remediation action typically used to isolate potentially compromised - storage volumes to prevent the spread of ransomware or further data exfiltration. + This action takes a storage volume offline using the NetApp Ransomware Resilience + Service (RRS). It is designed to be used as a containment or remediation step + to prevent further data access or potential ransomware spread on a specific storage + volume. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the `Volume ID`, `Agent ID`, + and `System ID` from the provided action parameters. - | :--- | :--- | :--- | :--- | + 2. **Authentication**: The `ApiManager` initializes and ensures a valid OAuth + token is available, refreshing it if necessary using the configured credentials. - | **Volume ID** | String | Yes | The unique identifier of the storage volume to - be taken offline. | + 3. **API Execution**: The action sends a POST request to the NetApp RRS API endpoint + (`storage/take-volume-offline`) with the provided identifiers. - | **Agent ID** | String | Yes | The Console Agent ID associated with the NetApp - environment. | + 4. **Result Reporting**: The API response is captured and added to the action's + result JSON, and the action terminates with a success or failure status. - | **System ID** | String | Yes | The identifier of the storage system where the - volume is located. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: The action initializes the `ApiManager`, which manages - OAuth2 token generation and encrypted storage for communication with the NetApp - BlueXP API. + | :--- | :--- | :--- | :--- | - 2. **Input Retrieval**: The action extracts the `Volume ID`, `Agent ID`, and `System - ID` from the action parameters. + | Volume ID | string | Yes | The unique identifier of the storage volume to take + offline. | - 3. **External Request**: It performs a POST request to the NetApp RRS endpoint - (`storage/take-volume-offline`) using the extracted identifiers. + | Agent ID | string | Yes | The identifier of the console agent managing the storage + system. | - 4. **Outcome Handling**: If the request is successful, the action returns a success - message and the raw JSON response. If the API returns an error or a connection - issue occurs, it catches the exception, logs the error, and marks the action as - failed. + | System ID | string | Yes | The identifier of the storage system. | ### Additional Notes - This action does not automatically process entities from the Google SecOps case. - It relies entirely on the provided parameter inputs, which must be mapped from - alert data or previous playbook steps. + This action performs a state-changing operation on an external system. Ensure + that the provided credentials have the necessary permissions to modify storage + volume states. capabilities: can_create_case_comments: false can_create_insight: false @@ -417,12 +552,20 @@ Volume Offline: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the operational state of a storage volume in the NetApp - environment by taking it offline. + Sends a POST request to the NetApp Ransomware Resilience Service to take a specific + storage volume offline. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to change the state of + a storage volume (take it offline). It does not fetch contextual data for enrichment, + nor does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a command/control action (taking a volume offline). It does not + fetch data for enrichment, nor does it perform any of the allowed internal mutations + (insights, comments, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -438,3 +581,6 @@ Volume Offline: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities`. It relies entirely + on parameters provided in the action configuration. diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..c8334cc29 --- /dev/null +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration provides threat intelligence enrichment for IP addresses via the + 'Enrich IP Address' action, which aligns with the Threat Intelligence category. + Additionally, the 'Enrich Storage' action retrieves contextual metadata about + storage volumes, fitting the Asset Inventory category. While the integration includes + remediation actions like 'Volume Offline' and 'Take Snapshot', these are storage-specific + containment and protection actions and do not align with the definitions for EDR + (host-level), Network Security (gateway-level), or other categories. The integration + does not perform SIEM log analysis, email security, IAM management, ITSM ticketing, + vulnerability management, or collaboration tasks. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml index de8f0752f..7bc4a485a 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml @@ -1,56 +1,80 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + product-specific operations like enriching IOCs, updating tickets, or containing + hosts. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action is designed to verify the connectivity between Google SecOps and the - Netenrich Resolution Intelligence Cloud. It serves as a diagnostic tool to ensure - that the integration is correctly configured and that the external API endpoint - is reachable using the provided credentials. + Verifies connectivity to the Resolution Intelligence Cloud API by sending a POST + request to the configured webhook URL. This action is used to ensure the integration + is properly configured and the API endpoint is reachable. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | RI Inbound Webhook URL | String | Yes | (Configuration Parameter) The base URL - for the Netenrich inbound webhook. It must include a `{token}` placeholder which - is dynamically replaced during execution. | + | RI Inbound Webhook URL | String | Yes | The webhook URL for the Resolution Intelligence + Cloud API. | - | Token | String | Yes | (Configuration Parameter) The authentication token required - to authorize the request to the Netenrich service. | + | Token | String | Yes | The authentication token to be injected into the webhook + URL. | - | Verify SSL | Boolean | No | (Configuration Parameter) Determines whether the - action should verify the SSL certificate of the target server. Defaults to `True`. - | + | Verify SSL | Boolean | No | Whether to verify SSL certificates during the request. + Defaults to True. | ### Additional Notes - * This action does not take any input parameters directly; it relies entirely - on the integration's configuration settings. - - * A successful connection is identified if the external service returns an HTTP - status code of 200 or 400. + The action requires the `RI Inbound Webhook URL` and `Token` parameters to be + configured for the request to be constructed and sent successfully. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the `RI Inbound Webhook URL`, - `Token`, and `Verify SSL` settings from the integration configuration. + 1. Extract configuration parameters: `RI Inbound Webhook URL`, `Token`, and `Verify + SSL`. - 2. **URL Construction:** It replaces the `{token}` placeholder in the webhook - URL with the actual authentication token. + 2. Construct the target URL by replacing the `{token}` placeholder in the webhook + URL with the provided token. - 3. **Connectivity Test:** It performs an HTTP POST request with an empty JSON - body to the constructed URL. + 3. Execute a POST request to the constructed URL. - 4. **Response Validation:** The action evaluates the HTTP response status code. - If the code is 200 or 400, the connection is considered successful. + 4. Evaluate the HTTP response status code. - 5. **Result Reporting:** It outputs a success message if reachable, or a failure - message with the specific error or status code if the connection fails. + 5. If the status code is 200 or 400, the action concludes as successful. Otherwise, + it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,8 +85,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) via a POST request. It does + not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' It also does not fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -78,3 +108,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..38606e599 --- /dev/null +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The netenrich_connect integration is primarily designed to synchronize case data, + comments, attachments, and status updates between the Netenrich Resolution Intelligence + Cloud and Google SecOps (SOAR). Its core functionality revolves around maintaining + consistency in case management and ticket lifecycle across platforms. This aligns + directly with the ITSM category, which focuses on documenting investigations and + managing tasks. The integration does not perform SIEM log analysis, EDR host containment, + threat intelligence enrichment, or other specialized security domain functions + like cloud security or identity management. Therefore, it is classified as ITSM. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..8f4c11e40 --- /dev/null +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,91 @@ +Sync ActOn Updates To Case: + ai_description: >- + ### General Description + + This job synchronizes case information from Resolution Intelligence Cloud (RIC) + to Google SecOps (SOAR). It acts as a bridge to ensure that case details, such + as descriptions, titles, priorities, assignees, and statuses, remain consistent + across both platforms. Additionally, it handles the synchronization of comments, + attachments, and entities, while updating custom entity properties with relevant + scoring evidence and alert data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | CREATE | JSON String | No | Payload containing data for creating a new case. + | + + | UPDATE | JSON String | No | Payload containing data for updating an existing + case. | + + | COMMENT | JSON String | No | Payload containing data for adding a comment to + a case. | + + + ### Flow Description + + 1. Parses the incoming payload to determine the action type (CREATE, UPDATE, or + COMMENT). + + 2. Retrieves or creates the corresponding case in Google SecOps based on the provided + ticket ID. + + 3. If the action is a COMMENT, it adds the comment and any attachments to the + case and exits. + + 4. For CREATE or UPDATE actions, it synchronizes case metadata including description, + title, priority, assignee, stage, and status. + + 5. Updates custom entity properties with scoring evidence, alert data, and service + information. + + 6. Synchronizes new entities into the case. + + 7. If a new case is created, it posts a confirmation message back to the Resolution + Intelligence Cloud inbound webhook. +Sync Case Updates To ActOn: + ai_description: >- + ### General Description + + This job synchronizes case updates from Google SecOps SOAR to the Netenrich Resolution + Intelligence Cloud (ActOn). It periodically monitors case wall activities, processes + relevant comments and attachments, and pushes these updates to the external platform + via a webhook to ensure data consistency between the two systems. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | RI Inbound Webhook URL | String | Yes | The URL endpoint for the Resolution + Intelligence Cloud inbound webhook. | + + | Token | String | Yes | The authentication token required for the webhook. | + + | Environment | String | Yes | The specific environment name to filter cases for + synchronization. | + + + ### Flow Description + + 1. Retrieves the `last_sync_time` from the job context. + + 2. Queries Google SecOps for cases updated since the last sync interval. + + 3. Filters cases based on the configured environment. + + 4. For each case, fetches wall activities and filters for relevant updates (e.g., + manual comments, assignee changes). + + 5. Transforms case data and activities into the required payload format, including + attachments and tags. + + 6. Sends the payload to the Resolution Intelligence Cloud via the configured webhook. + + 7. Updates the `last_sync_time` in the job context for the next run. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml index c851bd4b7..f635b7f19 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml @@ -1,49 +1,70 @@ Add Comment To Alert: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a comment to an alert in the external Orca Security system. + This directly aligns with the 'Add Alert Comment' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action allows users to add a comment to a specific alert within the Orca - Security platform. It is primarily used for documentation and collaboration purposes, - ensuring that analysts can record findings or notes directly on the source alert - in Orca Security from within Google SecOps. + Adds a comment to a specific alert in the Orca Security platform. This action + allows analysts to append notes or automated log entries directly to an alert + within the external system. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | String | True | The unique identifier of the alert in Orca Security - to which the comment will be added. | + | Alert ID | string | Yes | The unique identifier of the alert to which the comment + should be added. | - | Comment | String | True | The actual text content of the comment to be posted - to the alert. | - - - ### Additional Notes - - - This action requires either an **API Key** or an **API Token** to be configured - in the integration settings for authentication. - - - The action performs an external state change by modifying the alert metadata - in Orca Security. + | Comment | string | Yes | The text content of the comment to be added. | ### Flow Description - 1. **Authentication**: The action initializes the `OrcaSecurityManager` using - the provided API Root and credentials (API Key or Token). + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Root, API Key/Token) and SSL verification settings from the integration configuration. + + 2. **Parameter Extraction**: The action extracts the `Alert ID` and `Comment` + provided by the user. - 2. **Parameter Extraction**: It retrieves the `Alert ID` and the `Comment` text - from the action's input parameters. + 3. **Manager Initialization**: An `OrcaSecurityManager` instance is initialized + with the provided credentials. - 3. **API Interaction**: The manager executes a `PUT` request to the Orca Security - endpoint `/api/alerts/{alert_id}/comment` with the comment payload. + 4. **API Interaction**: The action calls the `add_alert_comment` method, which + sends a `PUT` request to the Orca Security API to append the specified comment + to the target alert. - 4. **Result Processing**: The action parses the response into an `AlertComment` - object and attaches the raw JSON result to the action output for use in subsequent - playbook steps. + 5. **Result Handling**: The action returns the result of the operation, including + the created comment object, and logs the status of the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -52,12 +73,18 @@ Add Comment To Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action adds a new comment to an existing alert in the Orca Security platform - via a PUT request to the API. + Adds a comment to an alert in the Orca Security platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (Orca Security) to add + a comment to an alert. It does not fetch data, nor does it modify internal SOAR + data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (adds a comment) and does not fetch data, so + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -73,81 +100,97 @@ Add Comment To Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an `Alert ID` as a direct + input parameter and does not reference `siemplify.target_entities`. Get Asset Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (asset details, vulnerabilities) for + assets, which directly matches the 'Enrich Asset' category. It does not perform + IOC enrichment, alert updates, or other containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Asset Details** action retrieves comprehensive information for specific - assets within Orca Security using their unique Asset IDs. It provides metadata - such as asset name, type, account, category, and current security state. Additionally, - the action can be configured to fetch associated vulnerabilities (CVEs) for each - asset, filtered by a minimum severity threshold. The retrieved data is presented - as a raw JSON result, a structured data table, and optionally as individual Case - Insights for each asset. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + Retrieves detailed information about assets from Orca Security. This action fetches + asset metadata and, optionally, related vulnerability information based on specified + severity thresholds. It provides visibility into asset risk and configuration, + optionally generating case insights for the enriched assets. - | :--- | :--- | :--- | :--- | - | **Asset IDs** | String | Yes | A comma-separated list of unique Orca Security - asset identifiers to be queried. | + ### Flow Description - | **Return Vulnerabilities Information** | Boolean | No | If enabled (True), the - action will also retrieve vulnerability data linked to the specified assets. Default - is True. | + 1. **Initialization**: Extracts configuration parameters (API credentials, URL) + and action parameters (Asset IDs, vulnerability settings). - | **Lowest Severity For Vulnerabilities** | DDL | Yes | The minimum severity level - required for a vulnerability to be included in the results. Options include: Critical, - High, Medium, Low, Unknown. Default is 'Hazardous'. | + 2. **Asset Retrieval**: Iterates through the provided list of Asset IDs and queries + the Orca Security API for detailed asset information. - | **Max Vulnerabilities To Fetch** | String | No | The maximum number of vulnerabilities - to return per asset. Must be a positive integer between 1 and 100. Default is - 50. | + 3. **Vulnerability Enrichment**: If enabled, fetches vulnerability details for + each asset, filtered by the specified minimum severity and result limit. - | **Create Insight** | Boolean | No | If enabled (True), the action will generate - a Case Insight in Google SecOps for every successfully enriched asset, including - a direct link to the asset in the Orca UI. Default is True. | + 4. **Insight Generation**: If enabled, creates a case insight for each successfully + enriched asset, containing key asset details and a link to the asset in the Orca + Security UI. + 5. **Output**: Adds the collected asset and vulnerability data to the action results + as a JSON object and a data table. - ### Additional Notes - - This action does not process entities from the current case scope; it relies - entirely on the provided **Asset IDs** parameter. - - - The **Max Vulnerabilities To Fetch** parameter is capped at 100 to ensure performance - and API stability. + ### Parameters Description - - Authentication requires either an **API Key** or an **API Token** to be configured - in the integration settings. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Asset IDs | String | Yes | A comma-separated list of asset IDs to retrieve details + for. | - 1. **Parameter Validation**: The action extracts and validates input parameters, - ensuring the vulnerability limit is within the allowed range (1-100). + | Return Vulnerabilities Information | Boolean | No | If enabled, the action will + fetch and include vulnerabilities related to the asset. | - 2. **Manager Initialization**: Initializes the `OrcaSecurityManager` using the - provided API credentials and connection settings. + | Lowest Severity For Vulnerabilities | String | Yes | The minimum severity level + (e.g., Critical, High, Medium, Low, Unknown) for vulnerabilities to be included. + | - 3. **Asset Retrieval**: Iterates through the list of provided Asset IDs and performs - a query to the Orca Security API to fetch asset metadata. + | Max Vulnerabilities To Fetch | String | No | The maximum number of vulnerabilities + to return per asset (Default: 50, Max: 100). | - 4. **Vulnerability Enrichment (Optional)**: If enabled, it performs a secondary - query for each asset to retrieve vulnerabilities that meet the specified severity - criteria. + | Create Insight | Boolean | No | If enabled, creates a case insight for every + successfully enriched asset. | - 5. **Data Formatting**: Aggregates the asset and vulnerability data into JSON - and CSV formats for output. - 6. **Insight Generation (Optional)**: If enabled, creates a Case Insight for each - asset, providing a summary of its security posture and a link to the Orca Security - console. + ### Additional Notes - 7. **Final Output**: Adds the aggregated JSON results and a summary data table - to the action's output and completes the execution. + - The action does not operate on entities directly from the case; it relies on + the 'Asset IDs' parameter provided by the user. capabilities: can_create_case_comments: false can_create_insight: true @@ -158,10 +201,17 @@ Get Asset Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights and adds a data table to the Google SecOps - case to display retrieved asset information. + Creates case insights for enriched assets. + reasoning: >- + The action fetches asset and vulnerability data from the Orca Security API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + creates case insights within Google SecOps (can_mutate_internal_data=true, can_create_insight=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) to provide context + (enrichment). It does not mutate external systems. It performs allowed internal + mutations (creating insights). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -177,55 +227,80 @@ Get Asset Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Asset IDs' as a string parameter provided by the user. It + does not iterate over or filter the 'target_entities' list provided by the SOAR + platform. Get Compliance Info: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves compliance framework information from Orca Security. It + does not match the expected outcomes for IOC enrichment, asset enrichment, alert + management, or any other specific category provided. It is a general information + retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Compliance Info** action retrieves detailed compliance framework information - from Orca Security. It allows security analysts to monitor the compliance posture - of their cloud environment by fetching data such as average scores, test results - (pass/fail counts), and the active status of specific or all selected frameworks. + Retrieves compliance framework information from Orca Security. This action allows + users to query specific compliance frameworks or retrieve a list of all available + frameworks, optionally creating a case insight to display the findings within + the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Framework Names** | String | No | A comma-separated list of framework names - (e.g., 'CIS AWS Foundations', 'SOC2') to retrieve. If left empty, the action returns - information for all selected frameworks in the Orca Security account. | + | Framework Names | string | No | Comma-separated list of framework names to retrieve. + If empty, returns information about all selected frameworks. | - | **Create Insight** | Boolean | Yes | If enabled (default: true), the action - creates a Case Insight in Google SecOps containing a formatted summary of the - compliance data. | + | Create Insight | boolean | Yes | If enabled, creates a case insight containing + the compliance information. | - | **Max Frameworks To Return** | Integer | No | Specifies the maximum number of - frameworks to include in the results. Default is 50. | + | Max Frameworks To Return | string | No | The maximum number of frameworks to + return. Defaults to 50. | ### Flow Description - 1. **Initialization:** The action extracts API credentials from the integration - configuration and user-provided parameters (Framework Names, Insight toggle, and - Limit). + 1. **Initialization**: Extracts configuration parameters (API Root, Key, Token, + SSL) and action parameters. - 2. **API Query:** The action connects to the Orca Security API and sends a POST - request to the `/api/serving-layer/compliance/frameworks/overview` endpoint. If - specific framework names were provided, it iterates through them to fetch targeted - data. + 2. **Data Retrieval**: Initializes the `OrcaSecurityManager` and calls the Orca + Security API to fetch compliance framework details based on the provided filters. - 3. **Data Parsing:** The raw JSON response is parsed into framework objects, extracting - key metrics like `avg_score_percent`, `test_results_fail`, and `test_results_pass`. + 3. **Insight Generation**: If `Create Insight` is enabled, generates a case insight + containing the retrieved compliance data. - 4. **Insight Creation:** If the 'Create Insight' parameter is true, the action - generates an HTML-formatted insight with color-coded scores and attaches it to - the case. - - 5. **Result Output:** The action populates a data table named 'Compliance Details' - and adds the raw framework data to the action's JSON results for use in subsequent - playbook steps. + 4. **Output**: Adds the compliance details to a data table and returns the results + in JSON format. capabilities: can_create_case_comments: false can_create_insight: true @@ -236,10 +311,18 @@ Get Compliance Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a case insight containing compliance information and adds - a data table to the case results. + Creates a case insight containing compliance information. + reasoning: >- + The action fetches compliance data from the Orca Security API (fetches_data=true). + It does not perform any operations that change the state of the external system + (can_mutate_external_data=false). It creates a case insight within the SOAR + platform (can_create_insight=true), which constitutes an internal mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) and does not + mutate external systems. It creates a case insight, which is an allowed internal + mutation for enrichment actions. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -255,64 +338,96 @@ Get Compliance Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SOAR platform. + It operates globally based on the provided parameters. Get Vulnerability Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves vulnerability details (CVEs) and associated asset information + from Orca Security. This aligns with 'Enrich IOC' (as CVEs are indicators of + vulnerability) and 'Enrich Asset' (as it returns asset metadata). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Vulnerability Details** action retrieves comprehensive information about - specific vulnerabilities (CVEs) from Orca Security. It allows security analysts - to enrich a case with details such as vulnerability summaries, severity levels, - affected assets, and remediation availability. + Retrieves detailed vulnerability information from Orca Security for a specified + list of CVE IDs. This action allows analysts to gather context on vulnerabilities, + including affected assets and severity, and optionally generates case insights + for further investigation. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the provided CVE IDs, output + format preferences, and configuration settings. - | :--- | :--- | :--- | :--- | + 2. **Initialization**: Initializes the Orca Security Manager to establish a connection + with the Orca Security API. - | **CVE IDs** | String | Yes | A comma-separated list of CVE identifiers (e.g., - CVE-2021-44228) to be queried. | + 3. **Data Retrieval**: Iterates through the provided CVE IDs and queries the Orca + Security API to fetch vulnerability details, including affected assets and severity + scores. - | **Fields To Return** | String | No | A comma-separated list of specific fields - to include in the output. If left empty, all available fields are returned. | + 4. **Insight Generation**: If the 'Create Insight' parameter is enabled, the action + generates a case insight for each enriched vulnerability, summarizing the severity + and affected assets. - | **Output** | DDL | No | Determines the output format. Options are `JSON` (default) - or `CSV`. If `CSV` is selected, a file is created and the path is returned. | + 5. **Result Formatting**: Formats the retrieved data into the requested output + format (JSON or CSV) and adds it to the action results, including a data table + for easy viewing. - | **Create Insight** | Boolean | No | If enabled (default), the action creates - a detailed case insight for each successfully retrieved CVE. | - | **Max Assets To Return** | String | No | The maximum number of assets associated - with the CVE to retrieve. Default is 50, maximum is 10,000. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action parses the input CVE IDs and validates the `Max - Assets To Return` parameter. + | CVE IDs | string | Yes | A comma-separated list of CVEs to enrich. | - 2. **API Interaction**: For each CVE ID provided, the action queries the Orca - Security API using a paginated search to retrieve vulnerability and asset data. + | Fields To Return | string | No | A comma-separated list of specific fields to + return in the output. | - 3. **Data Processing**: The retrieved data is filtered based on the `Fields To - Return` parameter and formatted for output. + | Output | ddl | No | The format of the output: 'JSON' or 'CSV'. | - 4. **Insight Generation**: If `Create Insight` is true, the action generates a - formatted HTML insight for the case, highlighting severity, description, and affected - assets. + | Create Insight | boolean | No | If enabled, creates a case insight for every + enriched vulnerability. | - 5. **Final Output**: The results are attached to the case as a JSON object or - a CSV file, and a "Vulnerability Details" data table is added to the case wall. + | Max Assets To Return | string | No | The maximum number of assets related to + the CVE to return (Default: 50, Max: 10000). | ### Additional Notes - - This action does not operate on existing entities in the case; it relies entirely - on the CVE IDs provided in the input parameter. - - - The `Fields To Return` parameter supports flattened JSON keys (e.g., `object_id` - for `{"object": {"id": 123}}`). + - The action does not operate on specific entities from the case; it relies entirely + on the 'CVE IDs' input parameter. capabilities: can_create_case_comments: false can_create_insight: true @@ -323,9 +438,17 @@ Get Vulnerability Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights and adds a 'Vulnerability Details' data table to the case. + Creates case insights for enriched vulnerabilities. + reasoning: >- + The action fetches vulnerability data from an external API (Orca Security). + It does not mutate external systems. It creates internal case insights based + on the retrieved data, which constitutes an internal mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) and creates + insights within the SOAR platform. It does not mutate external systems or perform + unauthorized internal mutations. It qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -341,17 +464,49 @@ Get Vulnerability Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It takes CVE IDs + as a direct input parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, containment, or alert + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the Orca Security API to ensure the integration is configured + correctly. This action validates the provided credentials and API root by performing + a test request to the Orca Security server. - The **Ping** action is used to verify the connectivity between Google SecOps and - the Orca Security instance. It ensures that the provided configuration parameters, - such as the API Root and authentication credentials (API Key or API Token), are - correct and that the service is reachable. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | @@ -359,39 +514,30 @@ Ping: | API Root | String | Yes | The base URL of the Orca Security API. | - | API Key | String | No | The API key for authentication. Required if API Token - is not provided. | - - | API Token | String | No | The API token for authentication. This is the preferred - authentication method. | + | API Key | String | No | The API key for authentication (used if token is not + provided). | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API. | - - - ### Additional Notes - - - Either the **API Key** or the **API Token** must be provided for the action - to authenticate successfully. + | API Token | String | No | The API token for authentication (preferred method). + | - - This action does not process any entities and is strictly used for configuration - validation. + | Verify SSL | Boolean | No | Whether to validate the SSL certificate of the API + root. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API Root, API Key, API Token, - and SSL verification settings from the integration configuration. + 1. The action extracts the configuration parameters (API Root, API Key, API Token, + Verify SSL) from the integration settings. - 2. **Manager Initialization:** An instance of the `OrcaSecurityManager` is created - using the extracted credentials. + 2. It initializes the `OrcaSecurityManager` with the provided credentials and + SSL verification setting. - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which - sends a POST request to the Orca Security vulnerability details endpoint with - a result limit of 1 to verify the API's responsiveness. + 3. The action calls the `test_connectivity` method, which performs a test API + request to the Orca Security server. - 4. **Result Reporting:** Based on the success or failure of the API call, the - action returns a completion or failure status along with a descriptive message. + 4. If the request is successful, the action returns a success message. If the + request fails, it catches the exception and returns a failure message with the + error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -400,10 +546,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making an API call to the Orca Security + server. It does not modify external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being categorized + as an enrichment action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -419,15 +572,46 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Scan Assets: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a scan in Orca Security. This does not match any of the + provided categories (e.g., Enrich IOC, Contain Host, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Scan Assets** action initiates and monitors security scans for specific - assets within the Orca Security platform. This action is designed to run asynchronously, - meaning it triggers the scans and then periodically polls the Orca Security API - to check for completion. It is useful for ensuring that assets are scanned for - vulnerabilities or compliance issues as part of an automated response workflow. + This action triggers a security scan for specified assets in Orca Security. It + is designed to run asynchronously, allowing the action to initiate scans and poll + for their completion status over multiple runs. ### Parameters Description @@ -436,40 +620,31 @@ Scan Assets: | :--- | :--- | :--- | :--- | - | Asset IDs | String | Yes | A comma-separated list of unique Orca Security asset - identifiers that you want to scan. | - + | Asset IDs | string | Yes | A comma-separated list of asset IDs for which you + want to initiate a scan. | - ### Flow Description - 1. **Initialization**: The action extracts the comma-separated list of Asset IDs - from the input parameters and initializes the Orca Security manager. + ### Additional Notes - 2. **Scan Initiation (First Run)**: For each provided Asset ID, the action sends - a POST request to the Orca Security API to start a new scan. If a scan is already - in progress for an asset, the action captures the existing scan's ID. + This action is asynchronous. Please adjust the script timeout value in the Siemplify + IDE as needed to accommodate the time required for the scans to complete. - 3. **Asynchronous Polling**: The action enters an 'In Progress' state, storing - the scan identifiers. In subsequent execution cycles, it polls the status of each - pending scan. - 4. **Timeout Monitoring**: During polling, the script checks if it is approaching - the global SOAR timeout or the Python process timeout to ensure a graceful exit - and state preservation. + ### Flow Description - 5. **Data Retrieval and Completion**: Once all scans reach a 'done' status, the - action retrieves the raw scan data, attaches it to the action's JSON results, - and provides a summary of successful and failed scans. + 1. The action extracts the `Asset IDs` from the input parameters. + 2. It initializes the `OrcaSecurityManager` to interact with the Orca Security + API. - ### Additional Notes + 3. If it is the first run, the action calls `start_scan` for each provided asset + ID and tracks them as pending. - - This action is **asynchronous**. Users should ensure the script timeout value - in the Google SecOps IDE is adjusted to accommodate the time required for Orca - Security to complete asset scans. + 4. If it is a subsequent run (asynchronous), the action checks the status of the + pending scans. - - The action handles cases where a scan is already running by tracking the existing - process instead of failing. + 5. Once a scan is completed, the action adds the result JSON to the action output + and reports the status of all scanned assets. capabilities: can_create_case_comments: false can_create_insight: false @@ -478,12 +653,20 @@ Scan Assets: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates new security scan processes for the specified assets within the Orca - Security environment via POST requests. + Triggers a security scan in Orca Security, which changes the state of the external + system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers a scan in an external system (Orca Security) via a POST + request, which constitutes a mutation of external data. It also fetches the + status of these scans via GET requests. It does not modify internal Google SecOps + data, update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action triggers a scan in an external system (Orca Security), which is a + mutation of external state. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -499,73 +682,65 @@ Scan Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes `Asset IDs` as a direct input + parameter and does not reference `siemplify.target_entities`. Update Alert: - ai_description: >- - Updates the state of a specific alert in Orca Security. This action allows users - to modify an alert's status, initiate a verification process, or manage its snooze - state (snooze/unsnooze). It interacts with the Orca Security API via PUT requests - to apply changes and then retrieves the updated alert details to provide a final - status report. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Alert ID** | String | Yes | The unique identifier of the alert in Orca Security - that needs to be updated. | - - | **Verify Alert** | Boolean | No | If set to `True`, the action will initiate - the verification process for the specified alert. | - - | **Snooze State** | DDL | No | Determines the snooze status. Options include - `Select One`, `Snooze`, or `Unsnooze`. | - - | **Snooze Days** | String | No | The number of days to snooze the alert. This - is required if **Snooze State** is set to `Snooze`. Defaults to 1 if not provided. - | - - | **Status** | DDL | No | The new status to assign to the alert. Options include - `Open`, `In Progress`, `Close`, or `Dismiss`. | - - - ### Additional Notes - - * **Validation Requirement:** At least one of the following parameters must be - configured for the action to execute: `Status`, `Verify Alert`, or `Snooze State`. - - * **Unsnooze Logic:** If `Snooze State` is set to `Unsnooze` and no specific `Status` - is provided, the action automatically sets the alert status to `Open`. - - * **Duplicate Handling:** If the alert already possesses the requested status, - the action will complete successfully while noting that no change was necessary. - - - ### Flow Description - - 1. **Initialization:** Extracts configuration (API Root, Key/Token) and action - parameters. - - 2. **Validation:** Ensures that at least one update operation (Status, Verify, - or Snooze) is requested and validates `Snooze Days` if applicable. - - 3. **Verification:** If `Verify Alert` is enabled, sends a request to the Orca - Security verification endpoint. - - 4. **Snooze Management:** If `Snooze State` is `Snooze`, sends a request to the - snooze endpoint with the specified duration. - - 5. **Status Update:** Updates the alert status if a new status is provided or - if the alert is being unsnoozed. - - 6. **Data Retrieval:** Fetches the latest alert data from Orca Security to confirm - the current state. - - 7. **Output:** Returns the updated alert details as a JSON result and provides - a summary message of the operations performed. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action updates the status, snooze state, or verification status of an alert + in Orca Security, which matches the 'Update Alert' category. It also fetches + the updated alert data, matching 'Get Alert Information'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false + ai_description: "Updates an alert in Orca Security. This action allows users to\ + \ modify the status, snooze state, or verification status of a specific alert\ + \ within the Orca Security platform.\n\n### Flow Description\n1. **Initialization**:\ + \ Extracts configuration parameters (API credentials, SSL verification) and action\ + \ parameters (Alert ID, Verify Alert, Snooze State, Snooze Days, Status).\n2.\ + \ **Validation**: Ensures that at least one update operation (Verify, Snooze,\ + \ or Status change) is requested. If 'Snooze' is selected, it validates that 'Snooze\ + \ Days' is provided.\n3. **Execution**: \n - If 'Verify Alert' is enabled,\ + \ it calls the Orca Security API to verify the alert.\n - If 'Snooze State'\ + \ is set to 'Snooze', it calls the API to snooze the alert for the specified number\ + \ of days.\n - If 'Status' is provided, it updates the alert status in Orca\ + \ Security.\n4. **Data Retrieval**: Fetches the updated alert data from Orca Security.\n\ + 5. **Output**: Returns the updated alert data as a JSON result.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Alert ID | String | Yes | The unique identifier of the alert to be updated.\ + \ |\n| Verify Alert | Boolean | No | If enabled, initiates the verification process\ + \ for the alert. |\n| Snooze State | DDL | No | Specifies the snooze state for\ + \ the alert (Snooze/Unsnooze). |\n| Snooze Days | String | No | Number of days\ + \ to snooze the alert. Mandatory if 'Snooze State' is set to 'Snooze'. Defaults\ + \ to 1 day. |\n| Status | DDL | No | Specifies the new status to set for the alert\ + \ (Open, In Progress, Close, Dismiss). |\n\n### Additional Notes\nAt least one\ + \ of the following parameters must be configured for the action to run: 'Status',\ + \ 'Verify Alert', or 'Snooze State'." capabilities: can_create_case_comments: false can_create_insight: false @@ -574,12 +749,20 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the state of alerts within the Orca Security platform by - updating their status, verification status, or snooze settings via API PUT requests. + Updates the alert status, snooze state, or verification status in the Orca Security + platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs PUT requests to update the status, snooze state, or verification + status of an alert in Orca Security (external mutation). It also fetches the + updated alert data (fetches data). It does not modify internal SOAR entities, + insights, or case comments. categories: enrichment: false + reasoning: >- + The action mutates external data (updates alert status/snooze), so it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -595,3 +778,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses an 'Alert ID' parameter provided by the user to identify the + alert, rather than iterating over 'siemplify.target_entities'. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..b34256475 --- /dev/null +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,90 @@ +Orca Security - Alerts Connector: + ai_description: >- + ### General Description + + This connector integrates with Orca Security to ingest security alerts into Google + SecOps. It enables automated monitoring of security findings by fetching alerts + from the Orca Security platform, allowing users to apply granular filters such + as severity, category, alert type, and Orca score to ensure only relevant data + is ingested. The connector supports authentication via API Key or Token and provides + options for proxy configuration and environment mapping. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Orca Security instance. | + + | API Key | Password | No | API Key for authentication. Used if API Token is not + provided. | + + | API Token | Password | No | API Token for authentication. Preferred over API + Key. | + + | DeviceProductField | String | Yes | The source field name used to retrieve the + Product Field name. | + + | EventClassId | String | Yes | The source field name used to retrieve the Event + Field name. | + + | Category Filter | String | No | Comma-separated list of category names to filter + ingested alerts. | + + | Alert Type Filter | String | No | Specific alert types to ingest (e.g., aws_s3_bucket_accessible_to_unmonitored_account). + | + + | Lowest Severity To Fetch | String | No | Minimum severity level to fetch (Compromised, + Imminent compromise, Hazardous, Informational). | + + | Lowest Orca Score To Fetch | String | No | Minimum Orca score (1-10) to filter + alerts. | + + | Max Hours Backwards | Integer | No | Time range in hours to fetch alerts from + during the initial run or after expiration. | + + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + connector iteration. | + + | Use dynamic list as a blacklist | Boolean | Yes | If enabled, uses dynamic lists + as a blacklist for alert titles. | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the Orca + Security server. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the connector + script execution. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | Proxy Server Address | String | No | Address of the proxy server. | + + | Proxy Username | String | No | Username for proxy authentication. | + + | Proxy Password | Password | No | Password for proxy authentication. | + + + ### Flow Description + + 1. **Authentication**: Connects to the Orca Security API using the provided API + Key or Token and verifies the connection. + + 2. **Querying**: Fetches alerts from the Orca Security API, applying filters for + severity, score, category, and alert type as configured. + + 3. **Deduplication**: Filters out alerts that have already been processed by checking + against a local state file of alert IDs. + + 4. **Mapping**: Maps the retrieved alert data into the standard Google SecOps + case format, applying environment and product field mappings. + + 5. **Ingestion**: Creates cases in Google SecOps for the filtered, new alerts. + + 6. **State Management**: Updates the last success timestamp and saves the list + of processed alert IDs to ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..aaa40cb7e --- /dev/null +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Orca Security integration is a cloud-native security platform. It qualifies + as Cloud Security because it provides visibility into cloud configurations, workloads, + and findings across cloud environments (GCP/AWS/Azure). It qualifies as Vulnerability + Management as it retrieves vulnerability details (CVEs) and compliance framework + information. It qualifies as Asset Inventory because it fetches detailed asset + metadata and configuration states. Finally, it qualifies as SIEM because the provided + connector ingests security alerts from the Orca platform into Google SecOps, enabling + centralized monitoring and alert management. It does not perform EDR (process-level + activity), Network Security (blocking at gateway), Email Security, IAM management, + ITSM, or Collaboration functions. + siem: true + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml index 6afc8d1b4..87736cb06 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml @@ -1,46 +1,77 @@ Add Analyst Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates an analyst note in an external system (Recorded Future). + It does not match any of the provided categories, such as enriching IOCs, updating + alerts, or performing containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds an analyst note to the Recorded Future platform. This action allows users - to document findings or context within Recorded Future, automatically associating - the note with the entities currently present in the Google SecOps case scope by - appending their identifiers to the note text. + This action creates an analyst note within the Recorded Future platform. It aggregates + the identifiers of all entities currently present in the case and appends them + to the provided note text, ensuring that the analyst note is contextually linked + to the relevant entities. This facilitates better documentation and threat intelligence + sharing within the Recorded Future ecosystem. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Note Title | String | Yes | Specifies the title for the analyst note. | + | Note Title | string | Yes | The title for the analyst note. | - | Note Text | String | Yes | Specifies the body text for the note. The action - will automatically append a list of all entities collected from the current case - to this text. | + | Note Text | string | Yes | The main content/body of the analyst note. | - | Topic | DDL | No | Specifies the relevant note topic from a predefined list - (e.g., Actor Profile, Malware/Tool Profile, YARA Rule). If not specified, it defaults - to 'None'. | + | Topic | ddl | No | The specific topic or category for the note (e.g., Actor + Profile, Malware/Tool Profile). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (URL, - Key, SSL verification) and the user-provided note details (Title, Text, Topic). + 1. **Parameter Extraction**: The action retrieves the `Note Title`, `Note Text`, + and `Topic` from the action parameters. - 2. **Entity Collection:** It iterates through all entities in the current target - scope and aggregates their identifiers into a single string. + 2. **Entity Collection**: It iterates through all `target_entities` provided in + the case and collects their identifiers. - 3. **Text Preparation:** The aggregated entity list is appended to the user-provided - `Note Text` to ensure the note contains context about the specific case. + 3. **Text Preparation**: The collected entity identifiers are appended to the + `Note Text` to provide context. - 4. **External API Call:** The action uses the `RecordedFutureManager` to publish - the note to the Recorded Future platform via the `AnalystNoteMgr`. + 4. **API Interaction**: The action initializes the `RecordedFutureManager` and + calls the `get_analyst_notes` method to create the note in the Recorded Future + platform. - 5. **Result Handling:** Upon successful creation, the action returns the unique - `document_id` of the new note and completes the execution. + 5. **Result**: The action returns the `note_id` of the created note and completes + the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,48 +80,26 @@ Add Analyst Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Analyst Note in the Recorded Future platform. + Creates a new analyst note in the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Recorded Future API to create an analyst + note (mutating external data). It does not fetch data for enrichment, nor does + it modify any internal Google SecOps case data, entities, or alert statuses. categories: enrichment: false + reasoning: >- + The action is designed to create data in an external system (Recorded Future) + rather than retrieving or enriching data. It does not meet the criteria for + an enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT + - DestinationURL - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -104,62 +113,83 @@ Add Analyst Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes all entities provided in `siemplify.target_entities` to + extract their identifiers for the note content. It does not apply any filtering + logic based on entity properties. Detonate File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for detonation and returns the analysis + report. This directly matches the 'Submit File' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Submits a file to the Recorded Future Sandbox for automated detonation and behavioral - analysis. This action is designed to handle files stored either in a Google Cloud - Platform (GCP) Bucket or on the local file system. It is an asynchronous action - that uploads the file, monitors the analysis progress, and retrieves a comprehensive - report once completed. + Submits a file to the Recorded Future Sandbox for detonation and analysis. This + action allows analysts to upload files from either a Google Cloud Storage (GCP) + bucket or the local file system to the Recorded Future Sandbox, enabling automated + malware analysis and threat intelligence gathering. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The full path or identifier of the file to be detonated. - | + | File Path | string | Yes | The path to the file to be analyzed. | - | File Source | DDL | Yes | Specifies where the file is located. Options are `GCP - Bucket` or `Local File System`. | + | File Source | ddl | Yes | The source of the file. Options: 'GCP Bucket', 'Local + File System'. | - | Profile | String | No | The specific Sandbox profile to use for the analysis. - | + | Profile | string | No | The Sandbox profile to use for analysis. | - | Password | String | No | The password required to extract the file if it is - an encrypted archive. | + | Password | string | No | Password for the archive sample, if applicable. | ### Flow Description - 1. **Initialization**: The action extracts the file path and source configuration - from the input parameters. - - 2. **File Retrieval**: Depending on the `File Source`, it either reads the file - from the local disk or fetches it from a GCP Bucket using the SecOps SDK. - - 3. **Submission**: The file is uploaded to the Recorded Future Sandbox API for - detonation. + 1. **Initialization**: Extracts configuration parameters (API URL, API Key) and + action inputs. - 4. **Monitoring**: As an asynchronous action, it enters an 'In Progress' state, - periodically polling the sandbox to check if the analysis is finished. + 2. **File Retrieval**: Retrieves the file from the specified source (GCP Bucket + or Local File System). - 5. **Reporting**: Once the analysis is complete, it retrieves the overview report, - including scores, signatures, and IOCs. + 3. **Submission**: Submits the file to the Recorded Future Sandbox for detonation. - 6. **Internal Update**: It generates a detailed Case Insight in Google SecOps - containing the detonation results and analysis summary. + 4. **Asynchronous Polling**: Since the action is asynchronous, it polls the sandbox + for the analysis status. - - ### Additional Notes - - This action requires a valid Recorded Future Sandbox API key and URL configured - in the integration settings. It is an asynchronous action and will remain in progress - until the sandbox analysis is finished or a timeout occurs. + 5. **Result Processing**: Once the analysis is complete, it retrieves the sandbox + report, generates case insights containing the analysis details, and returns the + final result. capabilities: can_create_case_comments: false can_create_insight: true @@ -168,15 +198,25 @@ Detonate File: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a file to the Recorded Future Sandbox for detonation and analysis, which - creates a new analysis task in the external system. + Submits a file to the Recorded Future Sandbox, which creates a new analysis + job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation report and analysis details. + Creates case insights containing the sandbox analysis results. + reasoning: >- + The action submits a file to an external sandbox (mutating external state by + creating a new analysis job) and fetches the resulting analysis report (fetches + data). It also creates case insights within the SOAR platform (mutating internal + data). categories: enrichment: false + reasoning: >- + While the action retrieves analysis data, it is primarily a 'Submit File' action + that creates a new analysis job in an external system (Recorded Future Sandbox). + Therefore, it does not meet the 'Read-Only' criteria for an Enrichment action. entity_usage: - entity_types: [] + entity_types: + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -190,48 +230,79 @@ Detonate File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action is configured in the simulation data to operate on FILEHASH entities. Detonate URL: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action submits a URL to a sandbox for detonation and retrieves the report. + This aligns with the 'Submit File' category, which covers sandbox submission + of samples, including URLs. It does not perform standard enrichment, alert updates, + or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Submits a URL to the Recorded Future Sandbox for detonation and analysis. This + action automates the process of sending suspicious URLs to an external sandbox + environment to observe behavior and generate a threat report. - Submits URL entities to the Recorded Future Sandbox (Triage) for automated detonation - and behavioral analysis. This action is designed to handle URLs asynchronously, - meaning it initiates the detonation process and then polls the sandbox until the - analysis is complete. Once finished, it retrieves a comprehensive report including - risk scores, signatures, and observed network flows. + ### Flow Description - ### Parameters Description + 1. **Extraction**: The action extracts URL entities from the current case. - | Parameter | Type | Mandatory | Description | + 2. **Submission**: Each URL is submitted to the Recorded Future Sandbox API for + analysis. - | :--- | :--- | :--- | :--- | + 3. **Monitoring**: The action monitors the status of the submission asynchronously. - | Profile | String | No | Specifies the Sandbox profile to use for the detonation - (e.g., a specific OS or browser environment). If left empty, the default sandbox - profile is used. | + 4. **Retrieval**: Once the analysis is complete, the action retrieves the detailed + detonation report. + 5. **Insight Generation**: The action generates a case insight containing the + detonation results, including risk scores, tags, and signature details. - ### Flow Description - 1. **Entity Extraction**: The action identifies all URL entities within the current - context. + ### Parameters + + | Parameter | Type | Mandatory | Description | - 2. **Submission**: It submits each identified URL to the Recorded Future Sandbox - API. If a specific 'Profile' is provided, it is applied to the submission. + | :--- | :--- | :--- | :--- | - 3. **Polling (Async)**: Because detonation takes time, the action enters an 'In - Progress' state, periodically polling the sandbox to check the status of the analysis. + | Profile | string | No | Specifies the Sandbox profile to use for the detonation. + | - 4. **Report Retrieval**: Once the sandbox reports the analysis as 'reported' (finished), - the action fetches the full overview report. - 5. **Result Generation**: The action parses the report to extract risk scores, - signatures, and IOCs. + ### Additional Notes - 6. **Internal Updates**: It creates detailed Case Insights containing the detonation - results in HTML format and adds the raw data to the action's JSON results and - data tables. + This action is asynchronous and will wait for the analysis to complete or until + the action times out. Ensure the action timeout is configured appropriately in + the SOAR platform to accommodate the sandbox analysis duration. capabilities: can_create_case_comments: false can_create_insight: true @@ -240,14 +311,21 @@ Detonate URL: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits URLs to the Recorded Future Sandbox, which creates new analysis samples - and triggers active detonation processes in the external environment. + Submits a URL to the Recorded Future Sandbox for detonation, which creates a + new analysis job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation analysis reports and adds data - tables to the case wall. + Creates case insights within the SOAR platform containing the detonation results. + reasoning: >- + The action submits a URL to an external sandbox (mutating external state by + creating an analysis job) and subsequently fetches the analysis report (fetches + data). It also creates case insights within the SOAR platform (internal mutation). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external state by + submitting a URL for detonation (creating an analysis job), which violates the + 'External State Preservation' rule for enrichment actions. entity_usage: entity_types: - DestinationURL @@ -264,90 +342,92 @@ Detonate URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for entities + of type `URL` (mapped to `DestinationURL`). Enrich CVE: - ai_description: >- - ### General Description - - This action queries Recorded Future to retrieve comprehensive threat intelligence - for CVE (Common Vulnerabilities and Exposures) entities. It provides detailed - risk scores, triggered risk rules, and intelligence cards. The action helps security - analysts understand the severity of a vulnerability by comparing Recorded Future's - risk score against a customizable threshold, automatically marking high-risk entities - as suspicious and providing context through case insights. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark a CVE as suspicious. Corresponds to Recorded Future's risk levels - (e.g., Medium: 25-64, High: 65-79). | - - | Include Links | Boolean | No | If enabled, the action retrieves information - about related entities and links from Recorded Future. | - - | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform. | - - - ### Additional Notes - - - **Collective Insights**: This feature is only active if enabled in both the - integration configuration and the action parameters, and only for alerts where - the reporting vendor is not 'Recorded Future'. - - - **Risk Levels**: The threshold corresponds to Recorded Future's risk levels: - None (0), Low (5-24), Medium (25-64), High (65-79), Critical (80-89), and Very - Critical (90-99). - - - **External Mutation**: This action is not categorized as a pure enrichment action - because it can submit data to an external system (Collective Insights). - - - ### Flow Description - - 1. **Parameter Initialization**: Extracts API credentials and action-specific - parameters like the risk threshold and link inclusion settings. - - 2. **Entity Scoping**: Filters the target entities to process only those of type - 'CVE'. - - 3. **Intelligence Query**: Calls the Recorded Future API to fetch vulnerability - intelligence, including risk scores, evidence, and optional links. - - 4. **Collective Insights Submission**: If enabled, the action sends detection - telemetry to Recorded Future's Collective Insights service, provided the alert - did not originate from Recorded Future. - - 5. **Result Processing**: Populates data tables with the vulnerability report - and triggered risk rules. It also adds a direct link to the Recorded Future intelligence - card. - - 6. **Risk Evaluation**: Compares the CVE's risk score against the user-defined - 'Risk Score Threshold'. - - 7. **Internal Enrichment**: If the score exceeds the threshold, the entity is - marked as suspicious, and a detailed case insight is created. - - 8. **Entity Update**: Updates the entity's additional properties with the retrieved - intelligence and marks it as enriched. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a CVE, which aligns + with the 'Enrich IOC' category. It does not perform any containment, ticketing, + or alert management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches CVE (Common Vulnerabilities\ + \ and Exposures) entities by querying the Recorded Future Intelligence platform.\ + \ It retrieves comprehensive threat intelligence, including risk scores, evidence\ + \ details, and optional links. The action evaluates the CVE's risk against a user-defined\ + \ threshold to determine if it should be marked as suspicious, subsequently updating\ + \ the entity's profile and generating a case insight if the threshold is exceeded.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Risk Score Threshold | string | Yes | The minimum\ + \ malicious risk score (0-99) for a CVE to be marked as suspicious. |\n| Include\ + \ Links | boolean | No | If enabled, the action retrieves additional links related\ + \ to the CVE. |\n| Enable Collective Insights | boolean | No | If enabled, contributes\ + \ detection data back to Recorded Future. |\n\n### Additional Notes\n- The action\ + \ requires a valid Recorded Future API configuration.\n- Collective Insights submission\ + \ is conditional based on both the action parameter and global configuration settings.\n\ + \n### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API URL, API Key) and action-specific parameters (Threshold, Include Links,\ + \ Collective Insights).\n2. **Processing**: Iterates through the provided CVE\ + \ entities.\n3. **Enrichment**: Queries the Recorded Future API for each CVE to\ + \ retrieve risk data and intelligence.\n4. **Evaluation**: Compares the retrieved\ + \ risk score against the configured threshold.\n5. **Internal Update**: \n \ + \ - Updates the entity's `additional_properties` with enrichment data.\n -\ + \ Sets the entity's `is_enriched` status to true.\n - If the score exceeds\ + \ the threshold, marks the entity as `is_suspicious` and creates a case insight.\n\ + 6. **Finalization**: Updates the entities in the SecOps platform and returns the\ + \ results." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_external_data: false + can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - Submits detection telemetry and incident metadata to Recorded Future's Collective - Insights platform when the 'Enable Collective Insights' parameter is enabled. + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Updates entity attributes (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). + It does not modify alert data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence for CVE entities. It does + not mutate external systems. It performs allowed internal mutations (updating + entities and creating insights). Therefore, it meets the criteria for an enrichment + action. entity_usage: entity_types: - CVE @@ -364,74 +444,114 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type` is `EntityTypes.CVE`. Enrich Hash: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a file hash (IOC) + from Recorded Future. This directly matches the 'Enrich IOC' category. It does + not perform any other actions like ticket creation, containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches File Hash entities using Recorded Future's threat intelligence. This - action retrieves risk scores, evidence details, and optional entity links. It - evaluates the hash against a user-defined risk threshold to mark entities as suspicious - and generates detailed insights and data tables within the case. + This action enriches File Hash entities by querying the Recorded Future intelligence + platform. It retrieves threat intelligence, including risk scores, triggered risk + rules, and associated links. Based on the configured risk threshold, the action + updates the entity's suspicious status and generates a case insight if the hash + is deemed risky. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | Represents the minimum malicious risk - score (0-89) for a Hash to be marked malicious. | + | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-89) + for a Hash to be marked as suspicious. Default is 25. | - | Include Links | Boolean | No | If enabled, the action retrieves information - about related entity links. | + | Include Links | boolean | No | If enabled, the action retrieves additional links + related to the hash. Default is false. | - | Enable Collective Insights | Boolean | No | If enabled, contributes detection - data back to Recorded Future's Collective Insights service. | - - - ### Additional Notes - - Collective Insights are only submitted if the alert's reporting vendor is not - 'Recorded Future'. + | Enable Collective Insights | boolean | No | If enabled, contributes detection + data back to Recorded Future. Default is true. | ### Flow Description - 1. **Parameter Extraction**: Retrieves API configuration and action parameters - (Threshold, Links, Collective Insights). + 1. **Initialization**: Extracts API configuration (URL, Key, SSL verification) + and action parameters (Threshold, Include Links, Collective Insights). + + 2. **Entity Processing**: Iterates through the `target_entities` provided in the + case, filtering specifically for `FILEHASH` entities. - 2. **Entity Filtering**: Iterates through target entities and filters for File - Hash types. + 3. **Intelligence Retrieval**: Queries the Recorded Future API for each valid + hash to obtain risk scores, evidence details, and optional links. - 3. **Intelligence Retrieval**: Queries Recorded Future for reputation data, including - risk scores, evidence, and optional links. + 4. **Data Enrichment**: Updates the entity's `additional_properties` with the + retrieved intelligence data and sets the `is_enriched` flag. - 4. **External Contribution**: If enabled and applicable, submits detection information - back to Recorded Future via Collective Insights. + 5. **Risk Assessment**: Compares the retrieved risk score against the `Risk Score + Threshold`. If the score exceeds the threshold, the entity is marked as `is_suspicious`. - 5. **Internal Enrichment**: Updates entity attributes (is_suspicious, additional_properties) - based on the risk score and threshold. + 6. **Insight Generation**: If the hash is marked as suspicious, a case insight + is created containing the risk details and evidence. - 6. **Reporting**: Generates case insights, data tables for risk rules and links, - and adds a direct link to the Recorded Future portal. + 7. **Result Reporting**: Adds data tables (Overview, Risk Rules, Links) to the + action results and updates the entities in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - Submits detection information to Recorded Future's Collective Insights service - if the 'Enable Collective Insights' parameter is set to true and the alert source - is not Recorded Future. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (is_suspicious, additional_properties, is_enriched) and - creates case insights with detailed threat intelligence. + Updates entity attributes (is_suspicious, is_enriched, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes and creating case + insights (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). + It does not modify alert data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (Recorded Future), does not mutate external systems, and only performs + allowed internal mutations (updating entities and creating insights). entity_usage: entity_types: - FILEHASH @@ -448,84 +568,123 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `if + entity.entity_type in entity_types`, where `entity_types` is defined as `[EntityTypes.FILEHASH]`. + No other filters are applied. Enrich Host: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches threat intelligence for Host and Domain entities, which matches + the 'Enrich IOC' category. It does not perform any containment, ticketing, or + other actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Enrich Host** action queries Recorded Future to retrieve comprehensive threat - intelligence for **Hostname** and **Domain** entities. It provides security analysts - with critical context, including risk scores, triggered risk rules, and intelligence - cards, to help evaluate the threat level of specific hosts within a case. + This action queries Recorded Future to retrieve threat intelligence for Host and + Domain entities. It enriches the entities with risk scores, risk strings, and + other relevant intelligence data. If the retrieved risk score exceeds the configured + threshold, the action marks the entity as suspicious and generates a case insight + with the detailed risk evidence. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Risk Score Threshold** | String | Yes | The minimum risk score (0-99) required - to mark a host as suspicious. Scores are categorized as: Very Malicious (90-99), - Malicious (65-89), Suspicious (25-64), Unusual (5-24), and No Malicious Content - (0). | + | Risk Score Threshold | string | Yes | Represents the minimum malicious risk + score (0-99) for a Host to be marked as suspicious. | - | **Include Links** | Boolean | No | If enabled, the action retrieves additional - information about related entity links from Recorded Future. | + | Include Links | boolean | No | If enabled, the action retrieves information + about related links. | - | **Enable Collective Insights** | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights system, provided - the alert did not originate from Recorded Future itself. | + | Enable Collective Insights | boolean | No | If enabled, contributes detection + data back to Recorded Future. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Extracts API configuration (URL, Key, SSL settings) and - action parameters (Threshold, Links, Collective Insights). + - The action filters target entities to process only those of type `HOSTNAME` + or `DOMAIN`. - 2. **Entity Filtering**: Identifies all `HOSTNAME` and `DOMAIN` entities within - the current Google SecOps context. + - Collective Insights submission is conditional based on global settings, action + parameters, and the reporting vendor of the current alert. - 3. **Intelligence Retrieval**: For each identified entity, the action calls the - Recorded Future API to fetch enrichment data, including risk scores and evidence. - 4. **External Contribution**: If `Enable Collective Insights` is true and the - alert source is external, detection data is submitted to Recorded Future. + ### Flow Description - 5. **Data Augmentation**: Adds detailed data tables to the action results, including - a general report, triggered risk rules, and optionally, related links. + 1. Extracts configuration parameters (API URL, API Key, SSL verification, Collective + Insights global setting) and action parameters. - 6. **Risk Assessment**: Compares the retrieved risk score against the user-defined - `Risk Score Threshold`. If the score exceeds the threshold, the entity is marked - as suspicious. + 2. Determines if Collective Insights should be enabled based on the action settings + and alert context. - 7. **Internal Updates**: Updates the entity's properties in Google SecOps with - the new intelligence and creates a case insight containing the risk analysis and - portal links. + 3. Initializes the Recorded Future manager. + 4. Iterates through the target entities, filtering for `HOSTNAME` and `DOMAIN` + types. - ### Additional Notes + 5. For each valid entity, fetches threat intelligence from Recorded Future. + + 6. Adds data tables to the action results containing the report, triggered risk + rules, and links (if enabled). + + 7. If the risk score exceeds the threshold, marks the entity as suspicious and + creates a case insight. - - This action performs an external mutation by contributing to 'Collective Insights' - if the parameter is enabled. + 8. Updates the entity with enrichment data and marks it as enriched. - - The action supports both `HOSTNAME` and `DOMAIN` entity types, even though the - simulation data may only list one. + 9. Adds the final JSON result and ends the action. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If the 'Enable Collective Insights' parameter is enabled, the action submits - detection information back to Recorded Future's Collective Insights platform. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes such as 'is_suspicious', 'is_enriched', and 'additional_properties'. - It also creates case insights to display threat intelligence summary. + Updates entity properties and creates case insights based on threat intelligence. + reasoning: >- + The action fetches threat intelligence from Recorded Future for Host and Domain + entities. It updates the entities with enrichment data and creates insights + if the risk score exceeds the threshold. It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment), does not mutate external systems, and + only performs allowed internal mutations (updating entities and creating insights). + It is an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -543,99 +702,101 @@ Enrich Host: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `HOSTNAME` + and `DOMAIN` types using `entity.entity_type in entity_types`. Enrich IOC: - ai_description: >- - ### General Description - - The **Enrich IOC** action retrieves comprehensive threat intelligence from Recorded - Future for various Indicators of Compromise (IOCs), including IP addresses, domains, - hostnames, file hashes, URLs, and CVEs. It provides risk scores, evidence for - maliciousness, and links to Recorded Future intelligence cards. This action is - designed to automate the initial triage of entities within a case by providing - context and automatically flagging suspicious entities based on a configurable - risk threshold. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Risk Score Threshold** | Integer | Yes | The minimum Recorded Future risk - score (0-100) required to mark an entity as suspicious. Default is 25. | - - | **Include Links** | Boolean | No | If enabled, the action retrieves related - entity links (e.g., IPs related to a domain) and populates them into a data table. - | - - | **Enable Collective Insights** | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform to improve - global threat intelligence. This is skipped for alerts originally generated by - Recorded Future. | - - - ### Additional Notes - - - This action updates the `is_suspicious` and `is_enriched` flags on entities - within Google SecOps. - - - It populates the entity's `additional_properties` with Recorded Future specific - data (prefixed with `RF_`). - - - Collective Insights submission is subject to both the action-level parameter - and a global integration configuration. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves API credentials and action parameters (Threshold, - Links, Collective Insights). - - 2. **Entity Filtering:** Iterates through the case's target entities and filters - for supported types (ADDRESS, HOSTNAME, DOMAIN, FILEHASH, CVE, DestinationURL). - - 3. **Intelligence Retrieval:** For each supported entity, it queries the Recorded - Future API to fetch the risk report and intelligence metadata. - - 4. **External Contribution:** If 'Enable Collective Insights' is active, it submits - the detection context to Recorded Future. - - 5. **Data Visualization:** Adds multiple data tables to the case, including an - overview report, triggered risk rules, and related links (if requested). - - 6. **Risk Assessment:** Compares the retrieved risk score against the **Risk Score - Threshold**. If the score is higher, the entity is marked as suspicious. - - 7. **Insight Generation:** Creates a detailed Case Insight containing the risk - score, portal links, and evidence details for risky entities. - - 8. **Entity Update:** Updates the entities in the Google SecOps case with the - new enrichment data and suspicious status. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and threat intelligence for indicators + (IOCs) from Recorded Future. This directly matches the 'Enrich IOC' category. + It does not perform containment, ticketing, or alert management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Enrich IOC** action queries the\ + \ Recorded Future intelligence platform to retrieve threat intelligence for various\ + \ indicators of compromise (IOCs). It evaluates the risk score of each entity\ + \ against a user-defined threshold to determine if the entity should be marked\ + \ as suspicious. The action enriches the entity profile with threat intelligence\ + \ data, updates the entity's status, and generates case insights for high-risk\ + \ findings.\n\n### Parameters\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| **Risk Score Threshold** | string | Yes | The\ + \ minimum malicious risk score required for an entity to be marked as suspicious.\ + \ |\n| **Include Links** | boolean | No | If enabled, the action retrieves and\ + \ includes links to the Recorded Future portal. |\n| **Enable Collective Insights**\ + \ | boolean | No | If enabled, the action contributes detection data back to Recorded\ + \ Future. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ + \ the Recorded Future manager using the provided API credentials and configuration.\n\ + 2. **Entity Processing**: It iterates through the target entities, filtering for\ + \ supported types (HOSTNAME, CVE, FILEHASH, ADDRESS, URL, DOMAIN).\n3. **Enrichment**:\ + \ For each supported entity, it queries the Recorded Future API to fetch threat\ + \ intelligence, including risk scores, evidence details, and location data (for\ + \ IPs).\n4. **Risk Evaluation**: It compares the retrieved risk score against\ + \ the configured **Risk Score Threshold**. If the score exceeds the threshold,\ + \ the entity is marked as suspicious.\n5. **Internal Updates**: \n - Updates\ + \ the entity's `additional_properties` with enrichment data.\n - Sets the entity's\ + \ `is_enriched` and `is_suspicious` flags.\n - Creates a case insight if the\ + \ entity is deemed risky.\n - Adds data tables and links to the action results\ + \ for analyst review.\n6. **Finalization**: Updates the entities in the case and\ + \ returns the final execution status." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action performs a POST request - to Recorded Future's Collective Insights API to contribute detection data. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (is_suspicious, is_enriched), adds enrichment data to - entity additional_properties, and creates case insights. + Updates entity attributes (is_suspicious, is_enriched, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes (is_suspicious, + is_enriched, additional_properties) and creating case insights (can_mutate_internal_data=true, + can_update_entities=true, can_create_insight=true). It does not modify alert + data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence and enrich entities without + modifying external systems. It performs allowed internal mutations (updating + entities and creating insights). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS - CVE + - DOMAIN - FILEHASH - HOSTNAME - DestinationURL - - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -649,83 +810,90 @@ Enrich IOC: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on a predefined list of supported types: HOSTNAME, CVE, FILEHASH, ADDRESS, URL, + and DOMAIN. It does not filter by other attributes like creation time, modification + time, or specific entity properties. Enrich IOCs Bulk: - ai_description: >- - ### General Description - - Enriches multiple IOCs (Indicators of Compromise) in bulk using Recorded Future's - SOAR API. This action retrieves threat intelligence for a variety of entity types, - including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs, in a - single request. It is designed for high-efficiency enrichment of all supported - entities present in the current context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Enable Collective Insights | boolean | No | If enabled, the action will contribute - detection information back to Recorded Future's Collective Insights platform. - This submission only occurs if the alert did not originate from Recorded Future - itself. Default is true. | - - - ### Additional Notes - - - This action uses the Recorded Future SOAR API, which is optimized for bulk lookups. - - - The action retrieves raw intelligence data and attaches it as a JSON result - to the action output. - - - Unlike individual enrichment actions, this bulk action does not automatically - update entity fields or create case insights; it focuses on data retrieval. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the API configuration (URL, Key, SSL verification) - and the 'Enable Collective Insights' action parameter. - - 2. **Entity Identification**: Scans the current context for all supported entities - (ADDRESS, DOMAIN, HOSTNAME, FILEHASH, DestinationURL, CVE). - - 3. **Bulk Request Preparation**: Groups the identified entities by their Recorded - Future type (e.g., mapping 'ADDRESS' to 'ip') to construct a bulk query. - - 4. **Intelligence Retrieval**: Executes a bulk lookup via the Recorded Future - SOAR API to fetch intelligence for all entities simultaneously. - - 5. **Collective Insights Submission**: If enabled and applicable (based on the - alert vendor), submits detection metadata for the entities to Recorded Future's - global intelligence platform. - - 6. **Output Generation**: Aggregates the retrieved intelligence into a structured - JSON result and completes the action. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches threat intelligence (reputation, risk scores) for various + IOCs from Recorded Future. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like updating alerts, tickets, or blocking IOCs. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches multiple IOCs in bulk using Recorded Future intelligence.\ + \ This action queries the Recorded Future API to retrieve threat intelligence\ + \ for various entity types, including IP addresses, hostnames, file hashes, URLs,\ + \ domains, and CVEs. \n\n### Flow Description\n1. Extracts configuration parameters\ + \ (API URL, API Key, SSL verification, and global Collective Insights setting)\ + \ and the action-specific parameter 'Enable Collective Insights'.\n2. Determines\ + \ if Collective Insights submission is enabled based on the global setting, action\ + \ parameter, and the alert's reporting vendor.\n3. Initializes the Recorded Future\ + \ manager.\n4. Iterates through the target entities in the case, filtering for\ + \ supported types (HOSTNAME, CVE, FILEHASH, ADDRESS, URL, DOMAIN).\n5. Performs\ + \ a bulk enrichment request to Recorded Future for the identified entities.\n\ + 6. Returns the enrichment results as a JSON result object for the action.\n\n\ + ### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Enable Collective Insights | boolean | No | If enabled, contribute\ + \ detections back to Recorded Future. Defaults to true. |\n\n### Additional Notes\n\ + This action performs bulk enrichment and does not update the entities directly\ + \ in the case. It returns the results in the action's JSON output." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is true, the action submits detection information - (IOC value, type, and incident metadata) to Recorded Future's Collective Insights - API to contribute to global threat intelligence. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a bulk query to the Recorded Future API to fetch threat + intelligence for various IOC types. It does not mutate external systems or modify + internal case data (entities, insights, or comments). It only returns the fetched + data as a JSON result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data for IOCs. It does not + mutate external systems, nor does it modify internal case data (entities, insights, + or comments). It meets all criteria for an enrichment action. entity_usage: entity_types: - - ADDRESS + - HOSTNAME - CVE - FILEHASH - - HOSTNAME - - DOMAIN + - ADDRESS - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -739,73 +907,92 @@ Enrich IOCs Bulk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on whether their `entity_type` is present in the `SUPPORTED_ENTITIES` list (HOSTNAME, + CVE, FILEHASH, ADDRESS, URL, DOMAIN). Enrich IP: - ai_description: >- - Enriches IP Address entities using Recorded Future threat intelligence. This action - retrieves comprehensive reputation data, including risk scores, triggered risk - rules, location details (ASN, country, city), and related entity links. It evaluates - the risk score against a configurable threshold to automatically mark entities - as suspicious within Google SecOps. Additionally, it can contribute detection - data back to Recorded Future via the Collective Insights feature. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark an IP as suspicious. Band levels: Very Malicious (90-99), Malicious - (65-89), Suspicious (25-64), Unusual (5-24). Default is 25. | - - | Include Links | Boolean | No | If enabled, the action retrieves and displays - information about related entity links in a dedicated data table. | - - | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform. | - - - ### Flow Description - - 1. **Initialization**: Retrieves API credentials and configuration settings (URL, - API Key, SSL verification). - - 2. **Parameter Extraction**: Parses the risk threshold, link inclusion preference, - and Collective Insights toggle. - - 3. **Entity Filtering**: Identifies all IP Address entities within the current - alert or case context. - - 4. **Data Retrieval**: Queries Recorded Future for the IP's risk score, evidence - details, and geographical information. - - 5. **External Contribution**: If 'Enable Collective Insights' is active and the - alert is not from Recorded Future itself, it submits the detection to the Recorded - Future platform. - - 6. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score - Threshold'. If exceeded, the entity is marked as suspicious. - - 7. **Internal Updates**: Updates the entity's additional properties with enrichment - data, creates a detailed case insight, and populates data tables with the findings. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for IP addresses, which directly matches + the 'Enrich IOC' category. It does not perform any other actions like blocking, + ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ Recorded Future intelligence platform. This action retrieves comprehensive threat\ + \ intelligence, including risk scores, location data, and associated risk rules,\ + \ to provide context for IP entities within a case. It evaluates the risk score\ + \ against a user-defined threshold to determine if an entity should be marked\ + \ as suspicious.\n\n### Flow Description\n1. **Initialization**: The action extracts\ + \ configuration parameters (API URL, API Key, SSL verification) and action parameters\ + \ (Risk Score Threshold, Include Links, Enable Collective Insights).\n2. **Entity\ + \ Processing**: It iterates through the `target_entities` provided in the case,\ + \ filtering specifically for entities of type `ADDRESS`.\n3. **Data Retrieval**:\ + \ For each valid IP entity, it queries the Recorded Future API to fetch threat\ + \ intelligence data.\n4. **Enrichment**: \n - Updates the entity's `additional_properties`\ + \ with the retrieved intelligence (e.g., risk score, location, organization).\n\ + \ - Sets the entity's `is_enriched` status to true.\n - If the risk score\ + \ exceeds the configured `Risk Score Threshold`, it marks the entity as `is_suspicious`.\n\ + 5. **Insight Generation**: If the entity is marked suspicious, it creates a case\ + \ insight containing detailed risk evidence and location data.\n6. **Result Reporting**:\ + \ Updates the entities in the SOAR platform and adds data tables and links to\ + \ the action results.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Risk Score Threshold | string\ + \ | Yes | The minimum malicious risk score (0-99) for an IP to be marked as suspicious.\ + \ |\n| Include Links | boolean | No | If enabled, the action retrieves additional\ + \ links related to the IP. |\n| Enable Collective Insights | boolean | No | If\ + \ enabled, contributes detection data back to Recorded Future. |\n\n### Additional\ + \ Notes\nThis action is strictly for enrichment and does not modify any external\ + \ systems. It only updates internal entity attributes and creates case insights\ + \ within Google SecOps." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection information - back to Recorded Future's Collective Insights service, which modifies data in - the external Recorded Future platform. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, modifies the 'is_suspicious' - flag of entities based on the risk score, and creates case insights. + Updates entity properties and creates case insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence from the Recorded Future API for IP entities. + It does not mutate external systems. It performs internal mutations by updating + entity properties (e.g., risk score, suspicious status) and creating case insights + within Google SecOps. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment) and only performs allowed internal mutations + (updating entities, creating insights). It does not mutate external systems, + thus meeting the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -822,80 +1009,110 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them by `entity.entity_type` + to process only `ADDRESS` entities. Enrich URL: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for a URL, which is an IOC. This matches + the 'Enrich IOC' category. It does not perform any other actions like blocking, + ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches URL entities using Recorded Future Intelligence. This action retrieves - comprehensive threat intelligence for URLs, including risk scores, evidence details, - and intelligence cards. It helps security analysts determine the reputation of - a URL and provides context for investigation. + Enriches URL entities using Recorded Future Intelligence. This action queries + the Recorded Future API to retrieve threat intelligence, risk scores, and associated + metadata for a given URL. It evaluates the risk based on a user-defined threshold, + updates the entity's suspicious status, and generates a case insight with the + analysis results. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | string | Yes | Represents the minimum malicious risk - score (0-99) for a URL to be marked as suspicious in Google SecOps. Default is - 25. | + ### Flow Description - | Include Links | boolean | No | If enabled, the action retrieves additional information - about related links associated with the URL. | + 1. **Initialization**: Extracts configuration parameters (API URL, API Key, SSL + verification) and action parameters (Risk Score Threshold, Include Links, Enable + Collective Insights). - | Enable Collective Insights | boolean | No | If enabled, the action contributes - detection telemetry back to Recorded Future's Collective Insights API. | + 2. **Entity Processing**: Iterates over the target entities, filtering for URL + entities. + 3. **Enrichment**: Queries the Recorded Future API for intelligence on each URL. - ### Additional Notes + 4. **Evaluation**: Compares the retrieved risk score against the configured threshold. + If the score exceeds the threshold, the entity is marked as suspicious. - - The action will mark an entity as suspicious and create a case insight if the - retrieved risk score exceeds the configured 'Risk Score Threshold'. + 5. **Internal Update**: Updates the entity's properties with enrichment data, + creates a case insight with the findings, and adds data tables to the action results. - - Collective Insights submissions are automatically disabled if the alert vendor - is 'Recorded Future' to avoid redundant reporting. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Initialization**: Extracts API configuration (URL, Key, SSL) and - action parameters (Threshold, Include Links, Collective Insights). + | :--- | :--- | :--- | :--- | - 2. **Entity Filtering**: Identifies URL entities within the current alert scope. + | Risk Score Threshold | string | Yes | Represents the minimum malicious risk + score (0-99) for a URL to be marked malicious. | - 3. **Intelligence Retrieval**: For each URL, queries the Recorded Future API to - fetch enrichment data, risk scores, and evidence. + | Include Links | boolean | No | If enabled, the action retrieves information + about links associated with the URL. | - 4. **Telemetry Submission**: If 'Enable Collective Insights' is active, submits - detection context to Recorded Future. + | Enable Collective Insights | boolean | No | If enabled, contributes detections + back to Recorded Future. | - 5. **Internal Enrichment**: Updates the entity's additional properties with Recorded - Future data and sets the 'is_enriched' flag. - 6. **Risk Assessment**: Compares the risk score against the threshold. If exceeded, - marks the entity as suspicious and generates a detailed case insight. + ### Additional Notes - 7. **Data Visualization**: Adds data tables to the case wall containing the overview - report, triggered risk rules, and related links. + This action is strictly for enrichment and does not modify any external systems. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - Submits detection telemetry (IOC value, type, and incident context) to Recorded - Future's Collective Insights API if the 'Enable Collective Insights' parameter - is enabled. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_suspicious, additional_properties) and creates - case insights with detailed threat intelligence. + Updates entity properties and creates case insights. + reasoning: >- + The action fetches threat intelligence from Recorded Future for URL entities. + It updates the entity's suspicious status and adds enrichment data to the entity. + It creates case insights with the findings. It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment), does not mutate external systems, and + only performs allowed internal mutations (updating entities and creating insights). + It is an enrichment action. entity_usage: entity_types: - DestinationURL @@ -912,50 +1129,82 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `EntityTypes.URL` + (mapped to `DestinationURL`). Get Alert Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific alert from the Recorded + Future platform. This directly aligns with the 'Get Alert Information' category. + It does not perform any other operations like enrichment of IOCs/Assets, ticket + creation, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves comprehensive details for a specific Recorded Future alert using its - unique identifier. This action allows analysts to fetch deep context regarding - a threat, including associated documents, related entities, and evidence details, - facilitating a more thorough investigation within the Google SecOps case. + The 'Get Alert Details' action retrieves comprehensive information about a specific + alert from the Recorded Future platform. By providing a unique Alert ID, the action + queries the Recorded Future API to fetch details such as documents, related entities, + and evidence. The retrieved information is then returned as a JSON result within + the case, and a direct link to the Recorded Future web report is added to the + action output for easy access by analysts. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | string | Yes | The unique identifier of the Recorded Future alert - for which details are being requested. | + | Alert ID | string | Yes | The unique identifier of the alert in Recorded Future + for which details are to be fetched. | ### Flow Description - 1. **Authentication**: The action initializes the Recorded Future manager using - the provided API URL and API Key. - - 2. **Parameter Extraction**: It retrieves the mandatory `Alert ID` from the action - parameters. + 1. **Parameter Extraction**: The action extracts the 'Alert ID' provided by the + user. - 3. **Data Retrieval**: The action queries the Recorded Future API to fetch detailed - information about the specified alert, including hits, rules, and analyst notes. + 2. **Initialization**: The 'RecordedFutureManager' is initialized using the configured + API URL and API Key. - 4. **Result Processing**: The retrieved alert data is converted to JSON and added - to the action's execution results for use in subsequent playbook steps. + 3. **Data Retrieval**: The action calls the 'get_information_about_alert' method + using the provided Alert ID to fetch the alert data. - 5. **Portal Linking**: A direct web link to the alert in the Recorded Future portal - is provided for the analyst to access the original report. + 4. **Result Output**: The retrieved alert data is added to the action's result + as a JSON object. + 5. **Link Addition**: A link to the Recorded Future web report for the alert is + added to the action output. - ### Additional Notes - - This action does not operate on case entities; it requires a specific Alert ID - as input. It is primarily used for manual or automated deep-dive lookups of known - Recorded Future alerts. + 6. **Completion**: The action completes and returns the status and output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -966,8 +1215,17 @@ Get Alert Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Recorded Future API to retrieve alert + details based on an ID. It does not perform any POST/PUT/DELETE operations on + external systems, nor does it modify any internal SOAR data such as entities, + insights, or case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches supplemental context about an alert from an external source + (Recorded Future). It does not mutate external or internal data, satisfying + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -983,56 +1241,58 @@ Get Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process 'target_entities'. It operates solely + based on the 'Alert ID' parameter provided by the user. Get Playbook Alert Details: - ai_description: >- - ### General Description - - This action retrieves comprehensive details for a specific Recorded Future Playbook - Alert and attaches the results to the current case. It is designed to provide - deep context beyond the initial alert summary, such as updated DNS records, specific - vulnerability stages, or detailed identity exposure information. The action returns - the full raw data of the alert and provides a direct link to the Recorded Future - portal for the full web report. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert - for which you want to fetch details. | - - | Category | String | Yes | The specific category of the Playbook Alert. Supported - values include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, - `identity_novel_exposures`, and `geopolitics_facility`. | - - - ### Additional Notes - - - This action does not run on entities; it requires a specific Alert ID and Category - as input parameters. - - - The action is read-only and does not change the status or assignee of the alert - in Recorded Future. - - - ### Flow Description - - 1. **Parameter Extraction:** The action extracts the API credentials (URL, Key, - SSL verification) and the specific Playbook Alert ID and Category from the user - input. - - 2. **API Interaction:** It utilizes the `RecordedFutureManager` to call the Recorded - Future API's fetch method for the specified alert. - - 3. **Data Processing:** The retrieved alert data is transformed into a structured - `PlaybookAlert` object. - - 4. **Result Attachment:** The action adds the full JSON representation of the - alert details to the execution results and generates a direct link to the Recorded - Future portal report for easy access by analysts. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific alert from the Recorded + Future platform. This directly matches the 'Get Alert Information' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action fetches detailed information\ + \ about a specific Recorded Future Playbook Alert. It retrieves comprehensive\ + \ data, including DNS records, vulnerability stages, and other relevant intelligence,\ + \ and returns this information to the Google SecOps case as a JSON result and\ + \ a direct link to the Recorded Future web report.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Playbook\ + \ Alert ID | string | Yes | The unique identifier of the playbook alert to fetch.\ + \ |\n| Category | string | Yes | The category of the playbook alert (e.g., domain_abuse,\ + \ cyber_vulnerability, code_repo_leakage, third_party_risk, identity_novel_exposures,\ + \ geopolitics_facility). |\n\n### Flow Description\n1. **Initialization**: The\ + \ action initializes the `RecordedFutureManager` using the configured API URL\ + \ and API Key.\n2. **Data Retrieval**: It calls the Recorded Future API to fetch\ + \ details for the provided `Playbook Alert ID` and `Category`.\n3. **Result Processing**:\ + \ \n - The retrieved alert details are added to the action results as a JSON\ + \ object.\n - A link to the Recorded Future web report is added to the action\ + \ results.\n4. **Completion**: The action completes and returns a success message\ + \ or an error message if the alert is not found or if authentication fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -1043,8 +1303,17 @@ Get Playbook Alert Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Recorded Future API to retrieve alert + details. It does not modify any external systems (no POST/PUT/DELETE). It does + not modify internal SOAR data (no entity updates, insights, or case comments). + It simply returns the fetched data as a result JSON and a link. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Recorded Future) and does not + mutate any external or internal systems. It meets the criteria for an enrichment + action as it gathers supplemental context without violating internal state constraints. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1060,56 +1329,53 @@ Get Playbook Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or reference `siemplify.target_entities`. It + operates based on input parameters provided by the user. Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps (Chronicle) environment and the Recorded Future API. It ensures - that the provided API URL and API Key are valid and that the network allows communication - with the service. - - - ### Parameters - - | Parameter Name | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | - - | ApiUrl | The base URL for the Recorded Future API. | String | Yes | N/A | - - | ApiKey | The API Key used for authentication with Recorded Future. | String - | Yes | N/A | - - | Verify SSL | If enabled, the action will verify the SSL certificate of the API - endpoint. | Boolean | No | False | - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify SDK and logger. - - 2. **Parameter Extraction**: It retrieves the `ApiUrl`, `ApiKey`, and `Verify - SSL` settings from the integration configuration. - - 3. **Manager Setup**: A `RecordedFutureManager` instance is created using the - extracted credentials. - - 4. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a sample enrichment lookup for a hardcoded IP address (8.8.8.8) to confirm - the API is responsive and the credentials are valid. - - 5. **Result Reporting**: If the test succeeds, it returns a 'Connection Established' - message. If it fails, it captures the exception and reports a failure status. - - - ### Additional Notes - - - This action does not process any entities from the current alert or case; it - uses a static internal test to validate the integration configuration. - - - As per standard SOAR conventions, this action is categorized as a connectivity - test and not as an enrichment action. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks like enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Tests connectivity to the Recorded Future API. This action verifies\ + \ that the integration is correctly configured by attempting to establish a connection\ + \ using the provided API credentials. \n\n### Parameters\n| Parameter | Type |\ + \ Mandatory | Description |\n| --- | --- | --- | --- |\n| ApiUrl | string | Yes\ + \ | The base URL for the Recorded Future API. |\n| ApiKey | string | Yes | The\ + \ API key used for authentication. |\n| Verify SSL | boolean | No | Whether to\ + \ verify SSL certificates when connecting to the API. Defaults to False. |\n\n\ + ### Flow Description\n1. The action initializes the Recorded Future manager using\ + \ the provided API URL, API key, and SSL verification setting.\n2. It attempts\ + \ to call the `test_connectivity` method on the manager to verify the connection.\n\ + 3. If the connection is successful, it logs the success and completes the action.\n\ + 4. If an error occurs, it logs the exception and marks the action as failed." capabilities: can_create_case_comments: false can_create_insight: false @@ -1118,10 +1384,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test to the Recorded Future API. It does + not fetch data about entities, mutate external systems, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not fetch data on entities or perform any enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1137,46 +1410,80 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. Refresh Playbook Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches alert details from Recorded Future and adds them to the case. + This matches the 'Get Alert Information' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Updates a Google SecOps case with the latest information from a Recorded Future - Playbook Alert. This action is designed to synchronize an existing case with new - data fetched directly from the Recorded Future platform, ensuring that the investigation - reflects the most current threat intelligence. + ### General Description + Updates information in a case created by the Playbook Alerts Connector with new + data from the Recorded Future platform. This action fetches the latest details + for a specific Playbook Alert and adds relevant entities (such as domains, IPs, + or hosts) to the case based on the alert's category. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Alert ID | The unique identifier of the playbook alert in Recorded - Future to be refreshed. | string | Yes | + | Playbook Alert ID | string | Yes | The ID of the playbook alert for which you + would like to fetch details. | - | Category | The specific category of the Playbook Alert. Supported values include: - `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, - `identity_novel_exposures`, and `geopolitics_facility`. | string | Yes | + | Category | string | Yes | The Category of the Playbook Alert. Possible values + are domain_abuse, cyber_vulnerability, code_repo_leakage, third_party_risk, identity_novel_exposures, + and geopolitics_facility. | ### Flow Description + 1. **Initialization**: Extracts configuration parameters (API URL, API Key, SSL + verification) and action parameters (Playbook Alert ID, Category). - 1. **Validation**: The action first verifies that the current case was generated - by the Recorded Future Playbook Alert product. If not, it terminates with an error. + 2. **Validation**: Verifies that the current alert is a valid Recorded Future + Playbook Alert. - 2. **Data Retrieval**: It connects to the Recorded Future API to fetch the latest - details for the specified Playbook Alert ID and Category. + 3. **Data Retrieval**: Calls the Recorded Future API to fetch the latest details + for the specified Playbook Alert ID and category. - 3. **Entity Synchronization**: Based on the alert category, the action identifies - relevant indicators (such as IPs, Domains, Hostnames, or CVEs) within the refreshed - data and automatically adds them as entities to the Google SecOps case. + 4. **Internal Mutation**: Based on the alert category, adds relevant entities + to the case using `siemplify.add_entity_to_case`. - 4. **Result Generation**: The action populates the execution results with a JSON - object containing the updated alert data (including HTML-formatted summaries for - widgets) and provides a direct link to the Recorded Future portal for the specific - alert. + 5. **Result Generation**: Adds the alert details as a JSON result and provides + a link to the Recorded Future portal for further investigation. capabilities: can_create_case_comments: false can_create_insight: false @@ -1187,10 +1494,19 @@ Refresh Playbook Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds new entities discovered in the refreshed Recorded Future alert - data to the current Google SecOps case. + Adds new entities to the case based on the playbook alert details. + reasoning: >- + The action fetches data from the Recorded Future API (fetches_data=true). It + does not mutate external systems. It performs internal mutation by adding new + entities to the case using `siemplify.add_entity_to_case` (can_mutate_internal_data=true). + It does not update existing entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data but performs internal mutations (adding entities to + the case) that are not in the allowed list for enrichment actions (Add Case + Comments, Create Case Insights, Update Entity fields/attributes). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1206,57 +1522,84 @@ Refresh Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses parameters + to fetch data and then adds entities to the case. Search Hash Malware Intelligence: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches malware intelligence (sandbox reports) for a file hash, which + provides threat intelligence. This matches the 'Enrich IOC' category. It does + not perform any other actions like blocking, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Queries Recorded Future's Malware Intelligence to retrieve sandbox analysis reports - for SHA256 file hashes. This action allows security analysts to look up historical - detonation results from the Recorded Future Sandbox (Triage) without re-submitting - the file. It retrieves detailed technical data including risk scores, network - flows, and behavioral signatures. + ### General Description + This action queries the Recorded Future API to retrieve malware intelligence reports + for specific file hash entities. It allows users to search for sandbox reports + associated with a hash, optionally filtering by enterprise-specific submissions + and a defined date range. The action provides valuable context for threat hunting + and incident response by surfacing sandbox analysis results directly within the + case. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | My Enterprise | boolean | No | If set to `true`, the search is restricted to - samples submitted by your organization's enterprise account. Default is `false`. - | + | My Enterprise | boolean | No | Specify if the sample hash should be searched + in your enterprise submissions only. Defaults to false. | - | Start Date | string | No | The starting point for the search lookback. Supports - relative formats like `-30d` or specific dates like `2026-01-23`. Default is `-30d`. - | + | Start Date | string | No | Specify the starting date to lookback. Accept format + like 2026-01-23 or -1d. Defaults to -30d. | - | End Date | string | No | The ending point for the search lookback. Supports - relative formats or specific dates. If left empty, it defaults to the current - date. | + | End Date | string | No | Specify the ending date to lookback. Accept format + like 2026-01-23 or -1d. None means today. | ### Flow Description + 1. The action extracts configuration parameters (API URL, API Key, SSL verification) + and action parameters (My Enterprise, Start Date, End Date). - 1. **Initialization**: The action extracts the API configuration and user-provided - parameters (Enterprise scope and date range). + 2. It iterates through the target entities, filtering for those with the type + `FILEHASH` and an identifier length of 64 characters. - 2. **Entity Filtering**: It iterates through the target entities in the case, - specifically looking for `FILEHASH` entities that are 64 characters long (SHA256). + 3. For each valid hash, it calls the Recorded Future API to fetch sandbox reports. - 3. **External Query**: For each valid hash, it queries the Recorded Future Malware - Intelligence API using the specified date filters and enterprise scope. + 4. If reports are found, it generates a detailed HTML insight containing the sandbox + analysis, including scores, tags, file extensions, signatures, and network flows, + and attaches it to the case. - 4. **Data Processing**: If reports are found, the action parses the sandbox results, - including analysis scores, completion timestamps, network flows (destination IPs/ports), - and behavioral signatures (TTPs and descriptions). - - 5. **Internal Enrichment**: It generates a detailed HTML Case Insight for each - hash, providing a summary of the sandbox findings directly within the Google SecOps - interface. - - 6. **Output**: The raw report data is attached as a JSON result for use in downstream - playbook logic. + 5. The action adds the raw JSON results of the API call to the action output. capabilities: can_create_case_comments: false can_create_insight: true @@ -1267,10 +1610,18 @@ Search Hash Malware Intelligence: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates Case Insights in Google SecOps to display detailed malware - sandbox report summaries for the analyzed file hashes. + Creates case insights with the retrieved malware intelligence report. + reasoning: >- + The action fetches malware intelligence data from Recorded Future (fetches_data=true). + It does not mutate external systems. It creates case insights (can_create_insight=true), + which is an internal mutation allowed for enrichment actions. It does not update + entities or modify alerts. categories: enrichment: true + reasoning: >- + The action fetches data (malware reports) and creates insights. It does not + mutate external systems or perform forbidden internal mutations. It is an enrichment + action. entity_usage: entity_types: - FILEHASH @@ -1287,31 +1638,85 @@ Search Hash Malware Intelligence: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters for `FILEHASH` + entities with an identifier length of 64. Update Alert: - ai_description: "### General Description\nUpdates the details of an existing alert\ - \ within the Recorded Future platform. This action allows analysts to programmatically\ - \ manage the lifecycle of Recorded Future alerts by changing their status, assigning\ - \ them to specific users, or adding administrative notes.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Alert ID** | string | Yes | The unique identifier of the Recorded Future alert\ - \ to be updated. |\n| **Assign To** | string | No | The identifier of the user\ - \ to whom the alert should be assigned. Accepts ID, username, user hash, or email.\ - \ |\n| **Note** | string | No | A text comment or note to be appended to the alert.\ - \ |\n| **Status** | ddl | Yes | The new lifecycle status for the alert. Options\ - \ include: `New`, `Pending`, `Dismissed`, `Resolved`, and `Flag for Tuning`. |\n\ - \n### Additional Notes\nWhile the `Status` parameter is marked as mandatory in\ - \ the configuration, the action logic requires that at least one of the following\ - \ parameters\u2014`Status` (if not set to 'None'), `Assign To`, or `Note`\u2014\ - must be provided for the update to proceed. If all three are empty or 'None',\ - \ the action will fail with an error message.\n\n### Flow Description\n1. **Parameter\ - \ Extraction**: Retrieves the API configuration and the specific alert details\ - \ (ID, Status, Assignee, Note) from the action input.\n2. **Validation**: Checks\ - \ if at least one update field (Status, Assignee, or Note) contains a value to\ - \ ensure a valid update request is sent.\n3. **API Interaction**: Uses the `RecordedFutureManager`\ - \ to send a request to the Recorded Future API's alert update endpoint.\n4. **Result\ - \ Processing**: Captures the API response, adds the raw JSON result to the action\ - \ output, and provides a success message if the update was accepted by the external\ - \ system." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an alert in the external Recorded Future platform. It does + not update an alert within the SecOps platform, nor does it create or update + an ITSM ticket. Therefore, it does not match any of the predefined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Updates an alert in the Recorded Future platform. This action allows users to + modify the status, assignee, or add a note to an existing alert in Recorded Future. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert ID | string | Yes | Specify the ID of the alert that needs to be updated. + | + + | Assign To | string | No | Specify to whom to assign the alert. You can provide + id, username, user hash, or email. | + + | Note | string | No | Specify a note that should be updated on the alert. | + + | Status | ddl | Yes | Specify the new status for the alert (None, New, Pending, + Dismissed, Resolved, Flag for Tuning). | + + + ### Additional Notes + + At least one of the following parameters must be provided for the action to successfully + update the alert: Assign To, Note, or Status. + + + ### Flow Description + + 1. Extract the configuration parameters (API URL, API Key, SSL verification) and + action parameters (Alert ID, Assign To, Note, Status). + + 2. Validate that at least one of the update parameters (Assign To, Note, or Status) + is provided. + + 3. Initialize the `RecordedFutureManager` with the provided credentials. + + 4. Call the `update_alert` method on the manager to perform the update in the + Recorded Future platform. + + 5. Add the result JSON to the action output and complete the script. capabilities: can_create_case_comments: false can_create_insight: false @@ -1320,12 +1725,19 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignee, and notes of an alert directly within the Recorded - Future platform. + Updates the status, assignee, or note of an alert in the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action updates an alert in the external Recorded Future platform by sending + a request with the provided parameters (status, assignee, note). It does not + fetch data, update internal SecOps entities, or create insights/comments. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Recorded Future) and does + not retrieve data or perform any enrichment tasks. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1341,67 +1753,97 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SecOps platform. + It operates solely based on the provided action parameters. Update Playbook Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates a playbook alert in an external system (Recorded Future). + It does not match the 'Update Alert' category, which is strictly defined as + updating alerts within the SecOps platform. It does not match other categories + like 'Create Ticket' or 'Contain Host'. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Updates the details of a specific playbook alert in Recorded Future. This action - allows for modifying the alert's status, priority, assignee, and reopen strategy, - as well as adding log entries for auditing purposes. + ### General Description + Updates a specific Playbook Alert within the Recorded Future platform. This action + allows analysts to modify the status, priority, assignee, or add a log entry to + an existing playbook alert, facilitating automated alert management and synchronization + between Google SecOps and Recorded Future. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert + | Playbook Alert ID | string | Yes | The unique identifier of the playbook alert to be updated. | - | Playbook Alert Category | String | Yes | The category associated with the playbook - alert (e.g., domain_abuse, cyber_vulnerability). | + | Playbook Alert Category | string | Yes | The category of the playbook alert. + | - | Assign To | String | No | The user uhash of the person to whom the alert should - be assigned. | + | Assign To | string | No | The user uhash to assign the alert to. | - | Log Entry | String | No | A comment or note to be added to the alert's activity - log. | + | Log Entry | string | No | A comment or note to be added to the alert. | - | Status | DDL | No | The new status for the alert (New, In Progress, Dismissed, + | Status | ddl | No | The new status for the alert (e.g., New, In Progress, Dismissed, Resolved). | - | Priority | DDL | No | The new priority level for the alert (High, Moderate, + | Priority | ddl | No | The new priority for the alert (e.g., High, Moderate, Informational). | - | Reopen Strategy | DDL | No | The strategy for reopening the alert (Never, Significant - Updates). | + | Reopen Strategy | ddl | No | The strategy for reopening the alert (e.g., Never, + Significant Updates). | ### Additional Notes - At least one of the following parameters must be provided for the action to execute: - `Assign To`, `Log Entry`, `Status`, `Priority`, or `Reopen Strategy`. If none - are provided, the action will fail with an error message. + This action performs a direct update to the external Recorded Future system. It + does not modify any entities or alerts within the Google SecOps platform itself. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (URL, - Key, SSL verification) and the specific alert identifiers and update values from - the input parameters. - - 2. **Validation:** It verifies that at least one update field (Status, Priority, - Assignee, Log Entry, or Reopen Strategy) has been provided to ensure a mutation - is intended. + 1. **Initialization**: The action extracts configuration parameters (API URL, + API Key) and action parameters (Alert ID, Category, etc.). - 3. **Manager Initialization:** Initializes the Recorded Future Manager to facilitate - communication with the external API. + 2. **Validation**: It verifies that at least one update parameter (Assign To, + Log Entry, Status, Priority, or Reopen Strategy) is provided. - 4. **Alert Update:** The action first fetches the existing playbook alert to ensure - its existence and then submits a request to the Recorded Future API to apply the - specified changes. + 3. **Execution**: It initializes the `RecordedFutureManager` and calls the `update_playbook_alert` + method to send the update request to the Recorded Future API. - 5. **Result Processing:** The updated alert data is returned as a JSON object, - and a success message is logged in the action output. + 4. **Result**: The action adds the JSON result of the update operation to the + action results and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -1410,12 +1852,20 @@ Update Playbook Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, priority, assignee, log entry, or reopen strategy of a playbook - alert in the Recorded Future platform. - fetches_data: true + Updates the status, priority, assignee, or adds a log entry to a playbook alert + in Recorded Future. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs an API call to update an external resource (Playbook Alert + in Recorded Future). It does not fetch data, nor does it modify any internal + Google SecOps data, entities, or case comments. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates external data. It does not fetch + data for enrichment purposes, nor does it meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1431,3 +1881,6 @@ Update Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses a specific 'Playbook Alert + ID' provided as a parameter to identify the target alert in the external system. diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..0a1efa162 --- /dev/null +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,207 @@ +"Recorded Future - Classic Alerts Connector": + ai_description: >- + ### General Description + + This connector integrates with Recorded Future to fetch "Classic" security alerts + and ingest them into Google SecOps (SOAR) as cases. It enables automated monitoring + of threat intelligence alerts, supporting advanced filtering, deduplication (overflow), + and environment mapping to ensure relevant alerts are prioritized and actionable + within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API URL | String | Yes | API Root of the Recorded Future instance. | + + | API Key | Password | Yes | API Key from Recorded Future. | + + | Severity | String | Yes | Severity assigned to created alerts (Low, Medium, + High, Critical). | + + | DeviceProductField | String | Yes | Source field name for the Product Field. + | + + | EventClassId | String | Yes | Source field name for the Event Field. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the python process. + | + + | Fetch Max Hours Backwards | Integer | No | Amount of hours to fetch events from. + | + + | Alert Statuses | String | No | Comma-separated statuses (e.g., New, Pending). + | + + | Max Alerts To Fetch | Integer | No | Max alerts per iteration. | + + | Use whitelist as a blacklist | Boolean | No | If enabled, whitelist acts as + a denylist. | + + | Enable Overflow | Boolean | No | If enabled, uses Google 'overflow' to deduplicate + alerts. | + + | Extract all Entities | Boolean | No | If enabled, extracts all entities from + events. | + + | Verify SSL | Boolean | No | Verify SSL certificate. | + + | Environment Field Name | String | No | Field name where environment is stored. + | + + | Environment Regex Pattern | String | No | Regex to manipulate environment field. + | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + + ### Flow Description + + 1. Connects to the Recorded Future API using the provided credentials. + + 2. Reads previously processed alert IDs to ensure deduplication across iterations. + + 3. Queries Recorded Future for alerts based on the configured time range, status, + and severity. + + 4. Filters alerts based on the configured whitelist/blacklist (rule names). + + 5. Processes each alert: + * Maps the alert to the Google SecOps `AlertInfo` format. + * Applies environment mapping if configured. + * Checks for alert overflow (deduplication) if enabled. + 6. Ingests processed alerts into Google SecOps as cases. + + 7. Updates the state (timestamps and processed IDs) for subsequent runs. +"Recorded Future - Playbook Alerts Connector": + ai_description: >- + ### General Description + + The Recorded Future - Playbook Alerts Connector is designed to ingest security + alerts from the Recorded Future platform into Google SecOps. It enables automated + monitoring of various threat intelligence categories, such as domain abuse, cyber + vulnerabilities, and third-party risks, allowing security analysts to respond + to threats efficiently. The connector periodically polls the Recorded Future API, + filters alerts based on user-defined criteria, and creates cases within the SOAR + platform for further investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API URL | String | Yes | API Root of the Recorded Future instance. | + + | API Key | Password | Yes | API Key from Recorded Future. | + + | DeviceProductField | String | Yes | Source field name to retrieve the Product + Field name. | + + | EventClassId | String | Yes | Source field name to retrieve the Event Field + name. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the python process + running the script. | + + | Fetch Max Hours Backwards | Integer | No | Amount of hours from where to fetch + events. | + + | Playbook Alert Categories | String | No | Comma-separated list of alert categories + to fetch. | + + | Playbook Alert Statuses | String | No | Comma-separated list of alert statuses + to fetch. | + + | Playbook Alert Priorities | String | No | Comma-separated list of alert priorities + to fetch. | + + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + iteration. | + + | Severity | String | No | Override severity for created alerts (Low, Medium, + High, Critical). | + + | Enable Overflow | Boolean | No | If enabled, uses Google 'overflow' to deduplicate + similar alerts. | + + | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate for the + Recorded Future server. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | Proxy Server Address | String | No | Address of the proxy server. | + + | Proxy Username | String | No | Username for proxy authentication. | + + | Proxy Password | Password | No | Password for proxy authentication. | + + + ### Flow Description + + 1. The connector initializes and connects to the Recorded Future API using the + provided credentials. + + 2. It reads existing alert IDs from the system to ensure that only new alerts + are processed, preventing duplicates. + + 3. It queries the Recorded Future API for Playbook Alerts, applying filters for + categories, statuses, priorities, and the specified time range. + + 4. For each fetched alert, the connector checks for script timeouts and applies + deduplication logic if 'Enable Overflow' is enabled. + + 5. Valid alerts are mapped to the Google SecOps case format, including environment + mapping based on configured fields and regex patterns. + + 6. The processed alerts are ingested into the SOAR platform as new cases. + + 7. Finally, the connector saves the current timestamp and updated list of alert + IDs to ensure subsequent iterations continue from the correct point. +"Recorded Future - Playbook Alerts Tracking Connector": + ai_description: "### General Description\nThis connector integrates with Recorded\ + \ Future to track and ingest Playbook Alert updates into Google SecOps. It monitors\ + \ for specific changes in alerts\u2014such as status updates, priority increases,\ + \ new assessments, or added entities\u2014and automatically creates or updates\ + \ cases within the SOAR platform based on these events.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | API URL | String | Yes | API Root of the Recorded Future instance. |\n| API\ + \ Key | Password | Yes | API Key from Recorded Future. |\n| DeviceProductField\ + \ | String | Yes | Source field name for the Product Field name. |\n| EventClassId\ + \ | String | Yes | Source field name for the Event Field name. |\n| PythonProcessTimeout\ + \ | Integer | Yes | Timeout limit for the python process. |\n| Severity | String\ + \ | Yes | Severity assigned to created cases (Low, Medium, High, Critical). |\n\ + | Search Max Hours Backwards | Integer | No | Hours to look back for updates.\ + \ |\n| Playbook Alert Categories | String | No | Comma-separated categories to\ + \ fetch. |\n| Playbook Alert Statuses | String | No | Comma-separated statuses\ + \ to fetch. |\n| Playbook Alert Priorities | String | No | Comma-separated priorities\ + \ to fetch. |\n| Playbook Alert Reopened | Boolean | No | Create case if alert\ + \ is reopened. |\n| Priority Increased | Boolean | No | Create case if priority\ + \ increases. |\n| New Assessment Added | Boolean | No | Create case if new assessment\ + \ is added. |\n| Entity Added | Boolean | No | Create case if entities are added.\ + \ |\n| Max Alerts To Fetch | Integer | No | Max alerts per iteration. |\n| Enable\ + \ Overflow | Boolean | No | Use overflow to deduplicate alerts. |\n| Verify SSL\ + \ | Boolean | No | Verify SSL certificate. |\n| Environment Field Name | String\ + \ | No | Field name for environment. |\n| Environment Regex Pattern | String |\ + \ No | Regex for environment field. |\n| Proxy Server Address | String | No |\ + \ Proxy server address. |\n| Proxy Username | String | No | Proxy username. |\n\ + | Proxy Password | Password | No | Proxy password. |\n\n### Flow Description\n\ + 1. Authenticate with the Recorded Future API using the provided credentials.\n\ + 2. Retrieve Playbook Alerts based on configured filters (categories, statuses,\ + \ priorities) and the specified time window.\n3. Analyze alert logs to detect\ + \ specific changes (reopened, priority increase, new assessment, entity added).\n\ + 4. Filter alerts based on the enabled change criteria.\n5. Map valid alerts to\ + \ SOAR cases, applying environment settings and deduplication if overflow is enabled.\n\ + 6. Ingest the resulting cases into Google SecOps." diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..8ef2618c9 --- /dev/null +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The integration 'recorded_future_intelligence' provides extensive threat intelligence + enrichment capabilities, including actions to enrich various IOC types (IP, Hash, + URL, CVE, Hostname) and retrieve malware intelligence. This directly aligns with + the Threat Intelligence category. Additionally, the integration includes multiple + connectors (Classic Alerts, Playbook Alerts, Playbook Alerts Tracking) that ingest + security alerts from Recorded Future into Google SecOps, which is a core function + of a SIEM integration. The integration does not provide EDR, Network Security, + Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration capabilities as defined in the provided criteria. + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml index 23c6c50f4..8fac09302 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml @@ -1,94 +1,115 @@ Advanced IOC Scan: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action initiates a threat hunt (scan) on the Rubrik Security Cloud platform. + It does not match any of the predefined categories, as it is a specialized security + operation for threat hunting rather than enrichment, containment, or ticket + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### Advanced IOC Scan - - - #### General Description + ### General Description - Initiates an advanced Indicator of Compromise (IOC) scan (Threat Hunt) on specified - Rubrik objects within the Rubrik Security Cloud. This action allows security teams - to search for specific file patterns, hashes, or YARA rules across snapshots of - protected systems, providing granular control over scan criteria such as file - size, date ranges, and path inclusions/exclusions. + This action initiates an advanced Indicator of Compromise (IOC) scan on specified + Rubrik objects within the Rubrik Security Cloud platform. It allows for highly + configurable threat hunting by supporting various IOC types, date ranges, file + size filters, and path inclusions/exclusions. The action triggers a bulk threat + hunt mutation and returns the results, which are then displayed in the SOAR interface + as a data table. - #### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object ID** | String | Yes | Comma-separated list of Rubrik object IDs (snappables) - to perform the scan on. | + | Object ID | string | Yes | Comma-separated list of object IDs to scan. | - | **IOC Type** | DDL | No | The type of indicator to scan for. Options include: - `INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME`, `INDICATOR_OF_COMPROMISE_TYPE_HASH`, - or `INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE`. | + | IOC Type | ddl | No | Type of IOC to search for (e.g., PATH_OR_FILENAME, HASH, + YARA_RULE). | - | **IOC Value** | String | No | The specific value of the indicator to search - for (e.g., a file hash or path pattern). | + | IOC Value | string | No | Specific IOC value to search for. | - | **Scan Name** | String | No | Custom name for the threat hunt. If not provided, - a name is auto-generated using the format `Google-SecOps-YYYY-MM-DD-HH:MM:SS`. + | Scan Name | string | No | Custom name for the scan (auto-generated if not provided). | - | **Advanced IOC** | String | No | A JSON-encoded object where keys represent - IOC types and values are lists of indicators. | + | Advanced IOC | string | No | JSON encoded Indicators Of Compromise to scan. + | - | **Start Date** | String | No | Filter snapshots from this date. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | Start Date | string | No | Start date for snapshot range (ISO format). | - | **End Date** | String | No | Filter snapshots until this date. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | End Date | string | No | End date for snapshot range (ISO format). | - | **Max Snapshots Per Object** | String | No | The maximum number of snapshots - to scan for each specified object. | + | Max Snapshots Per Object | string | No | Maximum snapshots to scan per object. + | - | **Max Matches Per Snapshot** | String | No | The scan for a snapshot terminates - once this number of matches is detected. | + | Max Matches Per Snapshot | string | No | Maximum matches to return per snapshot. + | - | **Min File Size** | String | No | Minimum file size in bytes to include in the - scan. | + | Min File Size | string | No | Minimum file size in bytes to scan. | - | **Max File Size** | String | No | Maximum file size in bytes to include in the - scan. | + | Max File Size | string | No | Maximum file size in bytes to scan. | - | **Paths To Include** | String | No | Comma-separated list of file paths to explicitly - include in the scan. | + | Paths To Include | string | No | Comma-separated paths to include in scan. | - | **Paths To Exclude** | String | No | Comma-separated list of file paths to exclude - from the scan. | + | Paths To Exclude | string | No | Comma-separated paths to exclude from scan. + | - | **Paths To Exempt** | String | No | Comma-separated list of paths to exempt - from the exclusion list. | + | Paths To Exempt | string | No | Comma-separated paths to exempt from exclusion. + | - #### Additional Notes + ### Additional Notes - - **Requirement Logic:** Either the `Advanced IOC` parameter must be configured, - OR both `IOC Type` and `IOC Value` must be provided for the action to run. If - neither set is provided, the action will fail. + Either the 'Advanced IOC' parameter must be configured, or the combination of + 'IOC Type' and 'IOC Value' must be provided for the action to run. If neither + is provided, the action will fail. - - The action returns a data table named "Advanced IOC Scan Results" containing - the Hunt IDs and their initial statuses. + ### Flow Description - #### Flow Description + 1. **Configuration Initialization**: Retrieves integration parameters (Service + Account JSON, SSL verification) from the SOAR configuration. - 1. **Initialization:** Extracts configuration parameters and action inputs. + 2. **Parameter Extraction**: Extracts all action parameters from the user input. - 2. **Validation:** Validates date formats, ensures integer parameters (like file - sizes and snapshot limits) are non-negative, and parses the `Advanced IOC` JSON - if provided. + 3. **Validation**: Validates parameters, including object IDs, integers, JSON + structures, and date formats. - 3. **Authentication:** Establishes a session with Rubrik Security Cloud using - OAuth credentials. + 4. **Client Initialization**: Initializes the Rubrik Security Cloud client using + the provided credentials. - 4. **Scan Initiation:** Executes a GraphQL mutation (`startBulkThreatHunt`) to - trigger the scan on the Rubrik platform with the defined IOCs and filters. + 5. **Execution**: Executes the `start_advance_ioc_scan` mutation to trigger the + threat hunt on the Rubrik platform. - 5. **Output:** Captures the resulting Hunt IDs and populates a data table and - the raw JSON result in Google SecOps. + 6. **Result Processing**: Processes the response, generates a data table with + the hunt details, and adds it to the SOAR action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -97,13 +118,19 @@ Advanced IOC Scan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Threat Hunt (IOC scan) on the Rubrik Security Cloud platform, - which creates new hunt records and starts background scanning processes on the - target objects. - fetches_data: true + Initiates a threat hunt (scan) on the Rubrik Security Cloud platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action triggers a threat hunt (mutation) on the Rubrik platform. It does + not fetch contextual data about entities, nor does it modify internal SOAR case + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action performs a mutation (starts a scan) on an external system. It does + not fetch data for enrichment purposes, nor does it modify internal SOAR data. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -119,28 +146,75 @@ Advanced IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It takes `Object + ID` as a parameter to identify the target system for the scan. Get CDM Cluster Connection State: - ai_description: "### General Description\nRetrieves the connection state of a specific\ - \ Rubrik CDM (Cloud Data Management) cluster from Rubrik Security Cloud (RSC).\ - \ This action provides visibility into the operational status of a cluster and\ - \ its individual nodes, helping administrators verify connectivity and health.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Cluster ID | String | Yes | The unique identifier\ - \ of the CDM cluster to check. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ The action retrieves the mandatory `Cluster ID` from the input parameters.\n\ - 2. **Authentication**: Initializes the Rubrik API manager using the provided service\ - \ account credentials and establishes a secure session.\n3. **Data Retrieval**:\ - \ Executes a GraphQL query (`CDM_CLUSTER_CONNECTION_STATE_QUERY`) against the\ - \ Rubrik Security Cloud API to fetch the connection status for the specified cluster.\n\ - 4. **Data Processing**: Parses the API response to extract node-specific connection\ - \ states (e.g., `connectedState`) using the `CDMClusterConnectionStateDatamodel`.\n\ - 5. **Output Generation**: \n * Adds the raw JSON response to the action's result\ - \ JSON.\n * Creates a data table named 'CDM Cluster Connection State' containing\ - \ the connection status of the cluster nodes for display in the SOAR interface.\n\ - \ * Returns a success message and sets the result value to `true` if data is\ - \ retrieved successfully.\n\n### Additional Notes\nThis action does not automatically\ - \ iterate over entities in the case. It is a standalone utility that requires\ - \ a manually provided `Cluster ID` to function." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (connection state) for a resource (CDM + cluster). This matches the 'Enrich Asset' category. It does not fetch alert + information, so 'Get Alert Information' is false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Retrieves the connection state of a specific CDM (Cloud Data Management) cluster + from Rubrik Security Cloud. This action provides visibility into the connectivity + status of nodes within the cluster. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Cluster ID | string | Yes | The unique identifier of the CDM cluster. | + + + ### Additional Notes + + There are no additional notes for this action. + + + ### Flow Description + + 1. Extracts the `Cluster ID` parameter. + + 2. Initializes the Rubrik Security Cloud API client. + + 3. Queries the Rubrik API for the connection state of the specified cluster. + + 4. Parses the response to extract node connection details. + + 5. Adds the retrieved data to the action results as a table and JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -151,8 +225,16 @@ Get CDM Cluster Connection State: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Rubrik API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It does not modify + internal SOAR case data (can_mutate_internal_data=false). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Rubrik Security Cloud) and + does not mutate any external or internal data. It is a read-only enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -168,53 +250,74 @@ Get CDM Cluster Connection State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a provided + `Cluster ID` parameter. Get CDM Cluster Location: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (geographical location) for a specific + resource (CDM Cluster). This aligns with the 'Enrich Asset' category, which + covers returning contextual metadata for a user or resource. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Retrieves the geographical location information for a specific Rubrik CDM (Cloud + Data Management) cluster. This action interacts with the Rubrik Security Cloud + API to fetch location details for all nodes within the specified cluster and presents + the data in a structured table format. - The **Get CDM Cluster Location** action retrieves the geographical location information - for a specific Rubrik Cloud Data Management (CDM) cluster. It identifies the physical - address associated with the nodes within the cluster by querying the Rubrik Security - Cloud API. This action is useful for asset management and identifying the physical - residency of data stored in specific clusters. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Cluster ID** | String | Yes | The unique identifier of the CDM cluster for - which the location is being requested. | + | Cluster ID | string | Yes | The unique identifier of the CDM cluster to retrieve + location information for. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `Cluster ID` from - the input parameters. - - 2. **API Initialization**: It initializes the Rubrik Security Cloud API manager - using the provided service account credentials and validates the connection. + 1. The action extracts the `Cluster ID` from the provided parameters. - 3. **Data Retrieval**: A GraphQL query is executed to fetch the `geoLocation` - (specifically the `address` field) for the specified cluster ID. + 2. It initializes the `APIManager` to establish a connection with the Rubrik Security + Cloud API. - 4. **Data Processing**: The response is parsed, and the location details for the - cluster nodes are extracted and structured using the `CDMClusterLocationDatamodel`. + 3. It calls the API to retrieve the CDM cluster location data using the provided + `Cluster ID`. - 5. **Result Output**: The action adds the raw JSON response to the execution results - and constructs a data table named "CDM Cluster Location" containing the Cluster - ID and its physical location for display in the SOAR interface. + 4. The retrieved data is added to the action results as a JSON object. - - ### Additional Notes - - - This action does not operate on entities; it requires a specific Cluster ID - as input. - - - The results are displayed in a data table for easy viewing within the SOAR interface, - limited to a maximum number of records defined by the integration's constants. + 5. The action parses the node location data and generates a data table titled + "CDM Cluster Location" containing the Cluster ID and its location, which is then + added to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -225,8 +328,18 @@ Get CDM Cluster Location: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation to retrieve geographical location data + from the Rubrik Security Cloud API. It does not modify any external system state, + nor does it modify internal Google SecOps data (such as entities, alerts, or + insights). It only outputs the retrieved information to the action results. categories: enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not operate on + Google SecOps entities (it uses a parameter-based ID). Therefore, it does not + meet the criteria for an Enrichment Action, which must be designed to gather + context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -242,16 +355,49 @@ Get CDM Cluster Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies solely on the `Cluster ID` provided as an action parameter. Get Sonar Sensitive Hits: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves sensitive data hits for a resource (Rubrik object), which + provides contextual metadata about the object's security posture. This matches + the 'Enrich Asset' category. It does not perform any other actions like ticket + creation, alert updates, or IOC management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Sonar Sensitive Hits** action retrieves data classification and sensitive - discovery results for a specific object within Rubrik Security Cloud (RSC). It - identifies violations and hits detected by Rubrik Sonar (the sensitive data discovery - engine) based on a configurable lookback period. This action is primarily used - to identify if sensitive data (such as PII, PHI, or financial information) exists - on a specific workload, backup, or file share object. + Retrieves sensitive data hits detected by Rubrik Sonar for a specific object within + a configurable lookback period. Sonar is Rubrik's data classification and sensitive + data discovery engine. ### Parameters Description @@ -260,50 +406,30 @@ Get Sonar Sensitive Hits: | :--- | :--- | :--- | :--- | - | **Object Name** | String | Yes | The exact name of the Rubrik object (e.g., - a Virtual Machine, physical host, or database) to check for sensitive hits. | + | Object Name | string | Yes | The name of the Rubrik object to check for sensitive + hits. | - | **Lookback Days** | String | No | The number of days in the past to retrieve - scan results from. For example, a value of 7 will return results as of 7 days - ago. Defaults to 7 if not provided. | + | Lookback Days | string | No | Number of days in the past to retrieve scan results + from. Defaults to 7. | ### Flow Description - 1. **Input Validation**: The action validates that the `Object Name` is a non-empty - string and that `Lookback Days` is a valid non-negative integer. - - 2. **Date Calculation**: It calculates a target search date by subtracting the - lookback days from the current system time. + 1. Extracts the `Object Name` and `Lookback Days` parameters from the action configuration. - 3. **Object Discovery**: The action queries the Rubrik Security Cloud API to list - all policy objects that were scanned on the calculated target date. + 2. Calculates the search date by subtracting the `Lookback Days` from the current + date. - 4. **Object Matching**: It iterates through the list of policy objects to find - a match for the provided `Object Name`. If no match is found, or if the object - has no snapshots for that date, the action fails. + 3. Initializes the Rubrik Security Cloud client using the provided service account + credentials. - 5. **Detail Retrieval**: Once the object is identified, it performs a secondary - GraphQL query to fetch detailed sensitive hit information, including analyzer - groups (e.g., 'US PII') and specific analyzer results (e.g., 'Social Security - Number'). - - 6. **Data Formatting**: The retrieved data is parsed into a structured format, - including hit counts and analyzer names. - - 7. **Output Generation**: The action returns the raw JSON response and creates - a data table named "Sonar Sensitive Hits" in the Google SecOps UI for analyst - review. - - - ### Additional Notes + 4. Queries the Rubrik API to find the object and retrieve its sensitive data hits + for the calculated date. - - This action does not operate on Google SecOps entities (like IP addresses or - Hostnames); it relies entirely on the `Object Name` parameter provided by the - user. + 5. Parses the response and formats the sensitive hits data using the `SonarSensitiveHitsDatamodel`. - - The action is read-only and does not modify any data within Rubrik Security - Cloud. + 6. Adds the raw JSON result and a formatted data table containing the sensitive + hits to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -314,8 +440,16 @@ Get Sonar Sensitive Hits: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Rubrik Security Cloud API to retrieve sensitive + data hits for a specified object. It does not mutate any external systems or + internal SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (sensitive data hits) about + a resource. It does not mutate external or internal state, making it a valid + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -331,71 +465,100 @@ Get Sonar Sensitive Hits: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses an action parameter 'Object + Name' to identify the target resource, rather than iterating over `siemplify.target_entities`. IOC Scan Results: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action retrieves detailed information about a threat hunt scan, which aligns + with 'Get Alert Information' (fetching details of a specific hunt) and 'Search + Events' (returning historical scan telemetry). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **IOC Scan Results** action retrieves comprehensive details and metrics for - a specific threat hunt (either Turbo or Advanced) from Rubrik Security Cloud. - It is designed to provide visibility into the progress and findings of an Indicator - of Compromise (IOC) scan, including object metrics and scan status. - - - ### Parameters Description + Retrieves detailed results of a threat hunt (IOC scan) from Rubrik Security Cloud + using a specific Hunt ID. This action fetches scan status, object metrics, and + scan metrics to provide visibility into the threat hunt's progress and findings. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Hunt ID** | String | Yes | The unique identifier of the threat hunt/IOC scan - to retrieve results for. | + 1. The action extracts the mandatory `Hunt ID` parameter. + 2. It initializes the Rubrik Security Cloud client using the configured service + account credentials. - ### Additional Notes + 3. It executes an API call to retrieve the threat hunt details and metrics associated + with the provided `Hunt ID`. - - This action is **asynchronous**. If the threat hunt is still in a `PENDING` - or `IN_PROGRESS` state in Rubrik, the action will return an 'In Progress' status - to Google SecOps, allowing for subsequent polling. + 4. The retrieved data is parsed and formatted into a data table for display in + the SOAR interface. - - The action outputs both the raw JSON response and a formatted data table named - 'IOC Scan Results'. + 5. The action returns the execution status and the formatted results. - ### Flow Description + ### Parameters - 1. **Parameter Extraction**: The action extracts the mandatory `Hunt ID` from - the input parameters. + | Parameter | Type | Mandatory | Description | - 2. **API Initialization**: It initializes the Rubrik Security Cloud API manager - using the provided service account credentials and handles OAuth token management. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: It executes a GraphQL query to fetch the scan's status, - object metrics (scanned, affected, unaffected, and unscannable objects), and scan - metrics (matched snapshots, unique file matches). + | Hunt ID | string | Yes | The unique identifier of the threat hunt or IOC scan + to retrieve. | - 4. **Data Processing**: The raw response is attached to the action results as - JSON. - 5. **Internal Mutation**: A formatted data table is created containing key metrics - such as Hunt Name, Hunt Type, Status, IOC Details, Object Metrics, and Scan Metrics. + ### Additional Notes - 6. **Status Handling**: If the hunt is still running (status is `PENDING` or `IN_PROGRESS`), - the action sets its state to `IN_PROGRESS`. Otherwise, it marks the execution - as `COMPLETED`. + This action is designed to be used for monitoring the status and results of previously + initiated threat hunts. It does not perform any modifications to the Rubrik Security + Cloud environment or internal SOAR entities. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action creates a data table named 'IOC Scan Results' within the Google SecOps - case to display hunt metrics and status. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via GraphQL POST) to retrieve threat + hunt scan results from Rubrik Security Cloud. It does not modify any external + systems or internal SOAR data (entities, insights, etc.). It simply formats + and returns the retrieved data as a result table. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches supplemental context (threat hunt results) from an external + source without modifying any external or internal state. It meets the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -411,15 +574,50 @@ IOC Scan Results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it uses a specific 'Hunt ID' parameter + to fetch data. List Events: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of events from the Rubrik Security Cloud API based + on user-defined filters. This matches the 'Search Events' category, which is + defined as returning a collection of historical logs or telemetry data matching + specific search parameters. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves a list of events and activities from Rubrik Security Cloud (RSC). This - action allows security analysts to search through system activities, backup events, - and security anomalies by applying various filters such as status, severity, object - types, and date ranges. It is primarily used for auditing, monitoring task progress, - and investigating historical activities within the Rubrik environment. + This action retrieves a list of events and activities from the Rubrik Security + Cloud. It allows users to filter events based on various criteria such as activity + status, type, severity, object details, cluster IDs, and date ranges. The action + supports sorting and pagination to manage the volume of returned data. ### Parameters Description @@ -428,75 +626,55 @@ List Events: | :--- | :--- | :--- | :--- | - | Sort By | DDL | No | Specifies the field to use for sorting the response (e.g., - Last Updated, Severity, Cluster Name). | + | Activity Status | string | No | Comma-separated list of activity statuses to + filter (e.g., "Failure", "Success"). | - | Sort Order | DDL | No | Specifies the order to sort the data (Asc or Desc). - | + | Activity Type | string | No | Comma-separated list of activity types to filter + (e.g., "Sync", "Anomaly"). | - | Limit | String | No | The number of results to retrieve (1 to 1000). Defaults - to 50. | + | Severity | string | No | Comma-separated list of severity levels to filter (e.g., + "Critical", "Warning"). | - | Next Page Token | String | No | The cursor token used to retrieve the next set - of results for paginated requests. | + | Object Name | string | No | Name of the object to filter events for. | - | Activity Status | String | No | Comma-separated list of statuses to filter by - (e.g., "Failure", "Success", "Running"). | + | Object Type | string | No | Comma-separated list of object types to filter (e.g., + "ShareFileset", "VmwareVm"). | - | Activity Type | String | No | Comma-separated list of activity types to filter - by (e.g., "Backup", "Anomaly", "Recovery"). | + | Cluster ID | string | No | Comma-separated list of cluster IDs to filter. | - | Severity | String | No | Comma-separated list of severity levels to filter by - (e.g., "Critical", "Warning", "Info"). | + | Start Date | string | No | Start date for event range (ISO format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | - | Object Name | String | No | Filters events based on a specific object name. + | End Date | string | No | End date for event range (ISO format: yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ). | - | Object Type | String | No | Comma-separated list of object types to filter by - (e.g., "VmwareVm", "WindowsFileset"). | - - | Cluster ID | String | No | Comma-separated list of Rubrik cluster IDs to filter - events. | - - | Start Date | String | No | The start date for the event search range. Supports - YYYY-MM-DD or ISO 8601 formats. | + | Sort By | ddl | No | Field to sort results by. | - | End Date | String | No | The end date for the event search range. Supports YYYY-MM-DD - or ISO 8601 formats. | + | Sort Order | ddl | No | Sort order (Asc/Desc). | + | Limit | string | No | Maximum number of events to retrieve (default: 50, max: + 1000). | - ### Additional Notes - - - **Date Formats**: Supported formats include `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, - and `yyyy-mm-ddTHH:MM:SS.fffZ`. - - - **Pagination**: If more results are available than the specified limit, the - action provides a 'Next Page Token' in the output message which can be used in - subsequent runs. - - - **Table Limits**: While the action can fetch up to 1000 records, the UI data - table is limited to displaying the first 20 records for performance. + | Next Page Token | string | No | Token for pagination to retrieve the next set + of results. | ### Flow Description - 1. **Parameter Initialization**: The action extracts all user-provided filters, - sorting preferences, and pagination tokens. - - 2. **Validation**: It validates that the 'Limit' is a valid positive integer and - ensures that the 'Start Date' occurs before the 'End Date'. + 1. **Initialization**: The action initializes the Rubrik Security Cloud client + using the provided service account credentials. - 3. **Authentication**: Connects to Rubrik Security Cloud using the provided Service - Account JSON and manages OAuth token lifecycle. + 2. **Validation**: It validates all input parameters, including date formats and + integer constraints. - 4. **API Request**: Executes a GraphQL query (`activitySeriesConnection`) against - the Rubrik API with the specified filters. + 3. **Data Retrieval**: It executes a GraphQL query to fetch events from Rubrik + Security Cloud, applying the specified filters, sorting, and pagination. - 5. **Data Processing**: Parses the GraphQL response into a structured data model, - extracting event IDs, object details, and status information. + 4. **Result Processing**: The action parses the API response, extracts event details, + and formats the data. - 6. **Output**: Generates a JSON result containing the full response and populates - a data table named "Events" in the Google SecOps interface. + 5. **Output**: It adds the raw JSON response to the action results and constructs + a CSV table of the retrieved events for display in the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -507,8 +685,17 @@ List Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only GraphQL query to fetch event data from Rubrik + Security Cloud. It does not modify external systems or internal SecOps data. + It adds results to the action output (JSON and table), which is standard for + reporting and does not constitute internal data mutation. categories: enrichment: false + reasoning: >- + The action fetches data (events) but does not meet the criteria for an Enrichment + action because it does not enrich entities or alerts, nor does it create insights + or comments. It is a data retrieval/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -524,42 +711,104 @@ List Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity. List Object Snapshots: - ai_description: "### General Description\nThe **List Object Snapshots** action retrieves\ - \ metadata for snapshots associated with a specific object ID from Rubrik Security\ - \ Cloud (RSC). This action is designed to provide visibility into the backup history\ - \ of a specific workload, allowing analysts to identify available recovery points\ - \ or audit snapshot frequency.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Object ID**\ - \ | String | Yes | The unique identifier of the Rubrik object (e.g., a VM, database,\ - \ or file share) for which snapshots are being retrieved. |\n| **Limit** | String\ - \ | No | The maximum number of snapshot records to return in the response. Default\ - \ is 50; the maximum allowed is 1000. |\n| **Next Page Token** | String | No |\ - \ A cursor used for pagination to retrieve the next set of results if the total\ - \ number of snapshots exceeds the limit. |\n| **Sort Order** | DDL | No | Specifies\ - \ the chronological order of the results. Options are **Asc** (Ascending) or **Desc**\ - \ (Descending). Default is Asc. |\n| **Start Date** | String | No | Filters snapshots\ - \ to include only those created on or after this date. Supports `yyyy-mm-dd` or\ - \ `yyyy-mm-ddTHH:MM:SSZ` formats. |\n| **End Date** | String | No | Filters snapshots\ - \ to include only those created on or before this date. Supports `yyyy-mm-dd`\ - \ or `yyyy-mm-ddTHH:MM:SSZ` formats. |\n| **Snapshot Type** | String | No | A\ - \ comma-separated list of snapshot types to filter the results (e.g., `OnDemand`,\ - \ `Scheduled`). |\n\n### Flow Description\n1. **Input Validation**: The action\ - \ validates the mandatory `Object ID`. It also checks that `Start Date` and `End\ - \ Date` follow supported ISO formats and that the start date does not occur after\ - \ the end date.\n2. **Authentication**: It initializes the Rubrik API manager\ - \ using the provided Service Account JSON, handling OAuth token lifecycle management.\n\ - 3. **Data Retrieval**: The action executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`)\ - \ against Rubrik Security Cloud, applying the provided filters for time range,\ - \ snapshot types, and pagination.\n4. **Result Processing**: \n * The raw\ - \ API response is attached to the action results as a JSON object.\n * A\ - \ data table named \"Object Snapshots\" is generated, displaying key attributes:\ - \ Snapshot ID, Creation Date, Cluster Name, and SLA Domain Name.\n5. **Completion**:\ - \ The action returns a success message indicating the number of snapshots found.\ - \ If more results are available, it provides the `Next Page Token` in the output\ - \ message.\n\n### Additional Notes\n* This action does not automatically iterate\ - \ over Google SecOps entities; it requires a manual or mapped input for the **Object\ - \ ID** parameter." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of snapshots for a specific object. It does not + match any of the defined categories such as IOC enrichment, asset enrichment, + ticket management, or containment actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves a list of snapshots for a specific object from Rubrik Security Cloud. + This action allows users to query backup snapshots based on an object ID, with + options to filter by date range, snapshot type, and sort order. The results are + returned as a JSON object and a formatted CSV table. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the required `Object ID` and + optional parameters (`Start Date`, `End Date`, `Snapshot Type`, `Limit`, `Next + Page Token`, `Sort Order`) from the action configuration. + + 2. **Validation**: It validates the provided parameters, ensuring the `Object + ID` is present, dates are in the correct format, and the `Limit` is a valid integer. + + 3. **API Initialization**: The action initializes the Rubrik API client using + the provided service account credentials. + + 4. **Data Retrieval**: It executes a GraphQL query to fetch the snapshots from + Rubrik Security Cloud based on the provided filters. + + 5. **Result Processing**: The action processes the API response, extracts snapshot + details, and handles pagination information. + + 6. **Output Generation**: It adds the raw JSON response to the action results + and generates a CSV table containing snapshot details (Snapshot ID, Creation Date, + Cluster Name, SLA Domain Name) for the analyst to review. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Object ID | String | Yes | The unique identifier of the object to list snapshots + for. | + + | Start Date | String | No | The start date to get snapshots from (Format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | + + | End Date | String | No | The end date to get snapshots until (Format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | + + | Snapshot Type | String | No | Comma-separated list of snapshot types to filter. + | + + | Limit | String | No | Number of results to retrieve (Default: 50, Max: 1000). + | + + | Next Page Token | String | No | The next page cursor to retrieve the next set + of results. | + + | Sort Order | String | No | Specify the order to sort the data in (Asc/Desc). + | + + + ### Additional Notes + + - The action does not modify any data; it is a read-only operation for retrieving + backup information. capabilities: can_create_case_comments: false can_create_insight: false @@ -570,8 +819,16 @@ List Object Snapshots: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only GraphQL query to the Rubrik API to retrieve + snapshot information. It does not modify external systems, nor does it update + internal SOAR entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action retrieves data (snapshots) from an external system but does not meet + the criteria for an Enrichment Action as it does not enrich entities or alerts + within the SOAR platform. It is a data retrieval/listing action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -587,95 +844,126 @@ List Object Snapshots: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts an + `Object ID` as a direct input parameter, meaning it does not operate on SOAR + entities. List Sonar File Contexts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (file contexts, sensitive data findings) + for a resource (the object/snapshot), which aligns with the 'Enrich Asset' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves the Sonar file contexts for a specific object snapshot from Rubrik Security - Cloud (RSC). This action allows security analysts to identify files, folders, - or file shares that contain sensitive data findings detected by Rubrik Sonar. - It provides detailed information such as file names, sizes, total sensitive hits, - daily hit changes, and access/modification times. The action supports extensive - filtering by file name, path, and user ID, as well as pagination and sorting. + Retrieves file contexts and sensitive data findings from Rubrik Sonar for a specific + object snapshot. This action allows analysts to investigate file-level details, + including sensitive hits and access patterns, by querying the Rubrik Security + Cloud API. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts required parameters (Object ID, + Snapshot ID) and optional filters (File Name, File Path, User ID, etc.) from the + action configuration. - | **Object ID** | string | Yes | The unique identifier of the Rubrik object (Snappable - ID) to query. | + 2. **API Initialization**: Initializes the Rubrik Security Cloud client using + the provided service account credentials. - | **Snapshot ID** | string | Yes | The unique identifier of the specific snapshot - for the object. | + 3. **Data Retrieval**: Executes a GraphQL query to fetch file context data from + Rubrik Sonar based on the provided filters and pagination settings. - | **File Name** | string | No | Filter results to include only files with a specific - name. | + 4. **Result Processing**: Parses the API response, formats the data into a table, + and adds the raw JSON response to the action results. - | **File Path** | string | No | Filter results by a specific standard file path. - | + 5. **Output**: Returns a status message and displays the retrieved file context + data in the SOAR interface. - | **User ID** | string | No | Filter results by a specific user ID associated - with the file context. | - | **Include Whitelisted Results** | ddl | No | Boolean (True/False) indicating - whether to include results that have been whitelisted in Rubrik. | + ### Parameters Description - | **Limit** | string | No | The maximum number of file contexts to retrieve in - a single request (default is 50). | + | Parameter | Type | Mandatory | Description | - | **Next Page Token** | string | No | The cursor token used to retrieve the next - set of paginated results. | + | :--- | :--- | :--- | :--- | - | **Sort By** | ddl | No | The field used to sort the results (e.g., HITS, NAME, - LAST_MODIFIED). | + | Object ID | string | Yes | The unique identifier of the object or Snappable + ID. | - | **Sort Order** | ddl | No | The order of sorting, either 'Asc' (Ascending) or - 'Desc' (Descending). | + | Snapshot ID | string | Yes | The Snapshot ID of the object. | + | File Name | string | No | Specify the name of the file, folder, or file share + object to filter by. | - ### Additional Notes + | File Path | string | No | Specify the standard file path to filter with. | - - This action does not run on entities; it requires specific IDs provided as parameters. + | User ID | string | No | Specify the user ID to filter with. | - - The results are displayed in a data table named 'Sonar File Contexts' and also - provided as a raw JSON result. + | Include Whitelisted Results | ddl | No | Boolean to include whitelisted results + (True/False). | + | Limit | string | No | Number of results to retrieve (default: 50). | - ### Flow Description + | Next Page Token | string | No | The next page cursor to retrieve the next set + of results. | - 1. **Parameter Validation**: The action validates that the mandatory 'Object ID' - and 'Snapshot ID' are provided and that the 'Limit' is a valid integer. + | Sort By | ddl | No | Field to use for sorting the response (e.g., HITS, NAME, + LAST_ACCESS_TIME). | - 2. **Authentication**: Initializes the Rubrik API Manager using the provided Service - Account JSON and authenticates with Rubrik Security Cloud. + | Sort Order | ddl | No | Order to sort the data (Asc/Desc, default: Desc). | - 3. **Data Retrieval**: Executes a GraphQL query (`SONAR_FILE_CONTEXTS_QUERY`) - against the Rubrik API to fetch file context data based on the provided IDs and - filters. - 4. **Data Processing**: Parses the GraphQL response into a structured data model, - extracting file metadata and sensitive hit counts. + ### Additional Notes - 5. **Output Generation**: Creates a data table 'Sonar File Contexts' containing - the processed file details and attaches the full raw JSON response to the action - results. + - Either Object ID or Snapshot ID must be provided as they are mandatory for the + API call to succeed. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table 'Sonar File Contexts' and a result JSON containing the file - context details to the Google SecOps action results. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from Rubrik Security Cloud via GraphQL. It does not + mutate external systems or internal SOAR data. It presents the retrieved data + in a table and JSON format, which is standard for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (file contexts) to provide context about an object/snapshot. + It does not mutate external systems or internal SOAR data. It qualifies as an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -691,47 +979,67 @@ List Sonar File Contexts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities`. It uses parameters provided + in the action configuration to identify the object and snapshot. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the defined + product categories such as Enrich IOC, Contain Host, or Create Ticket. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity and authentication - between the Google SecOps SOAR platform and the **Rubrik Security Cloud** instance. - It ensures that the provided Service Account credentials are valid and that the - network path to the Rubrik GraphQL API is open and functional. + This action tests the connectivity between the Google SecOps SOAR server and the + Rubrik Security Cloud instance. It verifies that the integration is correctly + configured and that the SOAR platform can successfully authenticate and communicate + with the Rubrik API. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | - - | N/A | This action does not require any input parameters. | N/A | N/A | N/A | - - - ### Additional Notes - - This action relies entirely on the global integration configuration (Service Account - JSON and Verify SSL) to establish a connection. It does not interact with specific - case entities. + There are no parameters for this action. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - the integration's global configuration parameters. + 1. Initialize the `SiemplifyAction` module. + + 2. Retrieve integration parameters (Service Account JSON, Verify SSL) from the + integration configuration. - 2. **API Manager Setup**: It instantiates the `APIManager`, which handles OAuth2 - token management, including retrieving tokens from encrypted storage or generating - new ones via the Rubrik OAuth adapter if the current token is expired or missing. + 3. Initialize the `APIManager` to handle authentication and API communication. - 3. **Connectivity Test**: It executes a lightweight GraphQL query (`deploymentVersion`) - against the Rubrik API to confirm reachability and authorization. + 4. Perform a connectivity test by sending a GraphQL query to the Rubrik API. - 4. **Result Reporting**: The action concludes by returning a boolean status (`connectivity_result`) - and a descriptive message indicating whether the connection was successful or - failed. + 5. Log the result and terminate the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -740,10 +1048,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GraphQL query to the Rubrik + Security Cloud API. It does not modify external or internal data, nor does it + update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the provided instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -759,72 +1075,59 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any entities; it performs a global connectivity + test. Turbo IOC Scan: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action initiates a threat hunt scan in Rubrik Security Cloud. This does + not align with any of the provided categories (e.g., Enrichment, Containment, + Ticket Management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action initiates a **Turbo IOC (Indicator of Compromise) Scan** within Rubrik - Security Cloud. Turbo scans are high-performance threat hunts optimized for speed, - allowing security teams to search for specific file hashes (MD5, SHA1, SHA256) - across multiple clusters and snapshots. The action returns a unique Hunt ID which - can be used to track the progress and results of the scan. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IOC** | String | Yes | A comma-separated list of indicator values (hashes) - to scan for. | - - | **Scan Name** | String | No | A custom name for the threat hunt. If not provided, - the system auto-generates a name using the format `Google-SecOps-YYYY-MM-DD-HH:MM:SS`. - | - - | **Cluster ID** | String | No | A comma-separated list of specific Rubrik cluster - IDs to target. If left empty, the scan will run across all available clusters. - | - - | **Start Time** | String | No | Filters the snapshots to be scanned starting - from this date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - - | **End Time** | String | No | Filters the snapshots to be scanned until this - date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - - | **Max Snapshots Per Object** | String | No | The maximum number of snapshots - to scan for each object (e.g., VM or File System). | - - - ### Additional Notes - - - The `Start Time` must be chronologically before the `End Time` if both are provided. - - - The action uses GraphQL mutations to interact with the Rubrik Security Cloud - API. - - - Results include a data table containing the generated `Turbo Threat Hunt ID`. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves and trims all input parameters, - including the mandatory IOC list. - - 2. **Validation:** It validates date formats for `Start Time` and `End Time`, - ensures `Max Snapshots Per Object` is a valid integer, and generates a default - scan name if none was provided. - - 3. **Authentication:** Initializes the Rubrik API Manager, which handles OAuth - token generation and encrypted storage. - - 4. **Scan Initiation:** Executes a GraphQL mutation (`startTurboThreatHunt`) to - the Rubrik Security Cloud endpoint with the specified IOCs and filters. - - 5. **Result Processing:** Captures the `huntId` from the API response, adds the - raw JSON response to the action results, and creates a data table for the SOAR - interface displaying the Hunt ID. + ### General Description This action initiates a Turbo IOC (Indicator of Compromise) + scan across Rubrik infrastructure. Turbo scans are optimized for speed and can + scan multiple IOCs across clusters with configurable time ranges and snapshot + limits. ### Parameters Description | Parameter | Type | Mandatory | Description + | | :--- | :--- | :--- | :--- | | IOC | string | Yes | Comma-separated list of + IOCs to scan for. | | Scan Name | string | No | Custom name for the scan (auto-generated + if not provided). | | Cluster ID | string | No | Comma-separated list of cluster + IDs to scan. | | Start Time | string | No | Start time for snapshot range (ISO + format). | | End Time | string | No | End time for snapshot range (ISO format). + | | Max Snapshots Per Object | string | No | Maximum number of snapshots to scan + per object. | ### Additional Notes There are no additional notes. ### Flow Description + 1. Extract the action parameters (IOC, Scan Name, Cluster ID, etc.). 2. Initialize + the Rubrik Security Cloud client using the provided service account credentials. + 3. Execute the start_turbo_ioc_scan mutation via the Rubrik GraphQL API. 4. Retrieve + the hunt_id from the response. 5. Add the raw JSON response and a data table containing + the hunt_id to the SOAR action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -833,12 +1136,18 @@ Turbo IOC Scan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Turbo Threat Hunt scan job in Rubrik Security Cloud, creating - a new resource/activity in the external system. + Initiates a Turbo IOC scan (threat hunt) in the Rubrik Security Cloud. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on the Rubrik Security Cloud platform by initiating + a threat hunt scan. It does not fetch contextual data about entities or alerts, + nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action initiates a scan (mutation) rather than retrieving data, so it is + not an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -854,3 +1163,6 @@ Turbo IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities and operates independently of any specific + entity. diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..77430f571 --- /dev/null +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Rubrik Security Cloud integration is designed to manage and secure data protection + environments, which are integral to cloud-native security architectures. The integration + provides actions to retrieve configuration states (CDM Cluster Connection State, + Location) and security findings (Sonar Sensitive Hits, File Contexts), which directly + aligns with the Cloud Security category's objective of returning resource configuration + states and findings. While the integration includes threat hunting capabilities + (IOC Scans), it does not provide reputation services for external indicators, + nor does it function as a general-purpose SIEM or IT asset inventory system. Therefore, + it is classified under Cloud Security. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml index 0cafc91e0..426d93554 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml @@ -1,59 +1,82 @@ Add Feed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action creates a new feed in the Silent Push platform. This does not align + with any of the provided categories (Enrich IOC, Contain Host, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds a new feed to the Silent Push platform. This action allows users to programmatically - create and configure threat intelligence feeds by providing metadata such as name, - type, category, and vendor. It is typically used for administrative organization - or for setting up containers for indicators within the Silent Push ecosystem. + This action adds a new feed to the Silent Push platform. It interacts with the + Silent Push API to create a feed based on the provided parameters, such as name, + type, category, vendor, description, and tags. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | string | Yes | The unique name for the new feed. | + | Name | string | Yes | Name of the feed. | - | Type | string | Yes | The classification or type of the feed. | + | Type | string | Yes | Feed Type. | - | Category | string | No | The category the feed belongs to. | + | Category | string | No | Feed Category. | - | Vendor | string | No | The vendor associated with the feed data. | + | Vendor | string | No | Vendor. | - | Feed Description | string | No | A description for the feed. Note: The metadata - suggests this field may be used for a screenshot URL. | + | Feed Description | string | No | URL for the screenshot. | - | Tags | string | No | A comma-separated list of tags to be attached to the feed - for organization. | + | Tags | string | No | Tags that should be attached with the feed. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the Silent Push server URL - and API key from the integration's global configuration. + This action does not perform any operations on entities. It is a configuration/management + action that interacts with the Silent Push API. - 2. **Parameter Retrieval:** It extracts the feed details (Name, Type, Category, - Vendor, Description, and Tags) from the action's input parameters. - 3. **API Interaction:** The action uses the `SilentPushManager` to send a POST - request to the `/api/v1/feeds/` endpoint on the Silent Push server with the provided - metadata. + ### Flow Description - 4. **Tag Processing:** If tags are provided, they are split into a list before - being sent in the API payload. + 1. Extract the integration configuration (Server URL, API Key). - 5. **Execution Finalization:** The action evaluates the API response. If the feed - is successfully created, it returns a success message; otherwise, it logs an error - and terminates with a failure status. + 2. Extract the action parameters (Name, Type, Category, Vendor, Feed Description, + Tags). + 3. Initialize the `SilentPushManager` with the extracted configuration. - ### Additional Notes + 4. Call the `add_feed` method, which sends a POST request to the Silent Push API + to create the new feed. - - This action does not utilize or depend on entities within the Google SecOps - case scope, although it may log entity identifiers if they are present in the - context. + 5. Handle the API response, log the outcome, and end the action with the appropriate + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,12 +85,17 @@ Add Feed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new feed resource on the Silent Push platform via a POST request to - the feeds API endpoint. + Creates a new feed in the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to create a new feed. + It does not fetch data or modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action creates external data (a feed) rather than retrieving data, so it + cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -83,54 +111,72 @@ Add Feed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print them, but does + not use them to perform the action. Therefore, no entities are used. Add Feed Tags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates tags on a feed in the Silent Push platform. This does not + align with any of the provided categories (Enrich IOC, Update Alert, Create + Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Feed Tags** action allows users to append specific tags to an existing - feed within the Silent Push platform. This is primarily used for organizing and - categorizing threat intelligence feeds based on custom metadata or operational - requirements. + Adds tags to a specific feed in the Silent Push platform. This action takes a + Feed UUID and a comma-separated list of tags as input, and performs a POST request + to the Silent Push API to update the tags associated with the specified feed. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | **Feed UUID** | String | Yes | The unique identifier (UUID) of the feed in Silent - Push that you want to update. | - - | **Tags** | String | No | A comma-separated list of tags to be added to the specified - feed. | - - - ### Additional Notes - - - Although the YAML configuration lists the parameters as non-mandatory, the action - logic requires a valid `Feed UUID` to construct the API endpoint. + |---|---|---|---| - - The Python script attempts to extract an `ASN` parameter which is not present - in the YAML configuration; this parameter is currently only used in error logging. + | Feed UUID | string | No | The unique identifier of the feed to update. | - - The YAML description incorrectly mentions adding "indicators," whereas the action - specifically manages "tags." + | Tags | string | No | Comma-separated tags to be updated to the feed. | ### Flow Description - 1. **Initialization**: The action retrieves the Silent Push Server URL and API - Key from the integration configuration. + 1. Extract configuration parameters (Server URL, API Key). - 2. **Parameter Extraction**: It extracts the `Feed UUID` and the string of `Tags` - provided by the user. + 2. Extract action parameters (Feed UUID, Tags). - 3. **API Interaction**: The `SilentPushManager` formats the tags into a list and - performs a **POST** request to the `/api/v1/feeds/{feed_uuid}/tags/` endpoint. + 3. Initialize `SilentPushManager`. - 4. **Result Handling**: The action checks the API response. If successful, it - returns the result; otherwise, it logs an error and marks the action as failed. + 4. Call `add_feed_tags` with the provided UUID and tags. + + 5. Log the result and end the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -139,48 +185,19 @@ Add Feed Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds tags to a specific feed in the Silent Push platform via a POST request. + Updates the tags associated with a feed in the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to update tags for + a feed. It does not fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (POST request) that updates external data (feed + tags). It does not retrieve data for enrichment purposes. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -194,60 +211,85 @@ Add Feed Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use these entities to perform the API call or filter the action's + logic. Therefore, it does not run on entities. Add Indicators: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds indicators to a feed in the Silent Push platform. This does + not match any of the provided categories (e.g., blocklist, allowlist, ticket, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Add Indicators** action allows users to programmatically add a list of indicators - (such as domains or IP addresses) to a specific feed within the Silent Push platform. - This action is primarily used for updating threat intelligence feeds with new - indicators identified during an investigation. - - - ### Parameters + Adds indicators to a specified feed in the Silent Push platform. This action facilitates + the management of threat intelligence feeds by pushing new indicators to a target + feed. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Feed UUID | String | Yes | The unique identifier (UUID) of the target feed in - Silent Push where indicators will be added. | + 1. The action extracts the required configuration parameters (Silent Push Server + URL and API Key) and action parameters (Feed UUID, Indicators, and ASN) from the + integration settings. - | Indicators | String | Yes | A comma-separated list of indicators (e.g., 'example.com, - 1.2.3.4') to be added to the feed. | + 2. It initializes the `SilentPushManager` with the provided credentials. + 3. It calls the `add_indicators` method, which performs a POST request to the + Silent Push API to add the provided indicators to the specified feed. - ### Additional Notes + 4. The action logs the outcome of the API request and terminates with the appropriate + execution status. - - Although the configuration metadata marks parameters as not mandatory, the action - logic requires a valid `Feed UUID` to construct the API endpoint and `Indicators` - to provide data to the external system. - - The action code extracts an `ASN` parameter which is not defined in the provided - YAML configuration; this parameter appears to be used primarily for error reporting - in the current implementation. + ### Parameters Description - - The action iterates through all entities in the current scope and logs their - identifiers, but it does not perform any enrichment or modifications on the entities - themselves. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Feed UUID | string | No | The unique identifier of the feed to which indicators + will be added. | - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - key from the integration settings. + | Indicators | string | No | A comma-separated list of indicators to be added + to the feed. | - 2. **Parameter Retrieval:** Extracts the target Feed UUID and the list of indicators - from the action input parameters. + | ASN | string | No | An optional ASN parameter extracted by the script, though + not explicitly used in the primary API call logic. | - 3. **API Interaction:** Initializes the Silent Push Manager and sends a POST request - to the indicators endpoint for the specified feed. - 4. **Entity Logging:** Iterates through the `target_entities` in the Google SecOps - case and logs their identifiers to the script output for visibility. + ### Additional Notes - 5. **Completion:** Returns a success message if the indicators were added successfully - or terminates with a failure status if the API returns an error or no data. + - The action does not perform any operations on the entities present in the case, + despite iterating over them for logging purposes. It is strictly an external mutation + action. capabilities: can_create_case_comments: false can_create_insight: false @@ -256,49 +298,20 @@ Add Indicators: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new indicators to a specified feed within the Silent Push platform via - a POST request to the indicators endpoint. + Adds indicators to a specified feed in the Silent Push platform via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Silent Push) to add indicators + to a feed. It does not fetch data for enrichment, nor does it modify internal + SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (adding data to an external system) and does + not retrieve data for enrichment, therefore it is not an enrichment action. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -312,35 +325,85 @@ Add Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but does not use them for any logic or API calls. Therefore, it does not run + on entities. Add Indicators Tags: - ai_description: "### General Description\nThe **Add Indicators Tags** action is\ - \ designed to update or add tags to a specific indicator (such as a domain or\ - \ IP address) within a designated feed on the Silent Push platform. This action\ - \ allows security analysts to categorize and organize threat intelligence indicators\ - \ directly from Google SecOps, facilitating better tracking and management of\ - \ malicious or suspicious assets.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Feed UUID**\ - \ | String | Yes | The unique identifier (UUID) of the feed where the indicator\ - \ is located. |\n| **Indicator Name** | String | Yes | The specific indicator\ - \ value (e.g., a domain name like `example.com`) that you wish to tag. |\n| **Tags**\ - \ | String | Yes | A string containing the tags to be applied to the indicator.\ - \ |\n\n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ - \ the Silent Push server URL and API key from the integration's global configuration.\n\ - 2. **Parameter Retrieval**: It extracts the `Feed UUID`, `Indicator Name`, and\ - \ `Tags` from the action's input parameters.\n3. **API Request**: The action initializes\ - \ the `SilentPushManager` and executes a `PUT` request to the Silent Push API\ - \ endpoint: `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/`.\n\ - 4. **Execution Status**: \n - If the API call returns a successful response,\ - \ the action completes with a success message containing the Feed UUID and the\ - \ result.\n - If the API call fails or the manager returns no data, the action\ - \ logs an error and terminates with a failure status.\n5. **Entity Iteration**:\ - \ The script iterates through the target entities in the scope and prints their\ - \ identifiers to the log, though these entities do not drive the primary tagging\ - \ logic.\n\n### Additional Notes\n- **Unused Parameter**: The script code attempts\ - \ to extract an `ASN` parameter from the action inputs, but this parameter is\ - \ not defined in the YAML configuration and is not utilized by the underlying\ - \ manager method for this specific action.\n- **External Mutation**: This action\ - \ performs a state-changing operation (PUT) on the Silent Push platform." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates tags for an indicator in an external system (Silent Push). + This does not match any of the provided categories (Enrich IOC, Contain Host, + Update Ticket, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action updates the tags of a specific indicator within a feed on the Silent + Push platform. It allows analysts to manage and categorize indicators by adding + custom tags directly to the Silent Push system. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Feed UUID | string | Yes | The unique identifier (UUID) of the feed containing + the indicator. | + + | Indicator Name | string | Yes | The name of the indicator to be tagged. | + + | Tags | string | Yes | The tags to be added to the indicator. | + + + ### Additional Notes + + The action requires a valid Silent Push API key and server URL configured in the + integration settings. All parameters (Feed UUID, Indicator Name, Tags) are mandatory + for the action to execute successfully. + + + ### Flow Description + + 1. Extract the integration configuration (Server URL, API Key) from the environment. + + 2. Extract the action parameters (Feed UUID, Indicator Name, Tags). + + 3. Initialize the `SilentPushManager` with the provided configuration. + + 4. Call the `add_indicators_tags` method via the manager, which performs a `PUT` + request to the Silent Push API to update the tags for the specified indicator. + + 5. Log the result of the operation and terminate the action with the appropriate + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -349,12 +412,18 @@ Add Indicators Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tags associated with a specific indicator within a Silent Push feed - using a PUT request. + Updates the tags for a specific indicator within a feed on the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `PUT` request to the Silent Push API to update tags for + an indicator. This is an external mutation. It does not fetch data, nor does + it modify internal SecOps data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (updating tags in an external system) and does + not fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -370,59 +439,82 @@ Add Indicators Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use them to perform the API call or filter the action. Therefore, + it does not run on entities. Density Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves density information (DNS/IP parameters) for indicators, + which provides threat intelligence and context. This aligns with the 'Enrich + IOC' category. It does not perform any other actions like ticketing, blocking, + or asset management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + The action queries granular DNS/IP parameters (e.g., NS servers, MX servers, IP + addresses, ASNs) for density information using the Silent Push platform. This + action is used to retrieve threat intelligence and contextual data about indicators. - The **Density Lookup** action queries the Silent Push platform to retrieve granular - density information for various DNS and IP parameters. This capability allows - security analysts to understand the prevalence and distribution of specific infrastructure - components, such as Name Servers (NS), Mail Servers (MX), IP addresses, and ASNs. - By analyzing the "density" of these records, analysts can identify patterns associated - with malicious infrastructure, shared hosting environments, or large-scale campaigns. + ### Flow - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. Extracts configuration parameters (`Silent Push Server`, `API Key`) and action + parameters (`Qtype`, `Query`, `Scope`). - | :--- | :--- | :--- | :--- | + 2. Initializes the `SilentPushManager` with the provided credentials. - | **Qtype** | String | Yes | Specifies the type of density lookup to perform. - Supported types include `nssrv` (Name Server), `mxsrv` (Mail Server), `nshash`, - `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. | + 3. Executes a `GET` request to the Silent Push API endpoint `explore/padns/lookup/density/{qtype}/{query}`. - | **Query** | String | Yes | The specific value to be queried (e.g., a nameserver - domain like `ns1.example.com` or an IP address). | + 4. Retrieves and processes the density records. - | **Scope** | String | No | Defines the match level or scope for the lookup to - filter results. | + 5. Logs the results and completes the action. - ### Flow Description + ### Parameters - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Parsing:** It extracts the `Qtype`, `Query`, and `Scope` provided - by the user. + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** The action calls the Silent Push `density_lookup` API - endpoint using a GET request. + | Qtype | string | Yes | Query Type (e.g., nssrv, mxsrv, nshash, mxhash, ipv4, + ipv6, asn, chv). | - 4. **Data Validation:** It checks the API response for the presence of density - records. + | Query | string | Yes | Value to query. | - 5. **Result Reporting:** If records are found, the action completes successfully - and returns the record data. If no records are found or an error occurs, the action - reports a failure. + | Scope | string | No | Match level. | ### Additional Notes - - This action is a standalone lookup and does not automatically process entities - from the current context; it relies entirely on the manually provided `Query` - and `Qtype` parameters. + The action does not use the target entities provided in the case, even though + it iterates over them in the code. capabilities: can_create_case_comments: false can_create_insight: false @@ -433,8 +525,14 @@ Density Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve density + records. It does not modify any external or internal data. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal systems, making it an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -450,95 +548,115 @@ Density Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but it does not use these entities to perform the density lookup. The lookup + is performed using the `Qtype` and `Query` action parameters. Therefore, the + action does not run on entities. Forward Padns Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a PADNS lookup, which provides threat intelligence and context + about a domain or DNS record. This aligns with the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Performs a forward Passive DNS (PADNS) lookup using the Silent Push API to retrieve + DNS record information. This action is useful for gathering threat intelligence + and infrastructure context regarding specific DNS records. - Performs a forward Passive DNS (PADNS) lookup using the Silent Push API. This - action allows users to retrieve historical DNS records for a specific domain or - record name (`Qname`) and record type (`Qtype`). It supports extensive filtering - options such as date ranges (first/last seen), regex patterns, and netmasks to - narrow down the results. - - - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the required `Qname` (DNS record name) + and optional filtering parameters (e.g., `Qtype`, `Netmask`, `Regex`, `Limit`) + from the action settings. - | **Qname** | string | Yes | The DNS record name to lookup (e.g., 'silentpush.com'). - | + 3. **API Request**: The action calls the Silent Push API to perform a forward + PADNS lookup using the provided parameters. - | **Qtype** | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx'). - Defaults to 'ns'. | + 4. **Response Handling**: It validates the API response. If records are found, + it returns the data; otherwise, it logs an error and fails the execution. - | **Netmask** | string | No | Filter results by a specific network mask. | - | **subdomain** | string | No | Flag to include subdomains in the lookup results. - | + ### Parameters Description - | **Regex** | string | No | A regular expression to filter the returned DNS records. - | + | Parameter | Type | Mandatory | Description | - | **Match** | string | No | Specifies the match type for the query (e.g., 'exact', - 'partial'). | + | :--- | :--- | :--- | :--- | - | **First Seen After** | string | No | Filter for records first observed after - this timestamp. | + | Qname | string | Yes | The DNS record name to lookup. | - | **First Seen Before** | string | No | Filter for records first observed before - this timestamp. | + | Qtype | string | No | DNS record type (e.g., ns, a, mx). Defaults to 'ns'. | - | **Last Seen After** | string | No | Filter for records last observed after this - timestamp. | + | Netmask | string | No | The netmask to filter the lookup results. | - | **Last Seen Before** | string | No | Filter for records last observed before - this timestamp. | + | Subdomains | string | No | Flag to include subdomains in the lookup results. + | - | **As Of** | string | No | Retrieve DNS records as they appeared at a specific - point in time. | + | Regex | string | No | Regular expression to filter the DNS records. | - | **Sort** | string | No | Field used to sort the results. | + | Match | string | No | Type of match for the query (e.g., exact, partial). | - | **Output Format** | string | No | The desired format for the output data. | + | First Seen After | string | No | Filter results to include only records first + seen after this date. | - | **Prefer** | string | No | Preference for specific DNS sources or servers. | + | First Seen Before | string | No | Filter results to include only records first + seen before this date. | - | **With Metadata** | string | No | Whether to include additional metadata in - the response. | + | Last Seen After | string | No | Filter results to include only records last + seen after this date. | - | **Max Wait** | string | No | Maximum time in seconds to wait for the API response. - | + | Last Seen Before | string | No | Filter results to include only records last + seen before this date. | - | **Skip** | string | No | Number of records to skip for pagination. | + | As Of | string | No | Date or time to get the DNS records as of a specific point + in time. | - | **Limit** | string | No | Maximum number of records to return in the response. + | Sort | string | No | Sort the results by the specified field (e.g., date, score). | + | Output Format | string | No | The format in which the results should be returned + (e.g., JSON, XML). | - ### Flow Description + | Prefer | string | No | Preference for specific DNS servers or sources. | - 1. **Configuration**: Extracts the Silent Push server URL and API key from the - integration settings. + | With Metadata | string | No | Flag to include metadata in the DNS records. | - 2. **Input Gathering**: Collects the mandatory `Qname` and optional filtering - parameters from the action input. + | Max Wait | string | No | Maximum number of seconds to wait for results before + timing out. | - 3. **API Execution**: Initiates a GET request to the Silent Push `explore/padns/lookup/query` - endpoint, passing the query type, name, and filters as parameters. + | Skip | string | No | Number of results to skip for pagination purposes. | - 4. **Validation**: Checks the API response for errors. If the API returns an error - or no records are found, the action fails with a descriptive message. - - 5. **Completion**: Returns the list of DNS records found as the action result. - - - ### Additional Notes - - This action is parameter-driven and does not automatically process entities from - the current context. The `Qname` must be explicitly provided to perform the lookup. + | Limit | string | No | Maximum number of results to return. | capabilities: can_create_case_comments: false can_create_insight: false @@ -549,8 +667,15 @@ Forward Padns Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve DNS records. + It does not modify external systems or internal SOAR data (entities, insights, + comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal systems. It fits the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -566,30 +691,89 @@ Forward Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print them, but does + not use them for the lookup logic. The lookup is performed based on the `Qname` + parameter provided in the action settings. Therefore, it does not run on entities. Get ASN Reputation: - ai_description: "### General Description\nThe **Get ASN Reputation** action retrieves\ - \ historical reputation data for a specific Autonomous System Number (ASN) from\ - \ the Silent Push platform. This information helps security analysts understand\ - \ the risk profile of an ASN over time, including its reputation score and associated\ - \ metadata. \n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **ASN** | String | Yes | The Autonomous\ - \ System Number (ASN) to perform the reputation lookup for. |\n| **Explain** |\ - \ Boolean | No | If enabled, the action will include detailed information explaining\ - \ how the reputation score was calculated. |\n| **Limit** | String | No | Specifies\ - \ the maximum number of historical reputation records to retrieve. |\n\n### Additional\ - \ Notes\n* Although the action metadata description mentions IPv4, the logic specifically\ - \ performs a lookup based on the provided **ASN** parameter.\n* The results are\ - \ sorted by date in descending order (most recent first).\n\n### Flow Description\n\ - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API\ - \ Key from the integration settings.\n2. **Parameter Parsing:** Extracts the target\ - \ `ASN`, the `Explain` flag, and the `Limit` value from the action inputs.\n3.\ - \ **API Interaction:** Connects to the Silent Push API via the `SilentPushManager`\ - \ and requests reputation history for the specified ASN using a GET request.\n\ - 4. **Data Processing:** Extracts the reputation records from the API response,\ - \ sorts them by date (newest first), and formats them into a structured list suitable\ - \ for a results table.\n5. **Result Delivery:** Adds the formatted reputation\ - \ data to the action's JSON results and completes the execution with a success\ - \ or failure status." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation history and threat intelligence for an ASN. + This aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, containment, or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves historical reputation data for a specific Autonomous System + Number (ASN) from the Silent Push platform. It provides analysts with insights + into the reputation history of an ASN, which can be used to assess the risk associated + with network infrastructure. + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. + + 2. **Parameter Extraction**: It extracts the `ASN` (mandatory), `Explain` (optional), + and `Limit` (optional) parameters provided by the user. + + 3. **Data Retrieval**: The action initializes the `SilentPushManager` and performs + an API request to fetch the ASN reputation history. + + 4. **Data Processing**: The raw response is parsed, and the reputation entries + are sorted by date in descending order. + + 5. **Result Generation**: The processed data is formatted into a table and added + to the action's result JSON for display in the SecOps platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | ASN | string | Yes | The Autonomous System Number (ASN) to look up. | + + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. | + + | Limit | string | No | The maximum number of reputation history records to retrieve. + | + + + ### Additional Notes + + This action does not perform any operations on entities present in the case; it + relies solely on the `ASN` parameter provided by the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -600,8 +784,16 @@ Get ASN Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Silent Push) to retrieve + reputation data. It does not modify any external systems, nor does it update + internal SecOps data such as entities, insights, or case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches reputation data from an external source (Silent Push) and + returns it to the user. It does not mutate any external or internal systems. + This fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -617,14 +809,50 @@ Get ASN Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities to perform its logic. It relies on the 'ASN' + parameter provided by the user. The code iterates over 'siemplify.target_entities' + only for logging purposes, which does not constitute processing entities. Get ASN Takedown Reputation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for an ASN, which is + a form of indicator. This aligns with the 'Enrich IOC' category. It does not + perform any other actions like ticket creation, containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get ASN Takedown Reputation** action retrieves historical and current takedown - reputation data for a specific Autonomous System Number (ASN) from the Silent - Push platform. This information helps security analysts evaluate the risk associated - with an ASN by reviewing its history of malicious activity and subsequent takedowns. + This action retrieves takedown reputation history for a specific Autonomous System + Number (ASN) from the Silent Push platform. It provides threat intelligence regarding + the ASN's involvement in takedown activities, which can be used to assess the + risk associated with infrastructure. ### Parameters Description @@ -633,40 +861,37 @@ Get ASN Takedown Reputation: | :--- | :--- | :--- | :--- | - | **ASN** | String | Yes | The Autonomous System Number (ASN) to investigate (e.g., - '211298'). | + | ASN | string | Yes | The Autonomous System Number (ASN) to lookup. | - | **Explain** | Boolean | No | If set to `true` (default), the response includes - the underlying information and logic used to calculate the reputation score. | + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. | - | **Limit** | String | No | The maximum number of historical reputation records - to retrieve from the API. | + | Limit | string | No | The maximum number of reputation history records to retrieve. + | ### Flow Description - 1. **Initialization**: The action extracts the Silent Push Server URL and API - Key from the integration configuration. + 1. The action extracts the integration configuration (Server URL, API Key) and + the action parameters (ASN, Explain, Limit). - 2. **Input Extraction**: It retrieves the `ASN`, `Explain`, and `Limit` parameters - provided by the user or playbook. + 2. It initializes the `SilentPushManager` to handle communication with the Silent + Push API. - 3. **API Request**: The action calls the Silent Push API via the `get_asn_takedown_reputation` - method in the manager class, which performs a GET request to the `explore/takedownreputation/asn/{asn}` - endpoint. + 3. The action calls the `get_asn_takedown_reputation` method, which performs a + GET request to the Silent Push API endpoint. - 4. **Response Validation**: It checks if the API returned valid takedown reputation - history. If no data is found, the action fails with an informative error message. + 4. If reputation data is successfully retrieved, the action adds the result as + a JSON object to the action results. - 5. **Output Generation**: The retrieved reputation data is formatted into a JSON - object and returned as the action's primary result for use in playbooks. + 5. If no data is found or an error occurs during the API call, the action logs + the error and terminates with a failed status. ### Additional Notes - - This action operates based on the manually provided **ASN** parameter rather - than automatically iterating through entities in the case scope. While it accesses - the `target_entities` list, it does not use them to drive the lookup logic. + This action does not perform any modifications to the entities or the case. It + is strictly a data retrieval action. capabilities: can_create_case_comments: false can_create_insight: false @@ -677,8 +902,17 @@ Get ASN Takedown Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Silent Push) to retrieve + reputation data. It does not modify any external systems, nor does it update + internal entities, create insights, or modify case data. It simply returns the + retrieved data as a JSON result. categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data (reputation), it does not meet the strict criteria + for an Enrichment Action because it does not update entities, create insights, + or add case comments. It only returns a result JSON. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -694,50 +928,70 @@ Get ASN Takedown Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + to the logs. It does not use these entities to filter the API request or perform + any logic on them. Therefore, the action does not run on entities. Get ASNs for Domain: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (ASNs) for a domain. This matches the + 'Enrich IOC' category as it provides contextual intelligence for an indicator. + It does not perform any other actions like ticketing or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get ASNs for Domain** action retrieves Autonomous System Numbers (ASNs) - associated with a specific domain using the Silent Push platform. It identifies - ASNs linked to A records for the domain and its subdomains that have been observed - in the last 30 days. This action is primarily used for infrastructure mapping - and network attribution during security investigations. + This action retrieves Autonomous System Numbers (ASNs) associated with a specific + domain using the Silent Push platform. It queries the Silent Push API to fetch + the associated ASNs for the provided domain, providing valuable threat intelligence. ### Parameters Description - | Parameter | Type | Mandatory | Default Value | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Domain | String | Yes | silentpush.com | The domain name for which to retrieve - associated ASNs. | + | Domain | string | Yes | The domain name to search for associated ASNs. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration's configuration settings. - - 2. **Parameter Retrieval:** It extracts the target domain name from the action - input parameters. - - 3. **API Request:** The action calls the Silent Push `explore/padns/lookup/domain/asns` - endpoint to fetch ASN records associated with the domain's historical A records. + 1. Extracts the `Domain` parameter from the action configuration. - 4. **Response Validation:** It checks the API response for valid records. If no - ASNs are found, the action logs an error and terminates with a failure status. + 2. Initializes the `SilentPushManager` with the provided API credentials. - 5. **Result Output:** Upon success, the action returns the list of ASNs in a JSON - result and provides a summary message to the Google SecOps platform. + 3. Queries the Silent Push API (`explore/padns/lookup/domain/asns/{domain}`) to + fetch associated ASNs. - - ### Additional Notes - - This action is parameter-driven and does not automatically iterate over entities - in a case. To use this action with entities, the 'Domain' parameter should be - mapped to an entity identifier within a playbook. + 4. Logs the results or errors and terminates the action with the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -748,8 +1002,16 @@ Get ASNs for Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve ASN data for a domain. It does + not mutate external systems, nor does it update internal SOAR entities or insights. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data but does not update entities, create insights, or add + comments. It does not meet the criteria for an Enrichment Action as defined, + because it does not perform any internal mutations (like updating the entity + profile). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -765,50 +1027,71 @@ Get ASNs for Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use them to perform the lookup or update them. Therefore, it does + not process entities. Get Data Exports: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action downloads a file from a remote host. This matches the 'Download File' + category. It does not perform any other operations. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Downloads exported threat intelligence feed data from the Silent Push platform. - This action utilizes a specific Feed URL to retrieve data (typically in CSV format) - containing indicators or other threat-related information. The retrieved content - is returned as part of the action result for further processing within the playbook. - + Downloads data export files from the Silent Push platform. This action retrieves + a file from a specified URL and logs the content. - ### Flow Description: - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - key from the integration's global configuration. + ### Flow - 2. **Parameter Retrieval:** Obtains the mandatory 'Feed URL' provided as an action - parameter. + 1. Extracts configuration (Server URL, API Key) and the `Feed URL` parameter. - 3. **API Request:** Executes a GET request to the Silent Push export endpoint - (`/app/v1/export/organization-exports/`) using the constructed URL. + 2. Initializes the `SilentPushManager`. - 4. **Response Validation:** Checks if the request was successful (HTTP 200). If - the server returns an error, the action logs the failure and terminates. + 3. Sends a GET request to the specified `Feed URL` to retrieve the export data. - 5. **Result Processing:** Extracts the filename from the URL and returns the raw - content of the exported feed in the action output. + 4. Logs the status and the content of the downloaded file. - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Feed URL | String | Yes | The specific URL suffix or identifier for the feed - data to be exported from Silent Push. Default is a specific indicator CSV. | - + | Feed URL | string | Yes | The URL from which to export the feed data. | - ### Additional Notes: - - This action is designed for bulk data retrieval and does not perform individual - entity-level enrichment. + ### Additional Notes - - Although the action iterates over target entities in the environment, it does - not use them to filter or modify the data retrieval process; it simply logs their - identifiers. + This action is a utility for downloading data and does not perform any operations + on entities or alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -819,45 +1102,18 @@ Get Data Exports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to download a file from an external URL. It + does not modify any external systems, nor does it update any internal SOAR entities + or insights. It only logs the result. categories: enrichment: false + reasoning: >- + The action downloads a file. It does not associate the data with any entity + or alert, nor does it perform any enrichment logic. Therefore, it is not an + enrichment action. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -871,42 +1127,68 @@ Get Data Exports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` but only prints their identifiers + to the log. It does not use the entities to perform any logic or filtering. Get Domain Certificates: - ai_description: "### General Description\nThis action retrieves SSL/TLS certificate\ - \ data for a specified domain using the Silent Push API. It allows security analysts\ - \ to examine certificate history and metadata collected from domain scanning,\ - \ which is essential for identifying infrastructure patterns, verifying ownership,\ - \ or detecting malicious impersonation and phishing infrastructure.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Domain | string | Yes | The target domain to query certificates\ - \ for (e.g., silentpush.com). |\n| Domain Regex | string | No | A regular expression\ - \ to filter the domains returned in the certificate data. |\n| Certificate Issuer\ - \ | string | No | Filter results by the name of the certificate issuer (CA). |\n\ - | Date Min | string | No | Filter for certificates issued on or after this date\ - \ (ISO format). |\n| Date Max | string | No | Filter for certificates issued on\ - \ or before this date (ISO format). |\n| Prefer | string | No | Specifies whether\ - \ to wait for results (synchronous) or return a job_id immediately (asynchronous).\ - \ |\n| Max Wait | string | No | The number of seconds (0-25) to wait for results\ - \ before the API returns a job_id. |\n| With Metadata | string | No | If set to\ - \ true, includes a metadata object containing result counts and job identifiers.\ - \ |\n| Skip | string | No | The number of results to skip for pagination. |\n\ - | Limit | string | No | The maximum number of results to return. |\n\n### Flow\ - \ Description\n1. **Initialization:** The action extracts the Silent Push server\ - \ URL and API key from the integration configuration.\n2. **Parameter Extraction:**\ - \ It retrieves the target domain and optional filters (regex, issuer, dates, pagination)\ - \ from the action parameters.\n3. **API Request:** The action calls the Silent\ - \ Push `explore/domain/certificates/{domain}` endpoint using a GET request, passing\ - \ the filters as query parameters.\n4. **Response Handling:** \n * If the API\ - \ returns a `job_status` (indicating a long-running query), the action completes\ - \ successfully and provides the job details for later retrieval.\n * If the\ - \ API returns certificate data immediately, the action parses the list of certificates\ - \ and associated metadata.\n5. **Completion:** The action outputs the retrieved\ - \ certificate data or job information to the Google SecOps result JSON.\n\n###\ - \ Additional Notes\n* This action is parameter-driven and does not automatically\ - \ iterate over entities in the current case scope. The 'Domain' parameter must\ - \ be explicitly provided or mapped from an entity identifier in a playbook.\n\ - * If no certificates are found for the provided domain, the action will return\ - \ a failure status." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves SSL certificate information for a domain, which provides + threat intelligence and context about the domain's infrastructure. This aligns + with the 'Enrich IOC' category. It does not perform any other actions like updating + tickets, blocking IOCs, or managing identities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action retrieves SSL certificate\ + \ details for a specified domain using the Silent Push platform. It allows for\ + \ advanced filtering of certificate data, including regex matching, issuer filtering,\ + \ and date range constraints. The action is designed to provide contextual intelligence\ + \ about a domain's infrastructure by querying historical and current certificate\ + \ records.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Domain | string | Yes | The domain to query\ + \ certificates for. |\n| Domain Regex | string | No | Regular expression to match\ + \ domains. |\n| Certificate Issuer | string | No | Filter by certificate issuer.\ + \ |\n| Date Min | string | No | Filter certificates issued on or after this date.\ + \ |\n| Date Max | string | No | Filter certificates issued on or before this date.\ + \ |\n| Prefer | string | No | Prefer to wait for results for longer running queries\ + \ or to return job_id immediately. |\n| Max Wait | string | No | Number of seconds\ + \ to wait for results before returning a job_id (0-25 seconds). |\n| With Metadata\ + \ | string | No | Includes a metadata object in the response. |\n| Skip | string\ + \ | No | Number of results to skip. |\n| Limit | string | No | Number of results\ + \ to return. |\n\n### Flow Description\n1. **Configuration Extraction**: The action\ + \ retrieves the Silent Push server URL and API key from the integration configuration.\n\ + 2. **Parameter Parsing**: It extracts and validates the provided action parameters,\ + \ including domain, filters, and pagination settings.\n3. **API Request**: The\ + \ action calls the Silent Push API (`/explore/domain/certificates/{domain}`) to\ + \ fetch certificate data.\n4. **Response Handling**: \n - If the API returns\ + \ a job status, the action reports the job details.\n - If certificate data\ + \ is returned, it processes the certificates and metadata.\n5. **Output**: The\ + \ action returns the certificate information and metadata as the script result." capabilities: can_create_case_comments: false can_create_insight: false @@ -914,11 +1196,20 @@ Get Domain Certificates: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: 'null' + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve certificate + data. It does not modify any external systems (no POST/PUT/DELETE) and does + not modify any internal Google SecOps data (no entity updates, insights, or + comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + about a domain. It does not mutate external systems or modify internal Google + SecOps data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -934,67 +1225,85 @@ Get Domain Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the 'Domain' parameter provided in the action settings to perform + the query. While it iterates over `siemplify.target_entities` for logging purposes, + it does not use these entities to drive the logic or filter the request. Therefore, + it does not run on specific entity types. Get Enrichment Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action fetches enrichment data for domains or IP addresses from the Silent + Push API. This matches the 'Enrich IOC' expected outcome. It does not mutate + external systems or modify internal case data, so it is not a containment or + update action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + This action retrieves comprehensive enrichment information for a given resource + (domain, IPv4, or IPv6) from the Silent Push platform. It allows users to specify + the resource type and value, and optionally include detailed calculation explanations + or scan data for IPv4 resources. - This action retrieves comprehensive enrichment information for a specific resource, - such as a domain, IPv4, or IPv6 address, from the Silent Push platform. It is - designed for manual lookups where a user provides a specific value to investigate. - The action returns detailed metadata, including ASN information and reputation - data, which can be used to assess the risk associated with the resource. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Resource | string | Yes | The type of resource for which information needs to - be retrieved (e.g., domain, ipv4, ipv6). | - - | Value | string | Yes | The value corresponding to the selected resource (e.g., - silentpush.com or an IP address). | - - | Explain | boolean | No | When set to `true`, the response will include an explanation - of how the data calculations were performed. | + | Resource | string | Yes | Type of resource for which information needs to be + retrieved (e.g., domain, ipv4, ipv6). | - | Scan Data | boolean | No | When set to `true`, the response will include scan - data. This is only applicable when the resource type is `ipv4`. | + | Value | string | Yes | Value corresponding to the selected "resource" for which + information needs to be retrieved (e.g., silentpush.com). | + | Explain | boolean | No | Include explanation of data calculations. | - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case - scope; it relies entirely on the provided `Value` and `Resource` parameters. - - - The `Scan Data` parameter is only applicable when the `Resource` type is set - to `ipv4`. - - - The action performs a read-only operation and does not modify any data in Silent - Push or Google SecOps. + | Scan Data | boolean | No | Include scan data (IPv4 only). | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the Silent Push server URL - and API key from the integration configuration. - 2. **Parameter Extraction**: It retrieves the user-provided parameters: `Resource`, - `Value`, `Explain`, and `Scan Data`. + 1. **Initialization**: The action extracts the Silent Push API credentials and + the action parameters (`Resource`, `Value`, `Explain`, `Scan Data`). - 3. **Input Validation**: The action validates that the `Resource` type is one - of the allowed values (`ipv4`, `ipv6`, `domain`). If the resource is an IP, it - validates the format using the `validate_ip` helper. + 2. **Validation**: It validates the `Resource` type against allowed values and + performs IP address validation if the resource is an IPv4 or IPv6 address. - 4. **Data Retrieval**: It calls the `get_enrichment_data` method in the `SilentPushManager`, - which sends a GET request to the Silent Push API's enrichment endpoint. + 3. **Data Retrieval**: The action queries the Silent Push API to fetch enrichment + data based on the provided resource and value. - 5. **Result Handling**: If data is retrieved, it is added to the action's JSON - results. The action then concludes by providing an output message and a success - status. If an error occurs or no data is found, it logs the error and ends with - a failure status. + 4. **Result Processing**: If enrichment data is successfully retrieved, it is + added to the action's result JSON. If no data is found or an error occurs, the + action fails with an appropriate error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1005,8 +1314,17 @@ Get Enrichment Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve enrichment + data. It does not mutate external systems or modify internal SOAR data (entities, + insights, or case comments). It only returns the retrieved data as a result + JSON. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + for IOCs. It does not mutate external systems or modify internal SOAR data. + This aligns with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1022,57 +1340,89 @@ Get Enrichment Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters (`Resource` and `Value`) to perform the lookup. + While it iterates over `siemplify.target_entities` for logging purposes, it + does not use them to perform the enrichment logic. Therefore, no entity types + are processed. Get Future Attack Indicatiors: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of indicators from a feed. It does not enrich a + specific IOC, update an alert, or perform any of the other listed actions. It + is a data retrieval action for threat intelligence feeds. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves indicators of potential future attacks from the Silent Push - platform using a specific Feed UUID. It is designed to fetch threat intelligence - data, specifically Indicators of Compromise (IOCs) associated with threat rankings, - to assist in proactive security monitoring and defense strategies. + This action fetches indicators of potential future attacks from the Silent Push + platform using a provided Feed UUID. It retrieves threat intelligence data based + on the specified feed and pagination settings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action extracts the `Silent Push Server` + URL and `API Key` from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `Feed UUID`, `Page No`, and + `Page Size` from the action parameters. - | Feed UUID | String | Yes | The unique identifier for the Silent Push threat - feed from which to retrieve indicators. | + 3. **Manager Initialization**: The `SilentPushManager` is initialized with the + server URL and API key. - | Page No | String | No | The page number for paginated results. Defaults to "1" - if not provided. | + 4. **Data Retrieval**: The action calls the `get_future_attack_indicators` method + of the `SilentPushManager` to fetch the threat ranking data. - | Page Size | String | No | The number of indicators to retrieve per page. Defaults - to "10000" if not provided. | + 5. **Result Output**: The retrieved indicators are returned as a JSON object in + the action results. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL - and API Key from the integration's global configuration. + | Parameter | Type | Mandatory | Description | - 2. **Input Parsing**: It extracts the `Feed UUID`, `Page No`, and `Page Size` - from the action parameters, ensuring default values are applied for pagination - if they are missing. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action makes a GET request to the Silent Push `/api/v2/iocs/threat-ranking/` - endpoint, passing the feed UUID and pagination details as query parameters. + | Feed UUID | string | Yes | Unique ID for the feed to fetch records for. | - 4. **Response Handling**: It processes the API response, extracting the list of - indicators from the returned JSON data. + | Page No | string | No | The page number to fetch results from (default: 1). + | - 5. **Output Generation**: The retrieved indicators are added to the action's JSON - result (`JsonResult`). If no indicators are found, the action reports a failure; - otherwise, it completes successfully with the fetched data. + | Page Size | string | No | The number of indicators to fetch per page (default: + 10000). | ### Additional Notes - - This action is parameter-driven and does not utilize or filter data based on - entities present in the Google SecOps case. While it iterates through target entities - for logging purposes, they do not influence the API query or the results. + If no indicators are found for the provided `Feed UUID`, the action will fail + and log an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1083,8 +1433,16 @@ Get Future Attack Indicatiors: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API to retrieve threat intelligence + data (future attack indicators). It does not modify any external systems or + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not operate on specific + entities or alerts to enrich them. It is a data retrieval task, not an enrichment + action as defined by the SOAR framework. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1100,59 +1458,80 @@ Get Future Attack Indicatiors: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities` to perform its task. It only iterates + over them for logging purposes, which does not constitute processing or filtering + entities. Get IPV4 Reputation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation history for an IPv4 address, which directly + matches the 'Enrich IOC' category. It does not perform any other operations + like updating alerts, tickets, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Retrieves historical reputation data for a specific IPv4 address using the Silent - Push threat intelligence platform. This action allows analysts to understand the - reputation score and history of an IP address, providing context on its past behavior - and potential risk levels. + Retrieves reputation information for an IPv4 address from the Silent Push platform. + This action fetches historical reputation data, including detailed calculation + explanations if requested, and returns the results as a JSON response. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Nameserver | string | Yes | The IPv4 address for which reputation information - needs to be retrieved. Note: Despite the name 'Nameserver', the API expects an - IPv4 address. | - - | Explain | boolean | No | If set to true, the response will include the specific - information and logic used to calculate the reputation score. Defaults to false. - | - - | Limit | string | No | The maximum number of reputation history entries to retrieve - from the platform. | - + needs to be retrieved. | - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies strictly on the provided 'Nameserver' parameter. + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. Defaults to false. | - - The action returns a JSON object containing the reputation history, which can - be used in downstream playbooks for decision-making. + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. + 1. The action extracts the integration configuration (Server URL, API Key) and + the action parameters (Nameserver, Explain, Limit). - 2. **Parameter Parsing**: Extracts the target IPv4 address (Nameserver), the explanation - flag, and the result limit from the action inputs. + 2. It initializes the `SilentPushManager` with the provided credentials. - 3. **API Interaction**: Calls the Silent Push `get_ipv4_reputation` endpoint using - the provided parameters. + 3. It calls the `get_ipv4_reputation` method of the `SilentPushManager` to fetch + the reputation history for the specified IPv4 address. - 4. **Response Validation**: Checks if reputation history data was returned. If - no history is found, the action reports a failure. + 4. If the reputation data is successfully retrieved, it is added to the action's + result JSON. - 5. **Result Output**: Adds the raw API response to the action's JSON results for - use in the SOAR platform. + 5. If no data is found or an error occurs during the API call, the action logs + the error and terminates with a failed status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1163,8 +1542,16 @@ Get IPV4 Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external API (Silent Push) using a GET request. + It does not mutate any external systems, nor does it modify internal Google + SecOps data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + (reputation history) for an IPv4 address. It does not mutate external systems + or internal data, fulfilling the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1180,15 +1567,53 @@ Get IPV4 Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` only to print them, but + it does not use them to perform the reputation lookup. The lookup is performed + using the 'Nameserver' parameter provided by the user. Therefore, it does not + run on entities. Get Nameserver Reputation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation history for a nameserver, which is a form of + threat intelligence for an indicator. This aligns with the 'Enrich IOC' category. + It does not perform any other operations like ticket creation, host containment, + or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves historical reputation data for a specified nameserver using - the Silent Push API. It provides reputation scores and can optionally include - detailed information about how those scores were calculated. The action is primarily - used for threat intelligence gathering and investigating the reputation of DNS - infrastructure. + This action retrieves historical reputation data for a specified nameserver from + the Silent Push platform. It provides insights into the nameserver's reputation + history, which can be used to assess the risk associated with specific DNS infrastructure. + The action supports optional parameters to include detailed calculation explanations + and to limit the number of history entries returned. ### Parameters Description @@ -1197,45 +1622,32 @@ Get Nameserver Reputation: | :--- | :--- | :--- | :--- | - | Nameserver | String | Yes | The specific nameserver name (e.g., `ns1.example.com`) - for which reputation history is being requested. | - - | Explain | String | No | If provided (e.g., "true"), the API will return the - specific data points and logic used to calculate the reputation score. | - - | Limit | String | No | The maximum number of historical reputation records to - retrieve. | + | Nameserver | string | Yes | The nameserver name for which reputation information + needs to be retrieved. | + | Explain | string | No | If provided, includes detailed information used to calculate + the reputation score. | - ### Additional Notes - - - The action does not automatically iterate over entities in the Google SecOps - environment. Instead, it relies on the `Nameserver` parameter provided by the - user or mapped from a playbook. - - - Dates in the returned reputation history are automatically parsed from the API's - integer format (YYYYMMDD) into ISO 8601 format for better readability. + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. - - 2. **Parameter Retrieval:** It extracts the `Nameserver`, `Explain`, and `Limit` - values from the action inputs. + 1. **Configuration Extraction**: The action extracts the Silent Push server URL + and API key from the integration configuration. - 3. **API Interaction:** The `SilentPushManager` is initialized and calls the `explore/nsreputation/history/nameserver` - endpoint via a GET request. + 2. **Parameter Extraction**: It retrieves the `Nameserver`, `Explain`, and `Limit` + parameters provided by the user. - 4. **Data Processing:** The script iterates through the returned reputation history - list, converting integer-based dates into standard ISO strings. + 3. **API Request**: The action initializes the `SilentPushManager` and calls the + `get_nameserver_reputation` method to fetch data from the Silent Push API. - 5. **Validation:** If no valid reputation history is found, the action reports - a failure. + 4. **Data Processing**: It processes the returned reputation data, specifically + parsing date fields into ISO format. - 6. **Completion:** The action ends by returning the reputation data as a result - and providing a status message to the case wall. + 5. **Output**: The action logs the status and reputation data, then terminates + with the result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1246,8 +1658,16 @@ Get Nameserver Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve reputation + data for a nameserver. It does not modify any external systems, nor does it + modify any internal Google SecOps data (entities, insights, or case comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is a read-only operation that fetches threat intelligence (reputation + data) from an external source (Silent Push). It does not mutate external or + internal data, satisfying the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1263,53 +1683,90 @@ Get Nameserver Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action relies on the 'Nameserver' parameter provided in the action settings + to perform its task. Although the code iterates over `siemplify.target_entities` + to print them, it does not use these entities to perform the logic or filter + the request. Therefore, it does not run on entities. Get Subnet Reputation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation history for a subnet, which is a form of threat + intelligence for an indicator (IOC). This matches the 'Enrich IOC' category. + It does not perform any other actions like updating tickets, blocking IOCs, + or managing identities. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Retrieves the reputation history for a specific IPv4 subnet from Silent Push. - This action allows security analysts to understand the historical risk profile - of a network range, including detailed scoring explanations if requested. - + This action retrieves the reputation history for a specific IPv4 subnet using + the Silent Push API. It allows analysts to gather historical threat intelligence + regarding a subnet to assess its risk profile. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | Subnet | String | Yes | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation - information needs to be retrieved. | + 2. **Parameter Extraction**: It extracts the `Subnet`, `Explain` (optional), and + `Limit` (optional) parameters provided by the user. - | Explain | String | No | Show the detailed information used to calculate the - reputation score. | + 3. **Data Retrieval**: The action initializes the `SilentPushManager` and performs + a GET request to the Silent Push API to fetch the reputation history for the specified + subnet. - | Limit | String | No | Maximum number of reputation history entries to retrieve. - | + 4. **Result Handling**: If data is found, it logs the reputation history. If no + data is found or the request fails, it logs an error and terminates the action + with a failed status. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Retrieval**: Extracts the target Subnet, Explain flag, and Limit - from the action inputs. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: Executes a GET request to the Silent Push `explore/ipreputation/history/subnet` - endpoint via the `SilentPushManager`. + | Subnet | string | Yes | The IPv4 subnet for which reputation information needs + to be retrieved. | - 4. **Response Processing**: Extracts the `subnet_reputation_history` from the - API response. + | Explain | string | No | A flag to show detailed information used to calculate + the reputation score. | - 5. **Completion**: Returns the reputation data as a JSON result and sets the action - status based on whether data was found. + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | ### Additional Notes - This action does not automatically update entities or create insights; it provides - the raw reputation history in the action's JSON result. + This action does not perform any mutations on external systems or internal Google + SecOps data. It is a read-only operation designed for enrichment purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -1320,45 +1777,18 @@ Get Subnet Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve reputation + data. It does not modify any external systems, nor does it update any internal + Google SecOps data (entities, insights, or comments). categories: enrichment: true + reasoning: >- + The action fetches reputation data from an external source (Silent Push) and + does not modify any external or internal state. This aligns with the definition + of an enrichment action. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1372,14 +1802,50 @@ Get Subnet Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + for logging purposes. The actual logic for fetching reputation relies solely + on the `Subnet` parameter provided in the action settings, not on the entities + themselves. Therefore, the action does not run on entities. Get job status: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves the status of a job from an external service. It does not + match any of the specific categories like 'Enrich IOC', 'Enrich Asset', 'Create + Ticket', etc. It is a utility action for job monitoring. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves the current status or the final results of a previously - initiated job within the Silent Push platform using a specific Job ID. It is primarily - used to poll for the completion of asynchronous tasks such as deep scans or complex - infrastructure lookups. + This action retrieves the status of a running job or the results of a completed + job from the Silent Push platform. It is used to monitor the progress of asynchronous + tasks initiated by other Silent Push actions. ### Parameters Description @@ -1388,49 +1854,37 @@ Get job status: | :--- | :--- | :--- | :--- | - | **Job ID** | string | Yes | The unique identifier of the job returned by previous - Silent Push actions. | + | Job ID | string | Yes | The unique identifier of the job to retrieve status + for. | - | **Max Wait** | string | No | The number of seconds (0-25) the action should - wait for the job results before returning the current status. Defaults to 20 if - not provided. | + | Max Wait | string | No | The number of seconds to wait for results (0-25 seconds). + Defaults to 20 if not provided. | - | **Status Only** | boolean | No | If set to `true`, the action returns only the - job status information, even if the job has already completed and results are - available. | + | Status Only | boolean | No | If set to true, returns the job status even if + the job is already complete. | - | **Force Metadata On** | boolean | No | If set to `true`, the response will always - include query metadata, regardless of the original request configuration. | + | Force Metadata On | boolean | No | If set to true, always returns query metadata, + even if the original request did not include it. | - | **Force Metadata Off** | boolean | No | If set to `true`, the response will - never include query metadata, regardless of the original request configuration. - | - - - ### Additional Notes - - - The `Max Wait` parameter is capped at 25 seconds by the underlying API logic. - - - This action does not process or require specific SecOps entities; it operates - globally based on the provided `Job ID`. + | Force Metadata Off | boolean | No | If set to true, never returns query metadata, + even if the original request included it. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. - - 2. **Parameter Parsing:** It extracts the `Job ID` and optional parameters like - `Max Wait` and status flags. + 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL + and API Key from the integration configuration. - 3. **API Interaction:** The action initializes the `SilentPushManager` and performs - a GET request to the `explore/job/{job_id}` endpoint. + 2. **Parameter Extraction**: The action extracts the `Job ID`, `Max Wait`, `Status + Only`, `Force Metadata On`, and `Force Metadata Off` parameters. - 4. **Response Handling:** It checks if a valid job status was returned. If the - job status is missing, the action fails. + 3. **API Request**: The action calls the `get_job_status` method of the `SilentPushManager`, + which performs a GET request to the Silent Push API using the provided `Job ID` + and parameters. - 5. **Result Reporting:** The action outputs the raw JSON response containing the - job status or results and sets the execution state to completed. + 4. **Result Handling**: The action processes the API response. If the job status + is found, it returns the status information as the output message. If no status + is found or an error occurs, it logs the error and fails the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1441,8 +1895,18 @@ Get job status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve the status + of a job. It does not modify any external systems, nor does it perform any internal + mutations such as updating entities, creating insights, or adding case comments. + It simply fetches and returns data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data (job status) but does not meet the criteria for an enrichment + action because it does not perform any of the allowed internal mutations (updating + entities, creating insights, or adding case comments). It is a utility action + for job monitoring. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1458,33 +1922,86 @@ Get job status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but it does not use them in the API request or any logic. Therefore, it does + not run on entities. List Domain Information: - ai_description: "### General Description\nThe **List Domain Information** action\ - \ retrieves comprehensive metadata for a list of domains using the Silent Push\ - \ platform. It provides a consolidated view of domain attributes and can be configured\ - \ to include advanced security context such as risk scores and live WHOIS records.\ - \ This action is designed for bulk lookups and returns data in both Markdown format\ - \ for the case wall and structured JSON for playbook automation.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Domains** | String | Yes | A comma-separated list of domain\ - \ names (e.g., `example.com, test.org`) to be queried. |\n| **Fetch Risk Score**\ - \ | Boolean | No | If set to `true`, the action retrieves the Silent Push risk\ - \ score and a detailed explanation for each domain. Default is `false`. |\n| **Fetch\ - \ Whois Info** | Boolean | No | If set to `true`, the action performs a live WHOIS\ - \ lookup to retrieve registration details for each domain. Default is `false`.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the API\ - \ key and server URL from the integration configuration and parses the input domain\ - \ list from the action parameters.\n2. **Data Retrieval**: \n - The action\ - \ performs a bulk request to fetch general domain information (e.g., infrastructure\ - \ tags, IP diversity).\n - If enabled, it fetches risk scores for the provided\ - \ domains.\n - If enabled, it performs individual WHOIS lookups for each domain\ - \ in the list.\n3. **Processing**: The action aggregates the data from different\ - \ Silent Push endpoints into a unified structure for each domain.\n4. **Output**:\ - \ It generates a Markdown summary for the case wall and a structured JSON object\ - \ containing the full results for use in downstream playbook logic.\n\n### Additional\ - \ Notes\n- This action supports querying up to 100 domains in a single execution.\n\ - - While the script iterates over target entities for logging purposes, the core\ - \ logic is driven exclusively by the `Domains` input parameter." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and WHOIS information for domains, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticket creation, containment, or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action retrieves detailed domain information from the Silent Push platform. + It allows users to query multiple domains simultaneously and optionally fetch + associated risk scores and WHOIS information. The results are returned in both + Markdown format for readability and JSON format for further processing. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Domains | string | Yes | Comma-separated list of domains to query. | + + | Fetch Risk Score | boolean | No | Whether to fetch risk scores for the domains. + Defaults to false. | + + | Fetch Whois Info | boolean | No | Whether to fetch WHOIS information for the + domains. Defaults to false. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action extracts the necessary integration + configuration, including the Silent Push Server URL and API Key. + + 2. **Parameter Extraction**: It retrieves the `Domains`, `Fetch Risk Score`, and + `Fetch Whois Info` parameters provided by the user. + + 3. **Manager Initialization**: The `SilentPushManager` is initialized with the + extracted configuration. + + 4. **Data Retrieval**: The action calls the `list_domain_information` method of + the `SilentPushManager` to fetch the requested data from the Silent Push API. + + 5. **Response Formatting**: The API response is formatted into a Markdown string + for display and a JSON object for the action result. + + 6. **Result Output**: The JSON response is added to the action result, and the + action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -1495,8 +2012,15 @@ List Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches domain information (risk score, WHOIS) from the Silent Push + API. It does not modify any external or internal systems, nor does it update + entities or create insights. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal state. It qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1512,72 +2036,102 @@ List Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes a comma-separated list of domains provided via the 'Domains' + parameter. Although the script iterates over `siemplify.target_entities` for + logging purposes, it does not perform any operations on these entities. Therefore, + it does not run on entities. List Domain Infratags: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves infrastructure tags for domains, which provides threat + intelligence and context about the domain's infrastructure. This aligns with + the 'Enrich IOC' category. It does not perform any other actions like ticket + creation, host containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Domain Infratags** action retrieves infrastructure tags (infratags) - for a specified list of domains from the Silent Push platform. Infratags provide - critical context about the infrastructure associated with a domain, such as hosting - providers, shared IP space, or specific technology stacks. This action is designed - for bulk lookups and can optionally cluster results to identify common infrastructure - patterns across multiple domains. + This action retrieves infrastructure tags (infratags) for a specified list of + domains from the Silent Push platform. It allows for optional clustering of results + and supports different lookup modes (e.g., live or padns) to provide detailed + infrastructure context for the provided domains. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action extracts the necessary API credentials + and action parameters (Domain, Cluster, Mode, Match, As Of, Origin UID, Use Get) + from the integration configuration and action settings. - | :--- | :--- | :--- | :--- | + 2. **API Request**: It initializes the `SilentPushManager` and calls the `list_domain_infratags` + method, which performs a POST request to the Silent Push API to fetch infrastructure + tags for the provided domains. - | **Domain** | String | Yes | A comma-separated list of domains to query for infrastructure - tags. | + 3. **Response Processing**: The action parses the API response. If clustering + is enabled, it formats the tag clusters into a readable structure. - | **Mode** | String | No | The lookup mode to use. Options are `live` (current - data) or `padns` (historical passive DNS data). Defaults to `live`. | + 4. **Result Output**: The retrieved infratags and optional cluster data are added + to the action's result JSON for use in the SOAR platform. - | **Match** | String | No | Specifies the handling of self-hosted infrastructure. - Defaults to `self`. | - | **As Of** | String | No | A timestamp used when `Mode` is set to `padns` to - retrieve infrastructure data as it existed at a specific point in time. | + ### Parameters Description - | **Cluster** | Boolean | No | If set to `true`, the action will cluster the results - and provide a formatted summary of domain tag clusters. Defaults to `false`. | + | Parameter | Type | Mandatory | Description | - | **Origin UID** | String | No | An optional unique identifier for the request - origin. | + | :--- | :--- | :--- | :--- | - | **Use Get** | Boolean | No | A configuration flag; however, the underlying implementation - uses a POST request to support bulk domain processing. | + | Domain | string | Yes | A comma-separated list of domains to retrieve infrastructure + tags for. | + | Cluster | boolean | No | Whether to cluster the results. Defaults to false. + | - ### Flow Description + | Mode | string | No | Mode for lookup (live/padns). Defaults to "live". | - 1. **Initialization:** The action extracts the Silent Push API credentials and - the user-provided parameters, including the list of domains to be analyzed. + | Match | string | No | Handling of self-hosted infrastructure. Defaults to "self". + | - 2. **API Interaction:** It sends a POST request to the Silent Push `explore/bulk/domain/infratags` - endpoint. The request includes the domains, the selected mode (live/padns), and - other filtering criteria like the 'As Of' timestamp. + | As Of | string | No | Build infratags from padns data where the as_of timestamp + equivalent is between the first_seen and the last_seen timestamp. | - 3. **Data Processing:** The action parses the API response to extract infrastructure - tags. If the `Cluster` parameter is enabled, it also processes and formats the - `tag_clusters` data into a readable structure. + | Origin UID | string | No | Unique identifier for the API user. | - 4. **Result Delivery:** The retrieved infratags and optional cluster details are - attached to the action's JSON result. The action completes with a summary message - indicating the success or failure of the data retrieval. + | Use Get | boolean | No | Flag to indicate if GET should be used (though the + implementation defaults to POST). | ### Additional Notes - - This action operates independently of the entities currently present in the - Google SecOps case; it relies strictly on the domains provided in the **Domain** - input parameter. - - - The `Use Get` parameter is present in the configuration but is not used to change - the HTTP method, as the bulk lookup logic requires a POST request. + The action relies on the `Domain` parameter to perform the lookup. While it iterates + over `siemplify.target_entities` for logging purposes, it does not use these entities + to filter or drive the API request logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -1588,8 +2142,17 @@ List Domain Infratags: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to retrieve infrastructure + tags for domains. It does not modify any external systems, nor does it update + internal SOAR entities, create insights, or modify alert data. It is a read-only + data retrieval operation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual infrastructure data (infratags) for + domains. It does not mutate external systems or modify internal SOAR data (entities, + insights, comments). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1605,30 +2168,77 @@ List Domain Infratags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts the domains to query from the 'Domain' action parameter, + not from the `target_entities` list. Although the code iterates over `siemplify.target_entities` + for logging purposes, it does not use them to perform the lookup or filter the + results. Therefore, it does not run on entities. List IP Information: - ai_description: "### General Description\nThe **List IP Information** action retrieves\ - \ comprehensive Autonomous System Number (ASN) and network routing information\ - \ for a provided list of IPv4 and IPv6 addresses using the Silent Push platform.\ - \ This action is designed for bulk lookups, allowing security analysts to gather\ - \ context on multiple IP indicators simultaneously to identify ownership and network\ - \ reputation.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Ips | String | Yes | A comma-separated\ - \ list of IPv4 or IPv6 addresses to investigate (e.g., \"142.251.188.102, 8.8.8.8\"\ - ). |\n\n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ - \ the Silent Push Server URL and API Key from the integration's configuration\ - \ parameters.\n2. **Input Parsing:** It extracts the `Ips` string parameter and\ - \ splits it into a list of individual addresses.\n3. **Validation & Categorization:**\ - \ The action uses the `SilentPushManager` to validate each address and categorize\ - \ them into separate lists for IPv4 and IPv6.\n4. **Bulk Data Retrieval:** \n\ - \ - If IPv4 addresses are present, it performs a bulk POST request to the `explore/bulk/ip2asn/ipv4`\ - \ endpoint.\n - If IPv6 addresses are present, it performs a bulk POST request\ - \ to the `explore/bulk/ip2asn/ipv6` endpoint.\n5. **Result Aggregation:** The\ - \ action collects the ASN information (including ASN number, organization, and\ - \ routing details) for all valid IPs and returns the aggregated data as a JSON\ - \ result.\n\n### Additional Notes\n- The action supports a maximum of 100 IP addresses\ - \ per single execution.\n- Although the script iterates over the `target_entities`\ - \ in the environment for logging purposes, the actual lookup logic is driven exclusively\ - \ by the values provided in the `Ips` parameter." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (ASN data) for IP addresses, + which aligns with the 'Enrich IOC' category. It does not perform any other operations + like ticket creation, host containment, or alert modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves comprehensive IP information (such as ASN details) for a provided list + of IPv4 and IPv6 addresses using the Silent Push API. This action validates the + input IPs, categorizes them into IPv4 and IPv6, and queries the Silent Push platform + for ASN information. The gathered data is returned in the action output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Ips | string | Yes | Comma-separated list of IP addresses to retrieve information + for. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. + + 2. **Input Processing**: The `Ips` parameter is extracted and split into a list + of individual IP addresses. + + 3. **Validation**: The action validates each IP address to determine if it is + IPv4 or IPv6 using the `SilentPushManager`. + + 4. **Data Retrieval**: The action queries the Silent Push API (`explore/bulk/ip2asn`) + for the validated IPv4 and IPv6 addresses. + + 5. **Output**: The gathered IP information is formatted and returned as the action + result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1639,8 +2249,17 @@ List IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET/POST request to an external API to retrieve IP information + (enrichment). It does not modify the state of the external system (no blocking/quarantine), + nor does it modify internal Google SecOps data (no entity updates, insights, + or comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + (enrichment). It does not mutate external systems or modify internal data, satisfying + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1656,14 +2275,50 @@ List IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use the `target_entities` list to perform its logic; it + relies solely on the `Ips` parameter provided in the action settings. The iteration + over `target_entities` in the code is for logging purposes only and does not + influence the action's execution or data processing. Live URL Scan: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves hosting metadata for a URL, which is an indicator of compromise + (IOC). This matches the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Live URL Scan** action performs a real-time scan of a specified URL using - the Silent Push platform to retrieve comprehensive hosting metadata. This action - is designed to provide technical insights into how a URL is served across various - environments, including different platforms, operating systems, and browsers. + This action performs a live scan of a specified URL using the Silent Push platform + to retrieve detailed hosting metadata. It allows analysts to gather intelligence + on a URL by specifying the environment (platform, OS, browser, and region) in + which the scan should be executed. ### Parameters Description @@ -1672,51 +2327,37 @@ Live URL Scan: | :--- | :--- | :--- | :--- | - | **URL** | String | Yes | The target URL to be scanned for hosting metadata. - | - - | **Platform** | String | No | The device platform to simulate during the scan. - Supported values: `Desktop`, `Mobile`, `Crawler`. | - - | **Os** | String | No | The operating system to simulate during the scan. Supported - values: `Windows`, `Linux`, `MacOS`, `iOS`, `Android`. | - - | **Browser** | String | No | The web browser to simulate during the scan. Supported - values: `Firefox`, `Chrome`, `Edge`, `Safari`. | - - | **Region** | String | No | The geographic region from which the scan request - should originate. Supported values: `US`, `EU`, `AS`, `TOR`. | - + | URL | string | Yes | The URL to be scanned. | - ### Additional Notes + | Platform | string | No | The device platform to perform the scan with (e.g., + Desktop, Mobile, Crawler). | - - This action operates primarily on the provided **URL** parameter rather than - iterating through SecOps entities. + | Os | string | No | The operating system to perform the scan with (e.g., Windows, + Linux, MacOS, iOS, Android). | - - The action includes built-in validation for optional parameters; providing a - value outside the supported lists will result in an execution failure. + | Browser | string | No | The browser to perform the scan with (e.g., Firefox, + Chrome, Edge, Safari). | - - If the Silent Push API returns no scan data for the specified URL, the action - will terminate with a failure status. + | Region | string | No | The region from where the scan should be performed (e.g., + US, EU, AS, TOR). | ### Flow Description - 1. **Initialization:** The action extracts the integration configuration (Server - URL and API Key) and the user-provided action parameters. + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - 2. **Validation:** It validates the optional simulation parameters (Platform, - OS, Browser, Region) against allowed values to ensure a successful API request. + 2. **Parameter Extraction**: It extracts the URL and optional environment parameters + (Platform, OS, Browser, Region) provided by the user. - 3. **API Request:** The action sends a GET request to the Silent Push `scanondemand` - endpoint with the specified URL and simulation criteria. + 3. **Validation**: The action validates the provided environment parameters against + a predefined list of allowed values. - 4. **Data Processing:** It parses the API response to extract hosting metadata - and scan results. + 4. **API Interaction**: It calls the Silent Push `explore/tools/scanondemand` + endpoint to initiate the live URL scan. - 5. **Output Generation:** The retrieved scan data is formatted and added to the - action's result JSON, providing the user with a detailed summary of the URL's - hosting environment. + 5. **Result Processing**: The action formats the scan results and returns them + as a JSON object in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1727,8 +2368,15 @@ Live URL Scan: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve scan data + for a URL. It does not modify any external or internal systems, nor does it + update entities or create insights. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal state. It fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1744,52 +2392,77 @@ Live URL Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities to perform the scan; it uses the provided URL + parameter. The code iterates over `target_entities` only for logging purposes, + not for processing. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations such as enrichment, ticketing, containment, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Silent Push API. It ensures that the provided configuration - parameters, such as the Server URL and API Key, are valid and that the network - path is open. + This action tests the connectivity to the Silent Push platform to ensure that + the provided API credentials and server URL are valid and functional. It performs + a lightweight API request to verify the connection, providing immediate feedback + on the integration's status. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Silent Push Server | String | Yes | The base URL of the Silent Push API instance - (Configuration Parameter). | - - | API Key | String | Yes | The API key used for authentication with Silent Push - (Configuration Parameter). | - - - ### Additional Notes - - * There are no action-specific parameters for this action; it relies entirely - on the integration's configuration. + | Silent Push Server | String | Yes | The base URL of the Silent Push API server. + | - * This action does not interact with or process any entities. + | API Key | String | Yes | The API key used for authenticating requests to the + Silent Push platform. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the 'Silent Push Server' and - 'API Key' from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the `Silent Push Server` + URL and `API Key` from the integration configuration. - 2. **Manager Initialization:** It initializes the `SilentPushManager` with the - extracted credentials. + 2. **Initialization**: The `SilentPushManager` is initialized with the provided + credentials. - 3. **Connectivity Test:** It executes the `test_connection` method, which performs - a lightweight API call (a domain search with a limit of 1) to validate the credentials - and server reachability. + 3. **Connectivity Test**: The action calls the `test_connection` method, which + performs a sample API request (e.g., `search_domains`) to validate the connection. - 4. **Action Completion:** If the API call succeeds, the action completes with - a success message. If it fails (e.g., due to invalid credentials or network issues), - it reports the error and fails the execution. + 4. **Result Reporting**: Based on the response, the action logs the success or + failure of the connection and terminates with the appropriate status message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1798,10 +2471,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a GET request to the Silent + Push API. It does not modify external or internal data, nor does it interact + with entities or alerts. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being categorized + as an enrichment action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1817,104 +2497,76 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. Reverse Padns Lookup: - ai_description: >- - ### General Description - - This action performs a reverse Passive DNS (PADNS) lookup using the Silent Push - platform. While a forward DNS lookup resolves a hostname to an IP, a reverse PADNS - lookup identifies all domain names associated with a specific DNS record value - (the 'answer'). This allows analysts to find all domains pointing to a specific - Name Server (NS), Mail Server (MX), or IP address, which is critical for infrastructure - mapping and identifying related malicious assets. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Qtype | string | No | The DNS record type to search for (e.g., 'ns', 'a', 'mx', - 'aaaa'). Defaults to 'ns'. | - - | Qname | string | Yes | The DNS record value (the answer) to lookup (e.g., 'ns1.example.com'). - | - - | Netmask | string | No | A netmask to filter the lookup results. | - - | subdomain | string | No | A flag to include subdomains in the lookup results. - | - - | Regex | string | No | A regular expression to filter the returned DNS records. - | - - | Match | string | No | The type of match for the query (e.g., 'exact', 'partial'). - | - - | First Seen After | string | No | Filter results to include only records first - seen after this date (YYYY-MM-DD). | - - | First Seen Before | string | No | Filter results to include only records first - seen before this date (YYYY-MM-DD). | - - | Last Seen After | string | No | Filter results to include only records last - seen after this date (YYYY-MM-DD). | - - | Last Seen Before | string | No | Filter results to include only records last - seen before this date (YYYY-MM-DD). | - - | As Of | string | No | Retrieve DNS records as they existed at a specific point - in time. | - - | Sort | string | No | The field by which to sort the results (e.g., 'date'). - | - - | Output Format | string | No | The format for the returned results (e.g., 'JSON'). - | - - | Prefer | string | No | Preference for specific DNS servers or data sources. - | - - | With Metadata | string | No | Flag to include additional metadata in the DNS - records. | - - | Max Wait | string | No | Maximum seconds to wait for the API to return results. - | - - | Skip | string | No | Number of results to skip for pagination. | - - | Limit | string | No | Maximum number of results to return. | - - - ### Additional Notes - - Although the script iterates through the entities present in the Google SecOps - scope, it does not use the entity identifiers to perform the lookup. The search - is entirely driven by the `Qname` and `Qtype` action parameters provided by the - user or playbook. - - - ### Flow Description - - 1. **Initialization**: The action retrieves the Silent Push API key and Server - URL from the integration configuration. - - 2. **Parameter Extraction**: It extracts 18 potential search and filter parameters - from the action input, with `Qname` being the primary mandatory search term. - - 3. **API Request**: The action initializes the `SilentPushManager` and executes - a GET request to the reverse PADNS endpoint (`explore/padns/lookup/answer`). - - 4. **Data Processing**: It parses the JSON response from Silent Push, specifically - looking for the `records` list within the response object. - - 5. **Error Handling**: The script validates the response; if the API returns an - error or if no records are found for the given criteria, the action is marked - as failed. - - 6. **Finalization**: If successful, the DNS records are returned as a JSON result, - and the action completes. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves Passive DNS records, which provides threat intelligence + and context for an indicator. This aligns with the 'Enrich IOC' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action performs a reverse Passive\ + \ DNS (PADNS) lookup using the Silent Push platform. It retrieves historical DNS\ + \ record associations for a given query name (`Qname`) and record type (`Qtype`),\ + \ allowing analysts to identify infrastructure linked to specific domains or IP\ + \ addresses. This provides valuable threat intelligence and context for investigations.\n\ + \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the Silent Push API key and server URL from the integration configuration.\n\ + 2. **Parameter Extraction**: It extracts the required `Qname` and `Qtype`, along\ + \ with optional filtering parameters (e.g., `Netmask`, `Regex`, `Date` filters,\ + \ `Limit`).\n3. **API Request**: The action sends a GET request to the Silent\ + \ Push `explore/padns/lookup/answer` endpoint with the specified parameters.\n\ + 4. **Response Handling**: \n - If records are found, the action returns the\ + \ data and marks the execution as completed.\n - If no records are found or\ + \ an API error occurs, the action logs the failure and terminates.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Qtype | string | No | DNS record type (e.g., 'ns', 'a', 'mx').\ + \ Defaults to 'ns'. |\n| Qname | string | Yes | The DNS record name to lookup.\ + \ |\n| Netmask | string | No | The netmask to filter the lookup results. |\n|\ + \ Subdomains | string | No | Flag to include subdomains in the lookup results.\ + \ |\n| Regex | string | No | Regular expression to filter the DNS records. |\n\ + | Match | string | No | Type of match for the query (e.g., exact, partial). |\n\ + | First Seen After | string | No | Filter results to include only records first\ + \ seen after this date. |\n| First Seen Before | string | No | Filter results\ + \ to include only records first seen before this date. |\n| Last Seen After |\ + \ string | No | Filter results to include only records last seen after this date.\ + \ |\n| Last Seen Before | string | No | Filter results to include only records\ + \ last seen before this date. |\n| As Of | string | No | Date or time to get the\ + \ DNS records as of a specific point in time. |\n| Sort | string | No | Sort the\ + \ results by the specified field (e.g., date, score). |\n| Output Format | string\ + \ | No | The format in which the results should be returned (e.g., JSON, XML).\ + \ |\n| Prefer | string | No | Preference for specific DNS servers or sources.\ + \ |\n| With Metadata | string | No | Flag to include metadata in the DNS records.\ + \ |\n| Max Wait | string | No | Maximum number of seconds to wait for results\ + \ before timing out. |\n| Skip | string | No | Number of results to skip for pagination\ + \ purposes. |\n| Limit | string | No | Maximum number of results to return. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -1925,8 +2577,16 @@ Reverse Padns Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve Passive + DNS data. It does not modify any external systems, nor does it update internal + SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual threat intelligence (Passive DNS records) from + an external source without modifying any external or internal systems. It meets + all criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1942,65 +2602,68 @@ Reverse Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize entities to perform its lookup; it relies entirely + on the 'Qname' parameter provided in the action configuration. The loop over + 'target_entities' in the code is used only for logging purposes and does not + influence the API request logic. Run Threat check: - ai_description: >- - ### General Description - - The **Run Threat check** action queries the Silent Push Threat Check API to retrieve - intelligence on a specific indicator, such as an IP address or domain. It allows - users to verify if a value is present within a specific Silent Push data source - (e.g., 'iofa') and returns the associated threat data. This action is primarily - used for manual or automated lookups of indicators that may not be directly associated - with the current alert's entities. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Data** | string | Yes | The name of the Silent Push data source to query (e.g., - 'iofa'). | - - | **Query** | string | Yes | The specific value to check for threats, such as - an IP address or a domain name. | - - | **Type** | string | Yes | The type of the value being queried (e.g., 'ip', 'domain'). - | - - | **User Identifier** | string | Yes | A unique identifier for the user making - the request, used by Silent Push for tracking and auditing. | - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies entirely on the manually provided **Query** parameter. - - - Although the underlying script attempts to extract `Feed UUID` and `ASN` parameters, - these are not defined in the action's metadata and are only used for error logging - purposes. - - - The action does not update entity attributes, create insights, or add case comments - within Google SecOps; it only returns the raw API result in the output message. - - - ### Flow Description - - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration's global configuration. - - 2. **Parameter Retrieval:** Extracts the data source, query value, query type, - and user identifier from the action's input parameters. - - 3. **API Interaction:** Executes a GET request to the Silent Push Threat Check - API endpoint (`https://api.threatcheck.silentpush.com/v1/`) using the provided - parameters. - - 4. **Result Processing:** If the API returns data, the action formats the response - into an output message. If no data is found or the request fails, the action terminates - with a failure status and logs the error. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation/threat check) for a given + indicator (IP or domain) from the Silent Push platform. This matches the 'Enrich + IOC' category. It does not perform any containment, ticket creation, or alert + modification. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "The 'Run Threat check' action retrieves threat intelligence for\ + \ a specified indicator (such as an IP address or domain) from the Silent Push\ + \ platform. This action is designed to provide context on potential threats by\ + \ querying the Silent Push API with user-provided parameters.\n\n### Flow Description\n\ + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL\ + \ and API key from the integration configuration.\n2. **Parameter Extraction**:\ + \ It extracts the required input parameters: `Data`, `Type`, `User Identifier`,\ + \ and `Query`.\n3. **Threat Check Execution**: The action initializes the `SilentPushManager`\ + \ and calls the `run_threat_check` method, which performs a GET request to the\ + \ Silent Push API to fetch threat information.\n4. **Result Handling**: \n -\ + \ If the API returns data, the action logs the result and completes successfully.\n\ + \ - If the API fails or returns no data, the action logs an error and terminates\ + \ with a failed status.\n5. **Logging**: The action logs the status, result value,\ + \ and output message for audit purposes.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Data |\ + \ string | Yes | The name of the data source to query (e.g., 'iofa'). |\n| Query\ + \ | string | Yes | The value to check for threats (e.g., an IP address or domain).\ + \ |\n| Type | string | Yes | The type of the value being queried (e.g., 'ip',\ + \ 'domain'). |\n| User Identifier | string | Yes | A unique identifier for the\ + \ user making the request. |\n\n### Additional Notes\nThis action does not perform\ + \ any operations on entities within the Google SecOps platform, despite iterating\ + \ over them for logging purposes. It relies entirely on the provided action parameters\ + \ to execute the threat check." capabilities: can_create_case_comments: false can_create_insight: false @@ -2011,8 +2674,16 @@ Run Threat check: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches threat intelligence data from the Silent Push API using the + `run_threat_check` method. It does not perform any external or internal mutations, + nor does it update entities, create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data from the Silent Push API. It does + not mutate any external or internal data. It meets the criteria for an enrichment + action as it proactively fetches data and preserves system states. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2028,14 +2699,51 @@ Run Threat check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to log their identifiers, + but does not perform any filtering or operations on the entities themselves. + The action relies on provided action parameters for its execution rather than + entity data. Screenshot URL: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action generates a screenshot of a URL and returns the URL of the screenshot. + It does not perform any of the defined actions such as enriching IOCs, updating + alerts, or containing hosts. Therefore, it does not match any of the product + categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Screenshot URL** action generates a visual capture of a specified web address - using the Silent Push platform. This capability allows security analysts to safely - inspect the content of a URL without direct interaction, facilitating the investigation - of phishing, malware distribution, or suspicious landing pages. + Generates a screenshot of a specified URL using the Silent Push API. This action + retrieves a visual representation of the target URL, validates the screenshot's + accessibility, and returns the screenshot URL as a result. ### Parameters Description @@ -2044,35 +2752,25 @@ Screenshot URL: | :--- | :--- | :--- | :--- | - | URL | String | Yes | The full web address (e.g., https://example.com) to be - screenshotted. | - + | URL | string | Yes | The URL for the screenshot. | - ### Flow Description - 1. **Setup**: Extracts the Silent Push API credentials and the target URL from - the action parameters. + ### Additional Notes - 2. **Screenshot Generation**: Communicates with the Silent Push API's `scanondemand` - endpoint to request a live screenshot of the provided URL. + None. - 3. **Response Parsing**: Validates the API response to ensure a screenshot URL - was successfully generated and returned. - 4. **Image Verification**: Performs an HTTP GET request to the resulting image - URL to verify that the file is accessible and the capture was successful. + ### Flow Description - 5. **Completion**: Returns the URL of the generated screenshot as a JSON result - for use in subsequent playbook steps or manual review. + 1. Extract configuration (Server URL, API Key) and the `URL` parameter. + 2. Call the Silent Push API to generate the screenshot. - ### Additional Notes + 3. Validate the API response and ensure the screenshot URL is present. - - This action is driven by the `URL` input parameter and does not automatically - map or filter based on existing case entities. + 4. Download the image to verify it is accessible. - - Because the action involves downloading/verifying a file (the screenshot image), - it is not classified as a standard enrichment action. + 5. Return the screenshot URL in the action result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -2083,8 +2781,16 @@ Screenshot URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Silent Push API (fetches_data=true). It does + not mutate external data (no POST/PUT/DELETE). It does not mutate internal data + (no updates to entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches data (a screenshot URL) but does not update entities, create + insights, or add comments. It does not meet the criteria for an Enrichment Action + as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2100,64 +2806,89 @@ Screenshot URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` but only to print them. It + does not use them to perform the action, relying instead on the `URL` parameter. + Therefore, it does not run on entities. Search Scan Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches scan data repositories using SPQL queries. This aligns with + the 'Search Events' category, which involves returning historical logs or telemetry + data matching specific search parameters. It does not match enrichment, ticket + management, or containment categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Searches Silent Push scan data repositories using SPQL queries. This action retrieves + raw scan data based on a provided query string and optional filtering parameters. - The **Search Scan Data** action enables users to search through Silent Push's - scan data repositories using SPQL (Silent Push Query Language) queries. This action - is primarily used for threat hunting and data discovery, allowing for complex - queries against raw scan data to identify infrastructure patterns or specific - assets. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Query** | String | Yes | The SPQL query string used to filter scan data (e.g., - `tld=cool`). | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | **Fields** | String | No | Specifies which fields to return in the response. - Note: The script logic currently evaluates this as a boolean presence check. | + 2. **Parameter Extraction**: It extracts the SPQL query, fields, limit, skip, + and metadata settings from the action parameters. - | **sort** | String | No | Sorting criteria for the results. | + 3. **Data Retrieval**: It calls the Silent Push API to perform a search on scan + data repositories using the provided query and filters. - | **Skip** | String | No | The number of records to skip in the response, used - for pagination. | + 4. **Result Processing**: The action processes the API response. If scan data + is found, it logs the records and completes the action. If no data is found or + an error occurs, it logs the failure and terminates. - | **Limit** | String | No | The maximum number of records to return. | - | **With Metadata** | Boolean | No | Whether to include metadata in the response. - Defaults to `true`. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - This action is a standalone search tool and does not utilize or enrich entities - (IPs, Domains, etc.) currently present in the Google SecOps case. It relies entirely - on the manual `Query` input. + | Query | string | Yes | The SPQL query string used to search the scan data. | - - If the search returns no results, the action will terminate with a failure state. + | Fields | string | No | Specific fields to return in the response. | + | sort | string | No | Sorting criteria for the returned results. | - ### Flow Description + | Skip | string | No | The number of records to skip in the response. | - 1. **Configuration**: Retrieves the Silent Push Server URL and API Key from the - integration settings. + | Limit | string | No | The maximum number of results to return. | - 2. **Input Parsing**: Extracts the SPQL query and optional parameters (Limit, - Skip, Fields, Metadata) from the action configuration. + | With Metadata | boolean | No | Whether to include metadata in the response. + Defaults to true. | - 3. **API Execution**: Performs a POST request to the Silent Push `explore/scandata/search/raw` - endpoint with the provided query. - 4. **Response Handling**: Parses the `scandata_raw` results from the API response. + ### Additional Notes - 5. **Finalization**: Logs the number of records found and completes the execution. - If no records are found, it logs an error and fails the action. + This action does not perform any operations on entities, despite iterating over + them for logging purposes. It is strictly a search and retrieval action. capabilities: can_create_case_comments: false can_create_insight: false @@ -2168,8 +2899,17 @@ Search Scan Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to search for scan + data. It retrieves data (fetches_data=true) but does not modify any external + systems (can_mutate_external_data=false) or internal SecOps data (can_mutate_internal_data=false). + It does not update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + While the action fetches data, it is not an enrichment action because it does + not gather context about specific entities or alerts. It is a general search + operation against an external repository. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2185,16 +2925,51 @@ Search Scan Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + for logging purposes. It does not use these entities to filter the search or + perform any logic, therefore it does not run on entities. search domains: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action searches for domains based on criteria and returns a list of records. + This aligns with the 'Search Events' category, which involves returning historical + logs or telemetry data matching specific search parameters. It does not enrich + a specific IOC, update alerts, or perform containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action searches for domains within the Silent Push platform using a wide - variety of filtering criteria. It allows security analysts to perform advanced - discovery of infrastructure by querying domain names, name servers, ASNs, registrars, - and SSL certificate issuers. The action is primarily used for threat hunting and - infrastructure mapping, returning a list of domain records that match the specified - search parameters. + The `search_domains` action allows analysts to query the Silent Push platform + for domains based on a wide range of filtering criteria. This action is useful + for threat hunting and intelligence gathering, enabling users to identify domains + associated with specific infrastructure, registrars, or risk profiles. ### Parameters Description @@ -2206,11 +2981,10 @@ search domains: | Domain | string | No | Name or wildcard pattern of domain names to search for. | - | Domain Regex | string | No | A valid RE2 regex pattern to match domains. If - provided, this typically overrides the standard domain argument. | + | Domain Regex | string | No | A valid RE2 regex pattern to match domains. | - | Name Server | string | No | Name server name or wildcard pattern used by the - domains. | + | Name Server | string | No | Name server name or wildcard pattern of the name + server used by domains. | | Asnum | string | No | Autonomous System (AS) number to filter domains. | @@ -2227,45 +3001,41 @@ search domains: | | Certificate Issuer | string | No | Filter domains that had SSL certificates - issued by the specified certificate issuer. Wildcards are supported. | + issued by the specified certificate issuer. | | Whois Date After | string | No | Filter domains with a WHOIS creation date after - this date (format: YYYY-MM-DD). | + this date (YYYY-MM-DD). | - | Skip | string | No | Number of results to skip in the search query (used for - pagination). | + | Skip | string | No | Number of results to skip in the search query. | - | Limit | string | No | Number of results to return. Defaults to the SilentPush - API's default behavior. | + | Limit | string | No | Number of results to return. | + | Start Date | string | No | Start date for domain search (YYYY-MM-DD). | - ### Additional Notes + | End Date | string | No | End date for domain search (YYYY-MM-DD). | - * The underlying Python script also attempts to extract parameters for `Start - Date`, `End Date`, `Risk Score Min`, and `Risk Score Max`, although these are - not explicitly defined in the provided YAML configuration. + | Risk Score Min | string | No | Minimum risk score filter. | - * The action returns the search results as a string representation of the records - list in the output message. + | Risk Score Max | string | No | Maximum risk score filter. | ### Flow Description - 1. **Initialization**: The action initializes the `SilentPushManager` using the - integration's Server URL and API Key. + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - 2. **Parameter Extraction**: It retrieves all search filters from the action - parameters, including domain patterns, regex, network identifiers (ASN), and registration - details. + 2. **Parameter Extraction**: It extracts all provided search filters from the + action parameters. - 3. **API Request**: It performs a GET request to the Silent Push `explore/domain/search` - endpoint, passing the filtered parameters as query arguments. + 3. **Initialization**: The `SilentPushManager` is initialized with the retrieved + credentials. - 4. **Response Processing**: The action parses the JSON response to extract the - list of domain records found. + 4. **Execution**: The action calls the `search_domains` method of the manager, + passing all filters to the Silent Push API. - 5. **Completion**: It sets the action's output message to include the retrieved - records and marks the execution as completed. + 5. **Result Processing**: The action processes the API response. If records are + found, they are returned in the output message; otherwise, a 'No domains found' + message is returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -2276,8 +3046,17 @@ search domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to search for domains + based on provided parameters. It does not modify any external systems, nor does + it update internal SOAR entities or case data. It is a read-only search operation. categories: enrichment: false + reasoning: >- + The action is a search/query tool that retrieves data from an external API. + It does not meet the criteria for an Enrichment Action because it does not operate + on specific entities to enrich them; rather, it performs a broad search based + on user-provided parameters. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2293,3 +3072,7 @@ search domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + to the logs. It does not use these entities to filter the search or perform + any logic on them. Therefore, it does not run on entities. diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..c1551fbb3 --- /dev/null +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Silent Push integration is a threat intelligence platform that provides proactive + threat detection and enrichment capabilities. Its primary functions include retrieving + reputation data, DNS records, ASN information, and infrastructure tags for indicators + such as IPs, domains, and ASNs. These capabilities directly align with the 'Threat + Intelligence' category, as the integration is used to enrich indicators and provide + context for security investigations. It does not perform SIEM log analysis, EDR + host-level actions, network security blocking at the gateway, or other operational + tasks like ITSM ticketing or IAM management. Therefore, it is classified solely + under Threat Intelligence. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml index 6a797b13d..c988d0218 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml @@ -1,11 +1,43 @@ Change Policy State: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action modifies the state of an authentication policy in Silverfort. None + of the provided categories (e.g., Update Identity, Update Alert, Contain Host) + specifically cover 'Update Policy'. Therefore, all flags are set to false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action enables or disables an authentication policy in Silverfort. It allows - security analysts to quickly toggle the active state of a policy without needing - to modify its underlying configuration. This is useful for emergency containment - or temporary policy adjustments during an incident. + This action enables or disables an authentication policy within the Silverfort + platform. It allows analysts to quickly toggle a policy's active state without + modifying its underlying configuration, facilitating rapid response to security + events or policy adjustments. ### Parameters Description @@ -14,27 +46,26 @@ Change Policy State: | :--- | :--- | :--- | :--- | - | Policy ID | string | Yes | The unique identifier of the Silverfort policy to - be enabled or disabled. | + | Policy ID | string | Yes | The unique identifier of the policy to enable or + disable. | - | Enable Policy | boolean | Yes | Set to `true` to enable the policy or `false` - to disable it. | + | Enable Policy | boolean | Yes | Set to true to enable the policy, or false to + disable it. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the desired - `Enable Policy` state from the user input. + 1. The action extracts the `Policy ID` and `Enable Policy` parameters from the + action configuration. - 2. **API Client Initialization**: It initializes the Silverfort Policy API client - using the configured integration credentials. + 2. It initializes the Silverfort Policy API client using the provided integration + credentials. - 3. **State Change Request**: The action sends a POST request to the Silverfort - `/v1/public/changePolicyState` endpoint with the policy ID and the target state. + 3. It sends a POST request to the Silverfort API endpoint `/v1/public/changePolicyState` + with the specified `policy_id` and `state`. - 4. **Result Processing**: Upon a successful API response, the action constructs - a JSON result containing the policy ID and its new status, and provides a success - message to the SOAR case wall. + 4. Upon a successful API response, it returns a success message indicating the + policy has been enabled or disabled. capabilities: can_create_case_comments: false can_create_insight: false @@ -43,13 +74,19 @@ Change Policy State: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the 'enabled' or 'disabled' state of an authentication policy - within the Silverfort platform via a POST request to the /v1/public/changePolicyState - endpoint. + Changes the active state (enabled/disabled) of an authentication policy in the + Silverfort platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to change the state + of a policy. It does not fetch data, nor does it modify internal SOAR data or + entities. categories: enrichment: false + reasoning: >- + The action performs a state change on an external system (Silverfort) and does + not fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -65,52 +102,82 @@ Change Policy State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on parameters + provided in the action configuration. Get Entity Risk: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves risk scores, severity, and risk factors for a user or resource. + This matches the 'Enrich Asset' category, which involves returning contextual + metadata for a user or resource. It does not match 'Enrich IOC' as it targets + users/resources rather than indicators of compromise. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action retrieves detailed risk information for a specific user or resource - from the Silverfort Identity Security platform. It provides visibility into the - security posture of an entity by returning its current risk score, severity level - (e.g., Low, Medium, High, Critical), and specific risk factors identified by Silverfort's - analysis engine. + This action retrieves risk information for a user or resource from Silverfort. + It fetches the current risk score, severity, and risk factors associated with + the specified entity, providing valuable context for security investigations. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | User Principal Name | String | No* | The User Principal Name (UPN) of the user - (e.g., user@domain.com). | + | User Principal Name | string | No | The user principal name (e.g., user@domain.com). + Either this or 'Resource Name' must be provided. | - | Resource Name | String | No* | The name of the resource for non-user entities. - | + | Resource Name | string | No | The resource name for non-user entities. Either + this or 'User Principal Name' must be provided. | - **Additional Notes:** Either the 'User Principal Name' or the 'Resource Name' - must be provided for the action to execute successfully. If both are missing, - the action will fail with a validation error. + ### Additional Notes + + Either 'User Principal Name' or 'Resource Name' must be configured for the action + to run successfully. If both are missing, the action will fail. ### Flow Description 1. **Parameter Extraction**: The action extracts the 'User Principal Name' and - 'Resource Name' from the input parameters. + 'Resource Name' from the action configuration. - 2. **Validation**: It validates that at least one of the two identifiers is provided - to ensure the API request has a target entity. + 2. **Validation**: It validates that at least one of the parameters is provided. - 3. **API Client Initialization**: The action initializes the Silverfort Risk API - client using the integration's configured credentials and API root. + 3. **API Interaction**: It initializes the Silverfort Risk API client and performs + a GET request to retrieve the risk data for the specified entity. - 4. **Data Retrieval**: It performs a GET request to the Silverfort `/v1/public/getEntityRisk` - endpoint using the provided identifier. - - 5. **Result Processing**: The action captures the risk score, severity, and risk - factors from the API response, stores them in the action's JSON results, and generates - a success message for the case wall. + 4. **Result Processing**: The retrieved risk information is set as the JSON result + for the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -121,8 +188,17 @@ Get Entity Risk: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silverfort API to retrieve risk information + for a user or resource. It does not perform any write operations on external + systems, nor does it modify any internal SOAR data (such as updating entities + or creating insights). categories: enrichment: true + reasoning: >- + The action fetches contextual risk data for entities (users/resources) without + modifying any external or internal systems. This fits the definition of an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -138,14 +214,49 @@ Get Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over the `target_entities` list. It accepts parameters + directly from the action configuration to identify the user or resource. Get Policy: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves policy configuration from Silverfort. It does not match + any of the specific categories like enrichment, containment, or ticket management. + It is a read-only information retrieval action. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Policy** action retrieves comprehensive configuration details for a - specific authentication policy within the Silverfort platform. It is used to inspect - policy settings, including associated users, groups, source/destination constraints, - and the specific security actions (e.g., MFA, Block) defined for that policy. + Retrieves detailed configuration information for a specific authentication policy + from Silverfort using its unique Policy ID. This action allows analysts to inspect + policy settings, including users, groups, sources, destinations, and action settings, + directly from the Silverfort platform. ### Parameters Description @@ -154,33 +265,22 @@ Get Policy: | :--- | :--- | :--- | :--- | - | **Policy ID** | String | Yes | The unique identifier of the Silverfort policy - to retrieve. | + | Policy ID | string | Yes | The unique identifier of the policy to retrieve. + | ### Flow Description - 1. **Parameter Extraction:** The action extracts the mandatory `Policy ID` from - the input parameters. - - 2. **Client Initialization:** It initializes an authenticated connection to the - Silverfort Policies API using the configured credentials. + 1. The action extracts the `Policy ID` parameter provided by the user. - 3. **Data Retrieval:** The action sends a GET request to the Silverfort API endpoint - `/v2/public/policies/{policy_id}` to fetch the policy details. + 2. It initializes the Silverfort Policy API client using the configured integration + credentials. - 4. **Result Processing:** The retrieved policy configuration is parsed into a - structured JSON object and returned as the action's result, providing visibility - into the policy's state and rules. + 3. It performs a GET request to the Silverfort API endpoint (`/v2/public/policies/{policy_id}`) + to fetch the policy details. - - ### Additional Notes - - - This action does not operate on SOAR entities; it requires a specific Policy - ID as input. - - - The returned data includes detailed configuration such as authentication types, - protocols, and destination services. + 4. The retrieved policy configuration is returned as a JSON result, and a success + message is generated. capabilities: can_create_case_comments: false can_create_insight: false @@ -191,8 +291,16 @@ Get Policy: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve policy details from the Silverfort + API. It does not modify any external systems or internal SOAR data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action retrieves policy configuration data. It does not enrich entities + or alerts, nor does it modify any state. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -208,50 +316,75 @@ Get Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a `Policy ID` as a direct + input parameter to fetch policy configuration. Get Service Account: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves detailed attributes for a service account, which is a resource. + This matches the 'Enrich Asset' category. It does not perform any mutations + or alert updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - Retrieves detailed information about a specific service account from Silverfort - using its unique identifier (GUID). This action provides comprehensive attributes - for the account, including its risk score, predictability, protection status, - authentication counts, and privilege levels. It is primarily used for deep-dive - investigation into service account behavior and security posture within the Silverfort - environment. + by its GUID. The action extracts the GUID from the input parameters, queries the + Silverfort API, and returns the account's attributes, including risk, predictability, + and protection status. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the `Service Account GUID` parameter provided by the user. - | :--- | :--- | :--- | :--- | + 2. It initializes the `ServiceAccountApiClient` to communicate with the Silverfort + API. - | Service Account GUID | String | Yes | The unique identifier (GUID) of the service - account to retrieve from Silverfort. | + 3. It performs a GET request to the Silverfort API using the provided GUID to + retrieve the service account details. + 4. The retrieved service account data is returned as a JSON result. - ### Additional Notes - This action does not automatically iterate over entities in the Google SecOps - case. It requires the specific GUID of the service account to be provided as an - input parameter. The results are returned as a JSON object for use in downstream - playbook logic. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: The action extracts the mandatory `Service Account - GUID` from the input parameters. + | Service Account GUID | string | Yes | The unique identifier of the service account + to retrieve. | - 2. **Client Initialization**: It initializes the Silverfort Service Account API - client using the configured integration credentials and an authenticated JWT session. - 3. **Data Retrieval**: The action performs a GET request to the Silverfort API - endpoint `/v1/public/serviceAccounts/{guid}` to fetch the account's metadata. + ### Additional Notes - 4. **Result Processing**: The retrieved service account data is converted to a - JSON format and attached to the action's results. A success message is generated - containing the account's display name or UPN. + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -262,8 +395,16 @@ Get Service Account: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve service account details from the + Silverfort API. It does not mutate any external or internal data, nor does it + update entities or create insights. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external system but does not operate on or update + any SOAR entities or alerts. Therefore, it does not meet the criteria for an + Enrichment Action, which requires gathering context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -279,61 +420,72 @@ Get Service Account: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use entity-specific + identifiers from the SOAR entity model. It retrieves a service account GUID + via a parameter, so it does not run on entities. List Policies: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action lists policies from Silverfort. It does not match any of the defined + product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Lists all authentication policies from Silverfort with optional field filtering. + This action retrieves a list of policies and their configurations from the Silverfort + API. - This action retrieves a comprehensive list of authentication policies from the - Silverfort Identity Security platform. It allows users to fetch all configured - policies or filter the response to include only specific fields of interest, such - as policy names, status, authentication types, and protocols. This is primarily - used for auditing, configuration review, or as a helper step in automation playbooks - to identify existing security controls. + ### Flow - ### Parameters Description + 1. Extract the optional 'Fields' parameter from the action configuration. - | Parameter | Description | Type | Mandatory | + 2. Validate the provided fields against the allowed list of policy fields. - | :--- | :--- | :--- | :--- | + 3. Call the Silverfort API to retrieve the list of policies. - | Fields | A comma-separated list of specific policy attributes to include in - the response (e.g., `enabled, policyName, action`). If left empty, all available - fields are returned. Valid fields include: `enabled`, `policyName`, `authType`, - `protocols`, `policyType`, `allUsersAndGroups`, `usersAndGroups`, `allDevices`, - `sources`, `allDestinations`, `destinations`, `action`, `MFAPrompt`, `all`, `bridgeType`. - | String | No | + 4. Return the retrieved policies as a JSON result. - ### Additional Notes - - - If invalid fields are provided in the `Fields` parameter, the action will log - a warning and ignore the invalid entries while continuing to process the valid - ones. - - - This action does not require or interact with any specific entities (like IPs - or Users) from the Google SecOps case; it performs a global query against the - Silverfort environment. - + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the `Fields` input provided - by the user. + | :--- | :--- | :--- | :--- | - 2. **Field Validation:** If fields are specified, the script parses the comma-separated - string and validates each field against the supported Silverfort policy schema. - Invalid fields are logged as warnings. + | Fields | string | No | Comma-separated list of fields to include in the response. + If not specified, all fields are returned. | - 3. **API Client Initialization:** The action initializes a `PolicyApiClient` using - the integration's configured API Root and credentials (JWT-based authentication). - 4. **Data Retrieval:** The action sends a request to the Silverfort `/v2/public/policies/index` - endpoint to fetch the policy data. + ### Additional Notes - 5. **Result Processing:** The retrieved list of policies is converted into a JSON - format and attached to the action's results. A success message indicating the - total count of policies found is generated. + - The action does not require any entities to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -344,8 +496,14 @@ List Policies: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches a list of policies from the Silverfort API. It does not mutate + any external or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data but does not enrich alerts or entities, so it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -361,64 +519,85 @@ List Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any entities. List Service Accounts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of service accounts and their attributes from Silverfort. + This provides contextual metadata about these resources, which aligns with the + 'Enrich Asset' category. It does not perform any mutations or specific alert + updates. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Lists service accounts from the Silverfort system with optional pagination and + field filtering. This action retrieves a list of service accounts and their associated + attributes, such as GUID, display name, risk level, and ownership information. - The **List Service Accounts** action retrieves a paginated list of service accounts - from the Silverfort platform. This action is primarily used for discovery and - auditing of service accounts within the environment, providing details such as - risk levels, protection status, and authentication patterns. It allows security - analysts to query the Silverfort inventory without targeting specific entities - in a case. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction**: The action extracts the `Page Size`, `Page Number`, + and `Fields` parameters from the configuration. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. **Field Validation**: If specific fields are requested, the action validates + them against a predefined list of valid service account fields. Invalid fields + are ignored, and a warning is logged. - | **Page Size** | String | No | The number of results to return per page (range - 1-100). Defaults to 50. | + 3. **API Interaction**: The action initializes the `ServiceAccountApiClient` and + makes a POST request to the Silverfort `/v1/public/serviceAccounts/index` endpoint + to retrieve the service accounts. - | **Page Number** | String | No | The specific page number of results to retrieve. - Defaults to 1. | + 4. **Result Processing**: The retrieved service account data is parsed and returned + as a JSON result, and an output message is generated indicating the number of + accounts retrieved. - | **Fields** | String | No | A comma-separated list of specific service account - attributes to include in the response (e.g., `guid`, `risk`, `upn`). If left empty, - all available fields are returned. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the user-provided pagination - settings (Page Size and Page Number) and the list of requested fields. + | :--- | :--- | :--- | :--- | - 2. **Field Validation**: If specific fields are requested, the action validates - them against a predefined list of supported Silverfort service account attributes - (e.g., `guid`, `display_name`, `risk`). Invalid fields are logged as warnings - and ignored. + | Page Size | string | No | Number of results per page (1-100). Defaults to 50. + | - 3. **API Request**: The action initializes a connection to the Silverfort Service - Accounts API and sends a POST request to the `/v1/public/serviceAccounts/index` - endpoint to fetch the data based on the pagination and field filters. + | Page Number | string | No | Page number to retrieve. Defaults to 1. | - 4. **Result Processing**: The retrieved list of service accounts is formatted - into a JSON result, and a summary message is generated indicating the number of - accounts found on the requested page. + | Fields | string | No | Comma-separated list of fields to include in the response. + If not specified, all fields are returned. | ### Additional Notes - - This action does not operate on specific entities within the SOAR case; it performs - a global query against the Silverfort environment. - - - Valid fields for the **Fields** parameter include: `guid`, `display_name`, `sources_count`, - `destinations_count`, `number_of_authentications`, `risk`, `predictability`, `protected`, - `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, `creation_date`, - `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, - `repetitive_behavior`. + This action is a read-only operation that fetches data from the Silverfort API. + It does not modify any external system state or internal SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -429,8 +608,19 @@ List Service Accounts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to list service accounts. + It fetches data (fetches_data=true) but does not modify any external system + state (can_mutate_external_data=false). It does not update entities, create + insights, or modify case data (all other flags=false). categories: enrichment: false + reasoning: >- + The action retrieves a list of service accounts from an external system. While + it fetches data, it does not perform enrichment on specific entities (it lists + all accounts), and it does not meet the criteria for an Enrichment Action as + defined (it does not operate on target entities). Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -446,69 +636,76 @@ List Service Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It is a standalone action that lists service accounts from the Silverfort system. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations like enrichment, ticketing, or containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is used to verify the connectivity between Google SecOps and - the Silverfort API. It ensures that the provided **External API Key** is valid - and tests the connection for each specific Silverfort module (Risk, Service Accounts, - and Policies) that has been configured with credentials. + Tests connectivity to the Silverfort API. This action validates the configuration + of the External API Key and tests connectivity for each configured API (Risk, + Service Accounts, Policies) by attempting to connect to their respective endpoints. + It returns a success or failure message based on the connectivity results. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **API Root** | String | Yes | The base URL of the Silverfort API instance. | - - | **External API Key** | String | Yes | The primary API key used for authentication - across all Silverfort services. | + | is_success | boolean | No | The script result name indicating if the ping was + successful. | - | **Verify SSL** | Boolean | No | If enabled, the action will verify the SSL certificate - of the Silverfort API. Defaults to `True`. | - | **Risk App User ID / Secret** | String | No | Credentials required to test connectivity - specifically for the Risk API. | - - | **Service Accounts App User ID / Secret** | String | No | Credentials required - to test connectivity specifically for the Service Accounts API. | - - | **Policies App User ID / Secret** | String | No | Credentials required to test - connectivity specifically for the Policies API. | + ### Flow Description + 1. The action retrieves the integration parameters (API Root, API Key, and credentials + for Risk, Service Accounts, and Policies). - ### Additional Notes + 2. It identifies which API types have credentials configured. - - At least one set of API credentials (Risk, Service Accounts, or Policies) must - be configured in the integration settings for the action to perform specific module - tests. + 3. For each configured API type, it initializes the corresponding client and calls + the `test_connectivity` method. - - If no module-specific credentials are provided, the action will raise an error - indicating that no credentials are configured. + 4. It collects the results (success or failure) for each API. + 5. If no APIs are configured, it raises an error. - ### Flow Description + 6. If all connectivity tests fail, it raises an error. - 1. **Configuration Retrieval:** The action fetches the integration parameters, - including the API Root and various credentials. - - 2. **API Identification:** It determines which Silverfort APIs (Risk, Service - Accounts, Policies) are configured based on the presence of User IDs and Secrets. - - 3. **Connectivity Testing:** For each configured API, the action performs a lightweight - request: - - **Risk API:** Attempts a GET request to the `getEntityRisk` endpoint. - - **Service Accounts API:** Attempts a POST request to the `list_service_accounts` - endpoint with a page size of 1. - - **Policies API:** Attempts a GET request to the `get_rules_names_and_ids` - endpoint. - 4. **Result Aggregation:** The action collects the results. If all configured - APIs connect, it returns a success message. If some fail, it returns a partial - success message listing the failed modules. If all fail or none are configured, - it returns an error. + 7. If some or all tests succeed, it updates the output message with the status + of each API and completes. capabilities: can_create_case_comments: false can_create_insight: false @@ -519,8 +716,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) against the Silverfort API endpoints. + It does not fetch contextual data about alerts or entities, nor does it mutate + any external or internal data. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -536,14 +740,47 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities; it is a global connectivity test. Update Entity Risk: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the risk level of a user in Silverfort. This modifies account + metadata, which aligns with the 'Update Identity' category. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - Updates risk information for a specific user in Silverfort. This action allows - security analysts to manually or automatically adjust a user's risk profile (type, - severity, and duration) based on external intelligence or observed behavior within - the Silverfort platform. + This action updates the risk information for a specific user within the Silverfort + platform. By providing a user principal name and specifying the risk type, severity, + and duration, analysts can proactively adjust the risk profile of an identity + in Silverfort based on external threat intelligence or security events. ### Parameters Description @@ -552,45 +789,38 @@ Update Entity Risk: | :--- | :--- | :--- | :--- | - | User Principal Name | String | Yes | The user principal name (e.g., user@domain.com) - of the user whose risk profile is being updated. | - - | Risk Type | DDL | Yes | The specific category of risk to update. Options include: - `activity_risk`, `malware_risk`, `data_breach_risk`, or `custom_risk`. | - - | Severity | DDL | Yes | The severity level to assign to the risk indicator. Options - include: `low`, `medium`, `high`, or `critical`. | + | User Principal Name | string | Yes | The user principal name (e.g., user@domain.com) + to update risk for. | - | Valid For Hours | String | Yes | The duration (in hours) for which this risk - indicator should remain valid. This must be a positive integer. | - - | Description | String | Yes | A descriptive text providing context or a reason - for the risk update. | + | Risk Type | ddl | Yes | The type of risk to update (activity_risk, malware_risk, + data_breach_risk, custom_risk). | + | Severity | ddl | Yes | The severity level of the risk (low, medium, high, critical). + | - ### Additional Notes + | Valid For Hours | string | Yes | How long (in hours) the risk indicator should + be valid. | - This action performs a state-changing operation in the external Silverfort system. - It does not automatically iterate over entities in the Google SecOps case; instead, - it relies on the provided `User Principal Name` parameter. + | Description | string | Yes | Description of the risk indicator. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the UPN, risk type, severity, - duration, and description from the input parameters. + 1. **Extraction**: The action extracts the provided parameters (User Principal + Name, Risk Type, Severity, Valid For Hours, Description) from the SOAR action + configuration. - 2. **Validation:** It validates that the `Risk Type` and `Severity` match supported - Silverfort values and ensures the `Valid For Hours` is a positive integer. + 2. **Validation**: The action validates that the Risk Type and Severity are within + the allowed values and that the 'Valid For Hours' is a positive integer. - 3. **API Client Initialization:** Initializes the Silverfort Risk API client using - the configured integration credentials. + 3. **API Interaction**: The action initializes the Silverfort Risk API client + and constructs a `RiskUpdate` object. - 4. **Risk Update Execution:** Constructs a risk update payload and sends a POST - request to the Silverfort `/v1/public/updateEntityRisk` endpoint. + 4. **Execution**: The action performs a POST request to the Silverfort API (`/v1/public/updateEntityRisk`) + to apply the risk update for the specified user. - 5. **Result Reporting:** Captures the API response and updates the action's output - message and JSON results to reflect the success of the operation. + 5. **Completion**: The action returns a success message indicating the risk update + was applied. capabilities: can_create_case_comments: false can_create_insight: false @@ -599,12 +829,18 @@ Update Entity Risk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the risk level, risk type, and duration for a specific user principal - name in the Silverfort platform via a POST request. + Updates the risk level for a user entity in the Silverfort platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to update the risk + level of a user. It does not fetch data or modify internal SOAR data (entities, + insights, or comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external risk data) and does not fetch + data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -620,74 +856,99 @@ Update Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a string parameter 'User Principal Name' provided by the user + input, not the `siemplify.target_entities` list. Therefore, it does not run + on entities. Update Policy: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates an authentication policy in Silverfort. It does not match + any of the provided categories (e.g., Enrich IOC, Update Alert, Update Ticket, + etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Updates an existing authentication policy in Silverfort. This action allows for - the modification of a policy's operational state (enabled or disabled) and provides - granular control over the policy's scope by adding or removing specific users, - groups, network sources, and destinations. + Updates an authentication policy in Silverfort. This action allows administrators + to modify the enabled state of a policy and dynamically update the lists of users, + groups, sources, and destinations associated with that policy. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Policy ID | String | Yes | The unique identifier of the Silverfort policy to - update. | + 1. **Parameter Extraction**: The action extracts the `Policy ID` (mandatory) and + optional parameters such as `Enabled` state, and JSON-formatted strings for adding/removing + users, groups, sources, and destinations. - | Enabled | Boolean | No | Sets the policy to enabled (true) or disabled (false). - | + 2. **Parsing**: The action parses the provided JSON strings into structured objects + (identifiers and destinations) required by the Silverfort API. - | Add Users and Groups | String | No | A JSON array of user/group objects to add - to the policy scope. Format: `[{"identifierType": "upn", "identifier": "user@domain.com"}]`. - | + 3. **API Interaction**: The action initializes the Silverfort Policy API client + and sends a PATCH request to update the specified policy with the provided changes. - | Remove Users and Groups | String | No | A JSON array of user/group objects to - remove from the policy scope. | + 4. **Result**: The action returns a success message indicating the policy has + been updated. - | Add Sources | String | No | A JSON array of source objects (e.g., IP addresses) - to add to the policy. Format: `[{"identifierType": "ip", "identifier": "10.0.0.1"}]`. - | - | Remove Sources | String | No | A JSON array of source objects to remove from - the policy. | + ### Parameters Description - | Add Destinations | String | No | A JSON array of destination objects to add. - Format: `[{"identifierType": "hostname", "identifier": "server.com", "services": - ["rdp"]}]`. | + | Parameter | Type | Mandatory | Description | - | Remove Destinations | String | No | A JSON array of destination objects to remove - from the policy. | + | :--- | :--- | :--- | :--- | + | Policy ID | string | Yes | The unique identifier of the policy to update. | - ### Additional Notes + | Enabled | boolean | No | Enable or disable the policy. | - - The action expects JSON-formatted strings for all 'Add' and 'Remove' parameters. - Incorrectly formatted JSON will result in a validation error. + | Add Users and Groups | string | No | JSON array of users/groups to add to the + policy. | - - This action utilizes the Silverfort Policies API v2. + | Remove Users and Groups | string | No | JSON array of users/groups to remove + from the policy. | + | Add Sources | string | No | JSON array of sources to add to the policy. | - ### Flow Description + | Remove Sources | string | No | JSON array of sources to remove from the policy. + | - 1. **Parameter Extraction**: The action extracts the mandatory Policy ID and optional - configuration parameters from the SOAR environment. + | Add Destinations | string | No | JSON array of destinations to add to the policy. + | - 2. **JSON Parsing**: Input strings for users, groups, sources, and destinations - are parsed from JSON into structured data models (`PolicyIdentifier` and `PolicyDestination`). + | Remove Destinations | string | No | JSON array of destinations to remove from + the policy. | - 3. **Client Initialization**: The action initializes a `PolicyApiClient` using - the integration's configured credentials and API root. - 4. **API Execution**: A PATCH request is sent to the Silverfort `/v2/public/policies/{policy_id}` - endpoint with the constructed payload containing the updates. + ### Additional Notes - 5. **Result Processing**: The action confirms the update status and returns a - success message along with the updated policy ID in the JSON results. + This action performs a direct mutation on the Silverfort platform. Ensure the + `Policy ID` is correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -696,12 +957,19 @@ Update Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration, membership, and enabled status of an authentication - policy within the Silverfort platform via a PATCH request. + Updates an authentication policy in Silverfort by modifying its enabled state + and updating the lists of users, groups, sources, and destinations. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the Silverfort API to update an existing + policy. It does not fetch data for enrichment, nor does it modify any internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a configuration update (mutation) and does not fetch data for + enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -717,51 +985,107 @@ Update Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Policy ID provided as a parameter and does + not iterate over or process SOAR entities. Update SA Policy: - ai_description: "### General Description\nUpdates the protection policy for a specific\ - \ service account within the Silverfort Identity Security platform. This action\ - \ allows for granular control over how a service account is protected, including\ - \ its operational state, enforcement actions (blocking), and logging configurations.\ - \ It is primarily used to tune security policies or respond to identified risks\ - \ by modifying allowlists and protocol restrictions.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Service Account GUID** | string | Yes | The unique identifier (GUID) of the\ - \ service account in Silverfort that you wish to update. |\n| **Enabled** | boolean\ - \ | No | If set to true, the policy is active. If false, the policy is disabled.\ - \ |\n| **Block** | boolean | No | If set to true, Silverfort will block authentication\ - \ attempts that violate the policy. |\n| **Send to SIEM** | boolean | No | If\ - \ set to true, policy violation events will be forwarded to the configured SIEM.\ - \ |\n| **Risk Level** | ddl | No | Sets the risk level threshold for the policy.\ - \ Supported values: `low`, `medium`, `high`. |\n| **Allow All Sources** | boolean\ - \ | No | If true, the policy will allow authentications from any source, ignoring\ - \ the specific allowed sources list. |\n| **Allow All Destinations** | boolean\ - \ | No | If true, the policy will allow authentications to any destination, ignoring\ - \ the specific allowed destinations list. |\n| **Protocols** | string | No | A\ - \ comma-separated list of protocols to allow (e.g., `Kerberos, ldap, ntlm`). |\n\ - | **Add Allowed Sources** | string | No | A JSON array of source objects to add\ - \ to the allowlist. Format: `[{\"key\": \"10.0.0.1\", \"key_type\": \"ip\"}]`.\ - \ |\n| **Remove Allowed Sources** | string | No | A JSON array of source objects\ - \ to remove from the allowlist. Format: `[{\"key\": \"10.0.0.1\", \"key_type\"\ - : \"ip\"}]`. |\n| **Add Allowed Destinations** | string | No | A JSON array of\ - \ destination objects to add to the allowlist. Format: `[{\"key\": \"10.0.0.1\"\ - , \"key_type\": \"ip\"}]`. |\n| **Remove Allowed Destinations** | string | No\ - \ | A JSON array of destination objects to remove from the allowlist. Format:\ - \ `[{\"key\": \"10.0.0.1\", \"key_type\": \"ip\"}]`. |\n\n### Additional Notes\n\ - - The `Add/Remove` parameters for sources and destinations require a specific\ - \ JSON format containing `key` and `key_type` fields. \n- Valid `key_type` values\ - \ typically include `ip`, `hostname`, or `dn` depending on the Silverfort API\ - \ version.\n- If `Allow All Sources` or `Allow All Destinations` is set to true,\ - \ the respective allowlists are effectively bypassed.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the Service Account GUID and\ - \ all optional policy configuration parameters from the user input.\n2. **Validation:**\ - \ It validates that the `Risk Level` and `Protocols` (if provided) match the allowed\ - \ enums defined in the Silverfort integration.\n3. **JSON Parsing:** It parses\ - \ the JSON strings for adding or removing sources and destinations into structured\ - \ `AllowedEndpoint` objects.\n4. **API Interaction:** The action uses the Silverfort\ - \ Service Account API client to send a POST request to the `/v1/public/serviceAccounts/policy/{guid}`\ - \ endpoint with the updated configuration payload.\n5. **Result Handling:** Upon\ - \ a successful API response, it generates a success message and returns a JSON\ - \ result indicating the GUID and the updated status." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the policy configuration for a service account in Silverfort. + This aligns with the 'Update Identity' category, as it modifies account protection + settings. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false + ai_description: >- + ### General Description + + Updates the protection policy for a specific service account within the Silverfort + platform. This action allows administrators to modify security configurations, + including enabling/disabling the policy, toggling blocking, configuring SIEM logging, + setting risk level thresholds, and managing allowed sources and destinations. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service Account GUID | string | Yes | The unique identifier (GUID) of the service + account to update. | + + | Enabled | boolean | No | Enable or disable the policy. | + + | Block | boolean | No | Enable or disable blocking for policy violations. | + + | Send to SIEM | boolean | No | Enable or disable SIEM logging. | + + | Risk Level | ddl | No | Risk level threshold for the policy (low, medium, high). + | + + | Allow All Sources | boolean | No | If true, ignores specific allowed sources + list. | + + | Allow All Destinations | boolean | No | If true, ignores specific allowed destinations + list. | + + | Protocols | string | No | Comma-separated list of protocols to allow (Kerberos, + ldap, ntlm). | + + | Add Allowed Sources | string | No | JSON array of sources to add to the allowlist. + Format: [{"key": "10.0.0.1", "key_type": "ip"}] | + + | Remove Allowed Sources | string | No | JSON array of sources to remove from + the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | + + | Add Allowed Destinations | string | No | JSON array of destinations to add to + the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | + + | Remove Allowed Destinations | string | No | JSON array of destinations to remove + from the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts all provided parameters from + the SOAR action configuration. + + 2. **Validation**: It validates the provided 'Risk Level' and 'Protocols' against + allowed values. + + 3. **Parsing**: It parses the JSON strings provided for allowed sources and destinations + into structured objects. + + 4. **API Interaction**: It initializes the Silverfort Service Account client and + sends a POST request to the Silverfort API to update the policy for the specified + service account GUID. + + 5. **Result**: It returns a success message indicating the policy update status. capabilities: can_create_case_comments: false can_create_insight: false @@ -770,13 +1094,19 @@ Update SA Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the security policy configuration for a service account - in the Silverfort platform, which can change the enforcement state (e.g., enabling - blocking) and network access controls (allowlists). + Updates the protection policy for a service account in Silverfort, including + settings like blocking, SIEM logging, risk levels, and allowed sources/destinations. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update a service account policy in the + external Silverfort system. It does not fetch data for enrichment, nor does + it modify any internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates external policy configurations. + It does not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -792,3 +1122,6 @@ Update SA Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a Service Account GUID provided as a parameter and does + not iterate over or filter SOAR target entities. diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0b993c80c --- /dev/null +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml @@ -0,0 +1,24 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The Silverfort integration is an identity security platform that provides capabilities + to manage and monitor identity-related security. It includes actions to retrieve + and update risk levels for users and service accounts (e.g., 'Get Entity Risk', + 'Update Entity Risk', 'Update SA Policy'), which directly aligns with the 'IAM + & Identity Management' category. Furthermore, the integration provides visibility + into service accounts by retrieving their detailed attributes and configurations + (e.g., 'Get Service Account', 'List Service Accounts'), which qualifies it for + the 'Asset Inventory' category as these service accounts are critical internal + assets. The integration does not perform log analysis (SIEM), host-level process + inspection (EDR), network traffic blocking (Network Security), or external indicator + reputation checks (Threat Intelligence). + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml index 46ae8e2da..f0c70cba2 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml @@ -1,71 +1,93 @@ List Catalogs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves a list of catalogs from SpyCloud. It does not match any + of the specific operational categories like enrichment, containment, or ticket + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **List Catalogs** action retrieves a list of available breach catalogs from - SpyCloud based on specified timeframes and filtering criteria. This action is - primarily used for discovery and auditing purposes, allowing users to see which - data sources or breach collections are available within the SpyCloud platform - for a given period. + This action retrieves a list of available breach catalogs from the SpyCloud platform. + It allows users to filter catalogs based on specific criteria and time frames, + providing visibility into available breach data sources. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Filter Logic | DDL | No | Determines the matching logic for the filter. Options - are 'Equal' (exact match on title) or 'Contains' (substring match across all fields). - Defaults to 'Equal'. | + | Filter Logic | ddl | No | Specifies the filter logic to apply (Equal or Contains). + | - | Filter Value | String | No | The string value to search for. If 'Equal' is selected, - the action filters results locally by title. If 'Contains' is selected, the value - is passed to the API query. | + | Filter Value | string | No | The value to use for filtering. "Equal" matches + the title, while "Contains" searches all values. | - | Time Frame | DDL | Yes | The temporal scope of the search. Options include 'Last - Week', 'Last Month', 'Last Year', or 'Custom'. | + | Time Frame | ddl | Yes | The time range for the search (Last Week, Last Month, + Last Year, or Custom). | - | Start Time | String | No* | The start date/time for the search in ISO 8601 format. - This is **mandatory** if 'Time Frame' is set to 'Custom'. | + | Start Time | string | No | The start time for the search in ISO 8601 format. + Mandatory if "Custom" is selected for Time Frame. | - | End Time | String | No | The end date/time for the search in ISO 8601 format. - If omitted while using 'Custom' timeframe, it defaults to the current time. | + | End Time | string | No | The end time for the search in ISO 8601 format. Defaults + to current time if not provided when "Custom" is selected. | - | Max Catalogs To Return | String | No | Limits the number of catalog records - returned in the output. Defaults to 50. | + | Max Catalogs To Return | string | No | The maximum number of catalogs to return. + Default is 50. | ### Additional Notes - - If the **Time Frame** is set to 'Custom', the **Start Time** parameter must - be provided, otherwise the action will fail. + - If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. - - The action performs client-side filtering when the 'Equal' logic is selected - to ensure exact title matches. + - The action performs local filtering if "Equal" logic is selected. ### Flow Description - 1. **Parameter Initialization**: Extracts API credentials and action parameters, - validating that the result limit is a positive integer. + 1. Extract configuration parameters (API Root, API Key, Verify SSL) and action + parameters. - 2. **Timeframe Calculation**: Determines the start and end timestamps based on - the selected 'Time Frame' or custom inputs. + 2. Calculate the start and end timestamps based on the selected "Time Frame" and + provided start/end time strings. - 3. **Data Retrieval**: Connects to the SpyCloud API and fetches catalog data from - the `/enterprise-v1/breach/catalog` endpoint, handling pagination automatically - to retrieve all relevant records. + 3. Initialize the SpyCloudManager and query the SpyCloud API for catalogs using + the calculated time range and filter value. - 4. **Filtering**: Applies the 'Equal' filter logic if specified, narrowing the - results to catalogs whose titles exactly match the 'Filter Value'. + 4. Apply local filtering to the results if "Equal" logic is specified. - 5. **Result Processing**: Slices the result list based on the 'Max Catalogs To - Return' parameter. + 5. Truncate the results list to the specified "Max Catalogs To Return" limit. - 6. **Output Generation**: Populates the action's JSON result with the raw catalog - data and creates a formatted data table named 'Available Catalogs' for the case - wall. + 6. Output the results as a JSON object and a formatted data table for the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -76,8 +98,17 @@ List Catalogs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the SpyCloud API to fetch catalog data. + It does not modify any external systems, nor does it modify internal SOAR case + data, entities, or alerts. It simply outputs the retrieved data to the action + results. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (SpyCloud) but does not enrich + specific entities or alerts within the SOAR platform. It is a utility action + for listing available catalogs, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -93,74 +124,93 @@ List Catalogs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities in the SOAR case. + It operates independently of the entity model. List Entity Breaches: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves breach data, which provides threat intelligence (Enrich + IOC) and contextual metadata for users and domains (Enrich Asset). It does not + perform any containment or ticket management actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action retrieves breach information from SpyCloud for specific entities including - IP Addresses, Usernames, Email Addresses, and Domains. It identifies if an entity - has been compromised in known data breaches and provides details such as the source - of the breach, severity, and obfuscated credentials if available. + Retrieves breach information for entities (IPs, Users/Emails, Domains) from SpyCloud. + This action enriches entities with threat intelligence regarding known breaches, + helping analysts identify compromised assets. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Catalog Filter | String | No | Specify the name of a specific SpyCloud category/catalog - to search within. If provided, the action validates the catalog exists before - searching. | + 1. **Configuration & Parameter Extraction**: The action retrieves API credentials + and action-specific parameters (Time Frame, Catalog Filter, etc.). - | Time Frame | DDL | Yes | Defines the temporal scope of the search. Options include - 'Last Week', 'Last Month', 'Last Year', or 'Custom'. | + 2. **Entity Filtering**: It filters the provided target entities to include only + supported types: IP Address, User/Email, and URL (Domain). - | Start Time | String | No | Mandatory only if 'Time Frame' is set to 'Custom'. - Expects an ISO 8601 formatted string. | + 3. **Breach Querying**: For each valid entity, it determines the appropriate breach + type (IPs, Emails, Usernames, or Domains) and queries the SpyCloud API for breach + records within the specified time frame. - | End Time | String | No | Used when 'Time Frame' is 'Custom'. If omitted, the - current time is used. Expects an ISO 8601 formatted string. | + 4. **Enrichment**: If breaches are found, the action updates the entity's `additional_properties` + with the breach data and marks the entity as enriched. - | Max Breaches To Return | String | No | Limits the number of breach records returned - per entity. Default is 1, maximum is 1000. | + 5. **Result Reporting**: The action updates the entities in the SOAR platform + and returns the breach details as a JSON result. - ### Additional Notes + ### Parameters - - **Entity Mapping:** Email addresses are handled as `USERUNIQNAME` entities that - match an email regex. Domains are extracted from `DestinationURL` entities. + | Parameter | Type | Mandatory | Description | - - **Data Privacy:** Passwords returned in the JSON results are automatically obfuscated - by the integration logic (e.g., `p****rd`). + | :--- | :--- | :--- | :--- | - - **Timeframe Logic:** If 'Custom' is selected, 'Start Time' must be provided, - otherwise the action will fail. + | Catalog Filter | String | No | Specify the name of the category in which you + want to search for breaches. | + | Time Frame | DDL | Yes | Specify a time frame for the search (Last Week, Last + Month, Last Year, Custom). | - ### Flow Description + | Start Time | String | No | Start time for the search. Mandatory if "Custom" + is selected for "Time Frame". Format: ISO 8601. | - 1. **Initialization:** Extracts API configuration and action parameters, validating - that the 'Max Breaches To Return' is a positive integer. + | End Time | String | No | End time for the search. Format: ISO 8601. If not provided + for "Custom", defaults to current time. | - 2. **Timeframe Calculation:** Converts the selected 'Time Frame' or 'Custom' timestamps - into date objects for the API request. + | Max Breaches To Return | String | No | Specify how many breaches to return per + entity. Default: 1. Maximum: 1000. | - 3. **Catalog Resolution:** If a 'Catalog Filter' is provided, the action fetches - available catalogs from SpyCloud to find the corresponding internal ID. - 4. **Entity Processing:** Iterates through supported entities (`ADDRESS`, `USERUNIQNAME`, - `DestinationURL`): - - Determines the SpyCloud breach type (ips, emails, usernames, or domains). - - Normalizes the identifier (e.g., extracting the domain from a URL). - - Queries the SpyCloud API for breach data associated with the entity and - timeframe. - 5. **Enrichment:** For entities with found breaches, it updates the entity's `additional_properties` - with a `was_breached` flag and marks the entity as enriched. + ### Additional Notes - 6. **Finalization:** Updates the entities in the Google SecOps case, attaches - the full breach details as a JSON result, and provides a summary message of successful - and failed lookups. + - If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -171,10 +221,18 @@ List Entity Breaches: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes by adding enrichment data (was_breached - flag) and setting the 'is_enriched' status to true. + The action updates entity properties (additional_properties) and marks entities + as enriched within the SOAR platform. + reasoning: >- + The action fetches breach data from an external API (SpyCloud) and updates the + entity's additional properties within the SOAR platform. It does not mutate + external systems or modify alert data/case comments. categories: enrichment: true + reasoning: >- + The action is an enrichment action. It fetches data from an external source + (SpyCloud) and updates internal entity data without mutating external systems + or performing unauthorized internal mutations. entity_usage: entity_types: - ADDRESS @@ -193,60 +251,80 @@ List Entity Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` using `SUPPORTED_ENTITY_TYPES`, + which includes ADDRESS, USER, and URL (mapped to DestinationURL). Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + actions like enriching IOCs, updating tickets, or blocking hosts. Therefore, + it does not match any of the provided product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the SpyCloud API to ensure the integration is configured + correctly. This action validates the connection parameters by sending a request + to the SpyCloud server. - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the SpyCloud API. It ensures that the provided integration configuration - parameters, such as the API Root and API Key, are correct and that the network - path is open. + ### Flow Description - ### Parameters Description - - This action does not take any dynamic input parameters during execution. It relies - entirely on the configuration parameters defined at the integration level: - - - | Parameter Name | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the SpyCloud instance. | + 1. The action extracts the required configuration parameters: API Root, API Key, + and Verify SSL. - | API Key | String | Yes | The API key used to authenticate requests to SpyCloud. - | + 2. It initializes the SpyCloudManager with these parameters. - | Verify SSL | Boolean | Yes | If enabled, the action will verify the SSL certificate - of the SpyCloud server. | + 3. It executes a connectivity test by sending a GET request to the SpyCloud ping + endpoint. + 4. If the request is successful, it returns a success message; otherwise, it returns + a failure message with the error details. - ### Additional Notes - * This action is typically used during the initial setup of the integration or - for troubleshooting connection issues. + ### Parameters Description - * As per standard SOAR practices, Ping actions are not classified as enrichment - actions. + | Parameter | Type | Mandatory | Description | + | --- | --- | --- | --- | - ### Flow Description + | API Root | String | Yes | The base URL for the SpyCloud API. | - 1. **Parameter Extraction:** The action retrieves the API Root, API Key, and SSL - verification settings from the integration's configuration. + | API Key | String | Yes | The authentication key for the SpyCloud API. | - 2. **Manager Initialization:** It initializes the `SpyCloudManager` with the retrieved - credentials. + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate for the connection. + | - 3. **Connectivity Test:** The manager executes a `GET` request to a specific SpyCloud - endpoint (`/enterprise-v1/breach/catalog/1`). - 4. **Response Validation:** The action checks if the API returns a successful - status code. + ### Additional Notes - 5. **Final Status:** If the request is successful, the action completes with a - success message; otherwise, it catches the exception and reports a failure. + This action is a connectivity test and does not perform any data enrichment or + system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,10 +333,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GET request to the SpyCloud + API. It does not fetch contextual data about alerts or entities, nor does it + modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' It does not perform any enrichment + or data retrieval for entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -274,3 +360,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..7c3fb6eec --- /dev/null +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml @@ -0,0 +1,22 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + reasoning: >- + The SpyCloud integration is primarily categorized as Threat Intelligence because + its core functionality involves enriching entities (IPs, Domains, Usernames/Emails) + with breach data to determine if they have been compromised, which serves as a + critical step in verifying the reputation of indicators. It is also categorized + as IAM & Identity Management because the integration specifically targets account + takeover prevention and the remediation of exposed passwords, allowing security + teams to identify and address compromised user identities. It does not perform + SIEM log analysis, EDR host containment, network security blocking, or ITSM ticket + management. + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml index 48552d161..a33c8d6fe 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml @@ -1,66 +1,59 @@ Enrich Hash: - ai_description: >- - ### General Description - - Enriches File Hash entities using threat intelligence data from Stairwell. This - action retrieves comprehensive file metadata, including size, entropy, multiple - hash types (SHA256, SHA1, MD5, Imphash, TLSH), and file magic/MIME types. It also - evaluates the file's reputation based on Stairwell's malicious probability scores - and verdicts, updating the entity's status and providing detailed insights for - security analysts. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Stairwell API instance. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | The specific Organization ID to include in the - request headers for multi-tenant environments. | - - | User ID | String | No | The specific User ID to include in the request headers - if required by the API configuration. | - - - ### Additional Notes - - - The action specifically targets `FILEHASH` entities. - - - If a file is determined to be suspicious (based on the `MALICIOUS` verdict or - high malicious probability), an entity insight is automatically generated. - - - Detailed reports are attached to the case as data tables. - - - ### Flow Description - - 1. **Initialization**: Retrieves connection details (API Root, API Key) and optional - identifiers (Org ID, User ID) from the integration configuration. - - 2. **Entity Filtering**: Identifies all `FILEHASH` entities within the current - alert context. - - 3. **Data Retrieval**: For each hash, it queries the Stairwell API to fetch the - file's enrichment report. - - 4. **Enrichment**: Updates the entity's additional properties with metadata such - as file size, entropy, and alternative hashes. - - 5. **Risk Assessment**: Evaluates the file's verdict. If the file is flagged as - malicious or has a high malicious probability, the entity is marked as suspicious. - - 6. **Insight & Reporting**: Generates a formatted insight for suspicious files - and attaches a detailed CSV-style data table to the case wall for each processed - entity. - - 7. **Finalization**: Updates the entities in Google SecOps and returns a summary - of successful and failed enrichments. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, prevalence, etc.) for + a file hash, which matches the 'Enrich IOC' category. It does not perform any + other actions like ticketing, blocking, or host containment. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches file hash entities using the\ + \ Stairwell platform. This action retrieves comprehensive threat intelligence,\ + \ including file metadata, prevalence, and malicious probability scores, to assist\ + \ analysts in evaluating the risk associated with specific file hashes.\n\n###\ + \ Flow Description\n1. **Initialization**: Extracts configuration parameters (API\ + \ Root, API Key, Organization ID, and User ID) required for authentication and\ + \ API communication.\n2. **Filtering**: Identifies and filters target entities\ + \ within the case to process only those of type `FILEHASH`.\n3. **Enrichment**:\ + \ For each valid file hash, the action queries the Stairwell API to retrieve detailed\ + \ file intelligence.\n4. **Data Processing**: \n - Updates the entity's `additional_properties`\ + \ with the retrieved enrichment data.\n - Sets the `is_enriched` flag to true.\n\ + \ - Evaluates the file's suspicious status based on the retrieved verdict and\ + \ malicious probability.\n5. **Reporting**: \n - If the file is deemed suspicious,\ + \ it generates an entity insight.\n - Adds a data table containing the enrichment\ + \ results to the case.\n - Updates the entities within the SOAR platform.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL for the\ + \ Stairwell API. |\n| API Key | String | Yes | The API key used for authentication\ + \ with the Stairwell service. |\n| Organization ID | String | No | The Organization\ + \ ID to include in the API request headers. |\n| User ID | String | No | The User\ + \ ID to include in the API request headers. |\n\n### Additional Notes\n- This\ + \ action is strictly for enrichment and does not perform any modifications on\ + \ external systems. \n- It only processes entities of type `FILEHASH`." capabilities: can_create_case_comments: false can_create_insight: true @@ -71,11 +64,18 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enrichment data, sets the - 'is_suspicious' and 'is_enriched' flags, creates entity insights, and adds data - tables to the case wall. + Updates entity properties, sets suspicious status, adds entity insights, and + adds data tables to the case. + reasoning: >- + The action fetches threat intelligence data from the Stairwell API (GET). It + updates internal entity properties, sets the suspicious flag, and creates insights + within the SOAR platform. It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data (Enrichment) and does not mutate external systems. It + performs allowed internal mutations (updating entities, creating insights). + It is not a Ping or download action. entity_usage: entity_types: - FILEHASH @@ -92,65 +92,63 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` specifically for `FILEHASH` entities. Enrich Hostname: - ai_description: >- - ### General Description - - Enriches Hostname entities with threat intelligence data from Stairwell. This - action retrieves detailed host information, including community opinions, comments, - and DNS records (A, AAAA, MX), to provide context for security investigations. - It helps analysts determine the reputation and history of a host within the Stairwell - platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Stairwell API instance. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | The specific Stairwell Organization ID to scope - the request. | - - | User ID | String | No | The specific Stairwell User ID to associate with the - request. | - - - ### Additional Notes - - - The action uses the `OriginalIdentifier` of the entity if available; otherwise, - it defaults to the standard entity identifier. - - - Enrichment data is prefixed with `SW` in the entity's additional properties. - - - If no Hostname entities are found in the context, the action will complete with - a 'No entities were enriched' message. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves API credentials and configuration from - the integration settings. - - 2. **Entity Filtering:** Identifies all Hostname entities within the target scope. - - 3. **Data Retrieval:** For each hostname, it queries the Stairwell API's enrichment - endpoint (`/labs/appapi/enrichment/v1/hostname_event/{hostname}`). - - 4. **Entity Enrichment:** Updates the entity's additional properties with the - retrieved data and marks the entity as enriched. - - 5. **Risk Assessment:** Evaluates the host's verdict. If the verdict is 'MALICIOUS', - it marks the entity as suspicious and creates a detailed insight containing the - verdict. - - 6. **Reporting:** Adds a formatted data table to the case wall for each host and - attaches the raw JSON response to the action results. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata for a hostname (asset) from Stairwell. + This matches the 'Enrich Asset' category. It does not perform IOC enrichment + (IP/Hash), nor does it perform containment or ticketing actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThis action enriches Hostname entities\ + \ by retrieving threat intelligence and contextual data from the Stairwell platform.\ + \ It helps analysts understand the reputation and associated records of a host\ + \ within their environment.\n\n### Flow Description\n1. **Configuration Extraction**:\ + \ The action retrieves the API Root, API Key, Organization ID, and User ID from\ + \ the integration configuration.\n2. **Entity Filtering**: It iterates through\ + \ the target entities in the case, filtering specifically for those with the type\ + \ `HOSTNAME`.\n3. **Data Retrieval**: For each valid hostname, it queries the\ + \ Stairwell API to fetch host-specific reports.\n4. **Enrichment**: \n - Updates\ + \ the entity's `additional_properties` with the retrieved data.\n - Marks the\ + \ entity as enriched.\n - Evaluates the host's suspicious status based on the\ + \ Stairwell verdict.\n5. **Reporting**: \n - If the host is deemed suspicious,\ + \ it creates a case insight.\n - Adds a data table to the case results containing\ + \ the detailed host report.\n - Updates the entities within the SecOps platform.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL for the\ + \ Stairwell API. |\n| API Key | String | Yes | The API key used for authentication\ + \ with Stairwell. |\n| Organization ID | String | No | The Organization ID to\ + \ include in API headers. |\n| User ID | String | No | The User ID to include\ + \ in API headers. |\n\n### Additional Notes\n- The action requires at least one\ + \ Hostname entity to be present in the case to perform any operations.\n- If the\ + \ execution deadline is reached, the action will terminate gracefully." capabilities: can_create_case_comments: false can_create_insight: true @@ -161,11 +159,19 @@ Enrich Hostname: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the suspicious - flag, creates entity insights for malicious findings, and adds data tables to - the case wall. + Updates entity properties, adds insights, and adds data tables to the case. + reasoning: >- + The action fetches host data from the Stairwell API (fetches_data=true). It + does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity properties, adding insights, and adding + data tables to the case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Stairwell) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - HOSTNAME @@ -182,36 +188,64 @@ Enrich Hostname: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `EntityTypes.HOSTNAME`. Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities with threat\ - \ intelligence data retrieved from the Stairwell platform. This action provides\ - \ security analysts with context regarding an IP's reputation, including verdicts\ - \ (e.g., MALICIOUS), community opinions, and historical comments. It automates\ - \ the process of identifying high-risk entities by marking them as suspicious\ - \ and generating detailed insights directly within the case.\n\n### Parameters\ + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, verdict) for an IP address + from Stairwell. This matches the 'Enrich IOC' category. It does not perform + any other actions like blocking, ticketing, or alert management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ Stairwell API. This action retrieves threat intelligence, including verdicts\ + \ and opinions, for specified IP addresses. It updates the entity's profile with\ + \ this information, marks the entity as enriched, and flags it as suspicious if\ + \ the verdict is malicious. Additionally, it generates insights and data tables\ + \ for the case wall to assist analysts in their investigation.\n\n### Parameters\ \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| API Root | String | Yes | The base URL of the Stairwell API\ - \ instance used for requests. |\n| API Key | String | Yes | The authentication\ - \ key required to access Stairwell services. |\n| Organization ID | String | No\ - \ | An optional identifier to scope requests to a specific Stairwell organization.\ - \ |\n| User ID | String | No | An optional identifier to associate requests with\ - \ a specific Stairwell user. |\n\n### Additional Notes\n- This action specifically\ - \ targets entities of type **ADDRESS**.\n- If an IP is found to have a 'MALICIOUS'\ - \ verdict in Stairwell, the action automatically flags the entity as suspicious\ - \ in Google SecOps.\n- A detailed report table is added to the case wall for every\ - \ successfully enriched entity.\n\n### Flow Description\n1. **Initialization**:\ - \ Extracts API configuration (Root, Key, Org ID, User ID) and initializes the\ - \ Stairwell API manager.\n2. **Entity Filtering**: Identifies all IP Address entities\ - \ in the current scope for processing.\n3. **Data Retrieval**: For each IP, the\ - \ action performs a GET request to the Stairwell enrichment endpoint to fetch\ - \ event data.\n4. **Enrichment & Analysis**: \n - Updates the entity's additional\ - \ properties with the retrieved intelligence.\n - Evaluates the 'verdict' field;\ - \ if it matches 'MALICIOUS', the entity is marked as suspicious.\n5. **Internal\ - \ Updates**: \n - Creates an Entity Insight for suspicious IPs containing the\ - \ verdict summary.\n - Generates a data table on the case wall with a flat\ - \ representation of the Stairwell report.\n6. **Finalization**: Updates the entities\ - \ in the Google SecOps platform and returns a summary of successful and failed\ - \ enrichments." + \ :--- | :--- |\n| API Root | String | Yes | The base URL for the Stairwell API.\ + \ |\n| API Key | String | Yes | The API key used for authentication with the Stairwell\ + \ service. |\n| Organization ID | String | No | The Organization ID to include\ + \ in the API request headers. |\n| User ID | String | No | The User ID to include\ + \ in the API request headers. |\n\n### Flow Description\n1. **Initialization**:\ + \ Extracts configuration parameters (API Root, API Key, Organization ID, User\ + \ ID).\n2. **Filtering**: Filters the target entities to process only those of\ + \ type `ADDRESS`.\n3. **Enrichment**: For each IP address, queries the Stairwell\ + \ API to retrieve threat intelligence data.\n4. **Internal Update**: \n - Updates\ + \ the entity's `additional_properties` with the retrieved data.\n - Sets the\ + \ entity's `is_enriched` flag to true.\n - Evaluates the verdict to set the\ + \ `is_suspicious` flag.\n - If the entity is suspicious, creates an entity\ + \ insight.\n - Adds a data table to the action results containing the enrichment\ + \ details.\n5. **Finalization**: Updates the entities in the SOAR platform and\ + \ returns the final status and output message." capabilities: can_create_case_comments: false can_create_insight: true @@ -222,11 +256,19 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties), sets the 'is_suspicious' - and 'is_enriched' flags, creates entity insights, and adds data tables to the - case wall. + Updates entity additional properties, marks entities as enriched/suspicious, + adds entity insights, and adds data tables to the case. + reasoning: >- + The action fetches IP reputation data from the Stairwell API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with enrichment data and creates insights for suspicious + entities (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Stairwell) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it is an enrichment action. entity_usage: entity_types: - ADDRESS @@ -243,58 +285,80 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS`. This means it targets ADDRESS entities, filtering by + entity_type. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations like enrichment, containment, or ticket management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity to the Stairwell API to ensure that the integration can - successfully communicate with the service. This action is typically used during - the initial setup or for troubleshooting purposes to verify that the provided - credentials and API endpoint are valid. + This action tests the connectivity between the Google SecOps SOAR platform and + the Stairwell API. It verifies that the provided API credentials and configuration + settings are valid by attempting to reach a test endpoint. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters to perform the connectivity test: - - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | API Root | String | Yes | The base URL of the Stairwell API. | - | API Key | String | Yes | The API key used for authentication. | - - | Organization ID | String | No | The specific Organization ID associated with - the account. | - - | User ID | String | No | The specific User ID associated with the account. | - + | API Key | String | Yes | The API key used for authentication with the Stairwell + service. | - ### Additional Notes + | Organization ID | String | No | The Organization ID to include in the API request + headers. | - This action performs a read-only request to a dummy hostname to verify API access - and does not process any entities from the current context. + | User ID | String | No | The User ID to include in the API request headers. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API Root, API Key, Organization - ID, and User ID from the integration's configuration settings. + 1. The action initializes the `StairwellManager` using the provided configuration + parameters (API Root, API Key, Organization ID, User ID). - 2. **Manager Initialization**: A `StairwellManager` instance is created using - the extracted configuration and credentials. + 2. It executes a connectivity test by calling `manager.test_connectivity()`, which + performs a GET request to a dummy endpoint on the Stairwell API. - 3. **Connectivity Check**: The action executes the `test_connectivity` method, - which sends a GET request to the Stairwell API for a dummy hostname (`www.google.com`) - to verify the connection. + 3. If the request is successful, the action completes with a success status and + an output message indicating that the connection was established. - 4. **Completion**: If the API responds successfully, the action completes with - a success status and a 'Connection Established' message. If the request fails - (e.g., due to invalid credentials or network issues), it catches the exception - and returns a failure status with the error details. + 4. If an error occurs (e.g., invalid credentials, network issues), the action + catches the exception, logs the error, and fails the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -305,8 +369,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Stairwell API. + It does not modify any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -322,3 +393,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities from the SOAR platform; it uses a hardcoded + dummy hostname to test connectivity. diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..160009014 --- /dev/null +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: "The Stairwell integration is primarily designed to provide threat intelligence\ + \ and malware analysis. Its core actions\u2014Enrich Hash, Enrich IP, and Enrich\ + \ Hostname\u2014are dedicated to enriching indicators of compromise (IOCs) and\ + \ hostnames with reputation data, verdicts, and malicious probability scores.\ + \ This aligns directly with the 'Threat Intelligence' category, which is used\ + \ for the first step of enrichment for external indicators to determine their\ + \ reputation. The integration does not perform SIEM log searching, EDR host containment,\ + \ network blocking, or ITSM ticketing. While it enriches hostnames, it provides\ + \ threat intelligence and malware analysis rather than asset inventory data (such\ + \ as owner, department, or business criticality), so it does not qualify for the\ + \ 'Asset Inventory' category." + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml index 9b2086401..3e0aa9725 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml @@ -1,48 +1,83 @@ Acknowledge Console Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action acknowledges an incident on the external Canary Console. It does + not modify the alert status within the SecOps platform (which is the requirement + for 'Update Alert'), nor does it perform any of the other listed actions (e.g., + ticket creation, IOC management, host containment). Therefore, it does not match + any of the defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description + The Acknowledge Console Alert action is used to mark an incident as acknowledged + on the Thinkst Canary Console. This action helps synchronize the state of an incident + between the Canary Console and the SOAR platform, ensuring that acknowledged alerts + are tracked appropriately in the external system. - Acknowledges an alert on the Thinkst Canary console. This action allows analysts - to programmatically mark Canary incidents as acknowledged directly from the Google - SecOps interface, ensuring synchronization between the SOAR and the Canary platform. + ### Flow Description - ### Parameters Description + 1. **Configuration Extraction**: The action retrieves the required `API Key`, + `Console Hash`, and `Verify SSL` settings from the integration configuration. + 2. **Validation**: It verifies that the `API Key` and `Console Hash` are not set + to their default values. If they are, the action fails. - | Parameter | Type | Mandatory | Description | + 3. **Incident Identification**: The action accesses the `current_alert` object + in the SOAR platform to retrieve the `AlertId` from the `security_events` property. - | :--- | :--- | :--- | :--- | + 4. **Acknowledgment**: It sends a POST request to the Canary Console API (`/incident/acknowledge`) + using the retrieved `AlertId` to acknowledge the incident. - | None | N/A | N/A | This action does not take any input parameters. It automatically - identifies the alert to acknowledge using the `AlertId` stored in the alert's - metadata. | - - - ### Additional Notes + ### Parameters Description - This action requires the `AlertId` to be present in the `additional_properties` - of the first security event of the alert. This ID is typically populated automatically - by the Thinkst Canary connector when the alert is ingested. If the `AlertId` is - missing, the action will fail. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | API Key | String | Yes | The API key used to authenticate with the Canary Console. + | + | Console Hash | String | Yes | The unique hash/domain identifier for the Canary + Console. | - 1. **Extract Configuration**: Retrieves the API Key, Console Hash, and SSL verification - settings from the integration configuration. + | Verify SSL | Boolean | No | Determines whether to verify SSL certificates when + making API requests. | - 2. **Identify Incident**: Accesses the current alert's security events and extracts - the `AlertId` from the `additional_properties` field of the first event. - 3. **API Request**: Sends a POST request to the `/api/v1/incident/acknowledge` - endpoint on the Canary Console using the extracted `AlertId`. + ### Additional Notes - 4. **Finalize**: Reports the outcome of the acknowledgement request (success or - failure) to the case wall. + - This action requires that the alert was originally ingested by the Thinkst Canary + Connector, as it relies on the `AlertId` being present in the `additional_properties` + of the alert's security events. capabilities: can_create_case_comments: false can_create_insight: false @@ -51,12 +86,21 @@ Acknowledge Console Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an incident on the Thinkst Canary console to 'acknowledged' - via a POST request to the API. + The action sends a POST request to the Canary Console API to acknowledge an + incident, changing its status in the external system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Canary Console) to acknowledge + an incident. It does not fetch data for enrichment, nor does it modify any internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a state-changing operation (acknowledgment) on an external system. + It does not fetch data for enrichment, nor does it perform any of the allowed + internal mutations (comments, insights, entity updates). Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -72,63 +116,83 @@ Acknowledge Console Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the `current_alert` object to retrieve the `AlertId` + from its security events. It does not iterate over or filter `target_entities`. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) to verify API credentials and console + accessibility. It does not perform any of the listed functional operations such + as enriching IOCs, updating tickets, or modifying alert data. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility used to verify the connectivity and - authentication credentials between Google SecOps and the Thinkst Canary Console. - It ensures that the provided API Key and Console Hash are valid and that the network - path to the Canary API is open. + Verifies connectivity to the Thinkst Canary Console by validating the provided + API credentials and console hash. This action ensures that the integration is + correctly configured and can communicate with the external service. - ### Parameters Description - - This action does not have any action-specific parameters. It relies entirely on - the integration's global configuration parameters: - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **API Key** | String | Yes | The authentication token used to access the Thinkst - Canary API. | + 1. **Configuration Extraction**: The action retrieves the 'API Key', 'Console + Hash', and 'Verify SSL' settings from the integration configuration. - | **Console Hash** | String | Yes | The unique subdomain identifier for your Canary - Console (e.g., the 'example' in 'example.canary.tools'). | + 2. **Validation**: It checks if the 'API Key' and 'Console Hash' are provided + and not set to their default placeholder values. If missing, the action fails. - | **Verify SSL** | Boolean | No | Determines whether to verify the SSL certificate - of the Canary Console. | + 3. **Connectivity Check**: It initializes the `ThinkstActionManager` and sends + a GET request to the `/ping` endpoint of the Canary Console API. + 4. **Result**: Based on the API response, it determines if the connection was + successful and terminates the action with the appropriate status and message. - ### Additional Notes - * This action will fail immediately if the **API Key** or **Console Hash** are - left as their default placeholder values. + ### Parameters - * Per Google SecOps standards, Ping actions are used for health checks and do - not contribute to case enrichment or data mutation. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | API Key | String | Yes | The API key used to authenticate with the Canary Console. + | - 1. **Parameter Extraction:** The script retrieves the global configuration for - the Thinkst integration, including the API Key, Console Hash, and SSL verification - setting. + | Console Hash | String | Yes | The unique domain hash for the Canary Console + (e.g., 'example' in 'example.canary.tools'). | - 2. **Validation:** It checks if the API Key and Console Hash have been changed - from their default values. If not, the action fails with an error message. + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the console. | - 3. **Manager Initialization:** It initializes the `ThinkstActionManager` which - sets up the HTTP session and base URL for the Canary API. - 4. **Connectivity Check:** The script calls the `/api/v1/ping` endpoint using - a GET request. + ### Additional Notes - 5. **Result Processing:** If the API returns a JSON response with a 'success' - result, the action completes successfully. Otherwise, it reports a connection - failure. + This action is strictly for connectivity verification and does not perform any + data enrichment or system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,10 +201,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (ping) against the Thinkst Canary + Console API. It does not fetch contextual data for entities, nor does it mutate + any external or internal system state. It is a utility action for configuration + validation. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity check. Per the provided + instructions, actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -156,3 +228,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates solely based on + configuration parameters provided in the integration settings. diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..1104789ff --- /dev/null +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,60 @@ +Thinkst - Alert Connector: + ai_description: >- + ### General Description + + The Thinkst Alert Connector integrates with the Thinkst Canary Console to retrieve + security incidents. It periodically polls the Canary API for new, unacknowledged + incidents, transforms them into standardized SOAR alerts, and ingests them into + Google SecOps. This allows security teams to monitor and respond to honeypot triggers + and other Canary-detected events directly within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API key for your Thinkst Canary console. | + + | Console Hash | String | Yes | The unique hash for your console (the part before + .canary.tools). | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the console. | + + | Ignore Informative | Boolean | No | If enabled, prevents the creation of cases + for informative incidents. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + + ### Flow Description + + 1. **Initialization**: The connector initializes using the provided API Key and + Console Hash to establish a secure connection to the Thinkst Canary API. + + 2. **Data Fetching**: It queries the `/incidents/unacknowledged` endpoint, handling + pagination to retrieve all new incidents since the last successful run (tracked + via context properties). + + 3. **Filtering**: If the "Ignore Informative" option is enabled, the connector + filters out incidents classified as informative (e.g., system configuration changes). + + 4. **Transformation**: Each incident is mapped to a SOAR `AlertInfo` object. This + includes normalizing timestamps, mapping incident types to priorities, and flattening + event data into a format compatible with Google SecOps. + + 5. **Ingestion**: The processed alerts are returned to the SOAR platform for case + creation. + + 6. **State Management**: Upon successful ingestion, the connector updates its + context with the latest incident ID and timestamp to ensure subsequent runs only + fetch new data. diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ae4ac1137 --- /dev/null +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: >- + The Thinkst Canary integration is a deception technology platform that monitors + for unauthorized access to honeypots. The primary function of the connector is + to ingest security alerts (honeypot triggers) into the SOAR platform. These alerts + are typically network-based, such as unauthorized port scans or access attempts, + which aligns with the Network Security category. The integration does not perform + log aggregation (SIEM), host-level process analysis (EDR), or other functions + like IAM, ITSM, or vulnerability management. Therefore, it is categorized under + Network Security. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml index 1607543bc..272a5bad8 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml @@ -1,68 +1,86 @@ Create a Case: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq to create a case. This aligns with the + 'Create Ticket' category, as it generates a new record/case in an external system. + It does not perform enrichment, containment, or other listed actions. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - This action creates a case or incident in the Torq platform by triggering a specific - Torq workflow via a Webhook. It automatically collects the current alert's metadata, - including entity details and raw data, and packages it into a JSON payload sent - to Torq. If Torq API credentials or a Bearer token are configured, the action - will also poll the Torq Public API to retrieve the final execution status and - output of the triggered workflow, providing the results directly within Google - SecOps. + Creates a case in Torq by triggering a workflow via a webhook. This action sends + the current alert payload, including entity information, to a configured Torq + webhook URL. It supports optional deduplication and correlation keys to manage + case creation and grouping. If configured, the action polls the Torq Public API + to retrieve the final execution output of the workflow. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Default Value | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. Reads integration configuration (URL, Secret, etc.) and action parameters. - | **Deduplication Key** | An optional idempotency key used by Torq to prevent - the creation of duplicate cases for the same event. | string | No | "" | + 2. Collects alert context, including case ID, alert details, and associated entities. - | **Correlation Key** | An optional key used to group related cases or incidents - within the Torq platform. | string | No | "" | + 3. Constructs a JSON payload containing the alert data and optional keys. - | **Poll Max Seconds** | The maximum duration (in seconds) the action will wait - and poll the Torq API for the workflow's final result. | string | No | "60" | + 4. Sends a POST request to the Torq Webhook URL. - | **Poll Interval Seconds** | The frequency (in seconds) at which the action will - check the Torq API for the workflow status. | string | No | "3" | + 5. Optionally polls the Torq Public API for the execution status and output if + configured. + 6. Adds the execution result to the Google SecOps action result pane. - ### Additional Notes - - The action requires a **Torq URL** and **Webhook Secret** to be configured in - the integration settings. + ### Parameters Description - - To enable polling for the final workflow output, you must provide either **Client - ID/Secret** (for OAuth) or a **Bearer Token (override)** in the integration configuration. + | Parameter | Type | Mandatory | Description | - - If polling is not configured or fails, the action will still succeed if the - initial webhook trigger was accepted by Torq. + | :--- | :--- | :--- | :--- | + | Deduplication Key | string | No | Optional idempotency key for case creation. + | - ### Flow Description + | Correlation Key | string | No | Optional correlation key for grouping cases/incidents. + | - 1. **Data Collection:** The action gathers context from the current Google SecOps - case (Case ID, Environment) and the specific alert (Severity, Product, Vendor, - Entities, and Raw Data). + | Poll Max Seconds | string | No | Maximum seconds to poll the execution (default: + 60). | - 2. **Payload Construction:** It builds a JSON payload containing the source ("Google - SecOps"), the action type ("create_case"), and the collected alert/case context. + | Poll Interval Seconds | string | No | Seconds between poll requests (default: + 3). | - 3. **Webhook Trigger:** It sends a POST request to the Torq Webhook URL, authenticated - via the "secret" header. - 4. **Execution Tracking:** Upon a successful trigger, it extracts the `execution_id` - from the Torq response. + ### Additional Notes - 5. **Polling (Optional):** If API credentials are available, it enters a polling - loop, querying the Torq Public API for the status of the execution ID until it - reaches a terminal state (e.g., SUCCESS, FAILED) or the timeout is reached. + - The action requires a valid Torq URL and Webhook Secret to be configured in + the integration instance settings. - 6. **Result Reporting:** The final status, execution details, and any output returned - by the Torq workflow are attached to the action's JSON result in Google SecOps. + - The action uses asynchronous polling to retrieve the final execution output + from Torq. capabilities: can_create_case_comments: false can_create_insight: false @@ -71,49 +89,21 @@ Create a Case: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow via a webhook which typically results in the creation - of a case, incident, or other records within the Torq platform. + Triggers a workflow in Torq to create a case, which may result in external system + state changes. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to trigger a workflow (can_mutate_external_data=true) + and polls the Torq Public API for execution status (fetches_data=true). It does + not update internal entities or modify alert data. categories: enrichment: false + reasoning: >- + The action creates external data (a case in Torq) rather than retrieving data + for enrichment, so it cannot be an Enrichment action. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -127,60 +117,85 @@ Create a Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `alert.entities` to serialize them into the payload sent + to Torq. It does not filter or perform operations on `siemplify.target_entities`. + Therefore, it does not 'run on' entities in the context of the SOAR action framework. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq and polls for the result. It does not + match any of the predefined categories such as enrichment, containment, or ticket + management. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Sends a ping to a Torq workflow via Webhook and optionally polls the Torq Public + API for the execution result. This action allows users to trigger automated workflows + in Torq and monitor their completion status directly from Google SecOps. - Sends a ping request to a Torq workflow via a Webhook and optionally polls the - Torq Public API to retrieve the execution result. This action is primarily used - to verify connectivity between Google SecOps and Torq, and to trigger automated - workflows within the Torq platform. + ### Flow Description - ### Parameters Description + 1. **Configuration Initialization**: The action reads the integration configuration + (URL, secret, region, etc.) from the server. - | Parameter | Description | Type | Mandatory | Default | + 2. **Payload Construction**: It constructs a JSON payload containing the source, + action label, and minimal context (case ID and name). - | :--- | :--- | :--- | :--- | :--- | + 3. **Webhook Trigger**: It sends a POST request to the configured Torq webhook + URL to initiate the workflow. - | Poll Max Seconds | The maximum amount of time (in seconds) the action will wait - for the Torq workflow execution to reach a terminal state. | String | No | 60 - | + 4. **Polling**: If an execution ID is returned, the action polls the Torq Public + API for the execution status until it reaches a terminal state or the maximum + polling time is exceeded. - | Poll Interval Seconds | The interval (in seconds) between successive requests - to the Torq API to check the status of the execution. | String | No | 3 | + 5. **Result Output**: The final execution result, including status and output, + is added to the action result. - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches integration settings, including - the Webhook URL, Secret, and API credentials (Client ID/Secret or Bearer Token). - - 2. **Payload Preparation**: A JSON payload is constructed containing the source - ("Google SecOps"), the action name ("ping"), and context from the current case - (Case ID, Name, Environment). + ### Parameters Description - 3. **Webhook Trigger**: The action sends a POST request to the Torq Webhook URL - with the provided secret. + | Parameter | Type | Mandatory | Description | - 4. **Execution Identification**: It parses the response to extract an `execution_id`. + | :--- | :--- | :--- | :--- | - 5. **Polling (Optional)**: If an execution ID is found and polling parameters - are set, the action repeatedly queries the Torq Public API for the execution's - status (e.g., SUCCESS, FAILED). + | Poll Max Seconds | string | false | Maximum seconds to poll the execution. Defaults + to "60". | - 6. **Result Reporting**: The final execution status, output data, and full API - response are attached to the action result in Google SecOps. + | Poll Interval Seconds | string | false | Seconds between poll requests. Defaults + to "3". | ### Additional Notes - - This action is named "Ping" and is excluded from enrichment categorization. - - - To enable polling, the integration must be configured with either OAuth credentials - or a Bearer Token override. - - - If the Webhook response does not contain an execution ID, polling is skipped. + This action does not operate on specific entities and does not require any entity + selection to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -189,12 +204,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow via a webhook POST request, which initiates an execution - in the Torq platform. + Triggers a workflow execution in Torq via a webhook POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers an external workflow via a POST request (can_mutate_external_data=true) + and polls the Torq Public API for the execution result (fetches_data=true). + It does not modify internal SecOps data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action triggers an external workflow and is not designed to fetch contextual + data for entities or alerts, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -210,18 +231,48 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It operates independently of any entity context. Run a Workflow: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq. This is a generic automation trigger + and does not match any of the specific product categories provided (e.g., Enrichment, + Containment, Ticket Management). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action triggers a Torq workflow by sending a POST request to a configured - Torq webhook. It is designed to bridge Google SecOps with Torq's automation capabilities, - allowing users to pass custom JSON data and optionally include the full context - of the current alert (including metadata and entities) to the workflow. If Torq - API credentials (Client ID/Secret or a Bearer Token) are provided in the integration - configuration, the action will also poll the Torq Public API to retrieve the final - execution status and output, providing a synchronous-like experience for asynchronous - workflow executions. + Triggers a workflow in Torq by sending a JSON payload to a configured webhook. + This action allows for custom automation by passing arbitrary JSON data and optionally + including the current alert's context. ### Parameters Description @@ -230,52 +281,36 @@ Run a Workflow: | :--- | :--- | :--- | :--- | - | **Workflow Input** | String (JSON) | Yes | A JSON object containing the data - to be passed into the Torq workflow. Must be a valid JSON dictionary. | + | Workflow Input | string | Yes | JSON object to pass into the Torq workflow. + | - | **Include Alert Payload** | Boolean | No | If set to `True`, the action retrieves - the current alert's details (identifier, name, severity, entities, etc.) and includes - them in the request payload under the 'alert' key. | + | Include Alert Payload | boolean | No | If true, include the current alert payload + under 'alert'. | - | **Poll Max Seconds** | String | No | The maximum amount of time (in seconds) - the action should wait and poll the Torq API for the workflow's completion. Defaults - to 60 seconds. | + | Poll Max Seconds | string | No | Maximum seconds to poll the execution. | - | **Poll Interval Seconds** | String | No | The frequency (in seconds) at which - the action checks the Torq API for the execution status. Defaults to 3 seconds. - | + | Poll Interval Seconds | string | No | Seconds between poll requests. | ### Additional Notes - - To enable polling for execution results, the Torq integration must be configured - with either `Client ID` and `Client Secret` or a `Bearer Token (override)`. Without - these, the action will only trigger the workflow and return the initial webhook - response. - - - The action uses a 'best-effort' approach to collect alert data, attempting to - find the current alert or falling back to the first alert in the case. + The action performs a POST request to trigger the workflow and then polls the + Torq Public API for the result. Ensure the Torq webhook URL and secret are correctly + configured in the integration settings. ### Flow Description - 1. **Configuration Retrieval:** The action reads the Torq URL, Webhook Secret, - and API credentials from the integration settings. + 1. Reads integration configuration (URL, secret, etc.) and action parameters. - 2. **Payload Construction:** It builds a JSON payload containing the user-provided - `Workflow Input`, minimal case context (Case ID, Environment), and the alert payload - if `Include Alert Payload` is enabled. + 2. Constructs a payload containing the provided `Workflow Input` and optionally + the current alert's context. - 3. **Workflow Trigger:** It sends a POST request to the Torq Webhook URL. If the - request is successful, it extracts the `execution_id` from the response. + 3. Sends a POST request to the Torq webhook URL. - 4. **Polling (Optional):** If an `execution_id` is found and API credentials are - available, the action enters a polling loop. It repeatedly queries the Torq Public - API for the status of the execution until it reaches a terminal state (e.g., SUCCESS, - FAILED) or the `Poll Max Seconds` threshold is met. + 4. Polls the Torq Public API for the execution status until completion or timeout. - 5. **Result Processing:** The action captures the final execution output and status, - attaching the full JSON response to the action results in Google SecOps. + 5. Returns the execution result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -284,12 +319,18 @@ Run a Workflow: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new workflow execution in the Torq platform by posting to a webhook, - which creates a state-changing event (an execution) in the external system. + Triggers a workflow execution in the Torq platform via a webhook POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to trigger a workflow (can_mutate_external_data=true) + and polls the Torq Public API for execution status (fetches_data=true). It does + not modify internal data or entities. categories: enrichment: false + reasoning: >- + The action triggers an external workflow (mutation) and polls for status. It + does not fit the 'read-only' enrichment criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -305,3 +346,7 @@ Run a Workflow: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or filter by entity type. + It optionally includes alert entities in the payload if 'Include Alert Payload' + is enabled, but it does not perform operations on these entities. diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac206fcc0 --- /dev/null +++ b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml @@ -0,0 +1,20 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + reasoning: >- + The Torq integration provides capabilities to create cases and run workflows within + the Torq platform. Creating cases aligns with the ITSM category, as it facilitates + documenting investigations and tracking tasks. Running workflows is a core orchestration + capability that often involves collaboration, such as triggering automated responses + or human-in-the-loop processes, which fits the Collaboration category. The integration + does not perform functions related to SIEM, EDR, Network Security, Threat Intelligence, + Email Security, IAM, Cloud Security, Vulnerability Management, or Asset Inventory. + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml index 5c8a8d9f1..e0d29d21a 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml @@ -1,52 +1,64 @@ Add Comment To Issue: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action adds a comment to an external issue in Wiz. It does not match any + of the provided categories (e.g., it is not an alert comment, ticket update, + or IOC modification). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Add Comment To Issue** action allows users to append a text comment (note) - to a specific issue within the Wiz platform. This is primarily used for documenting - investigation steps, providing updates, or collaborating on security findings - directly from Google SecOps. + Adds a comment to a specified issue in Wiz. This action allows users to append + notes or updates to an existing issue within the Wiz platform by providing the + issue's unique identifier and the comment text. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the target issue in Wiz - where the comment will be added. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | - | **Comment** | String | Yes | The actual text content of the comment to be posted - to the issue. | - - - ### Additional Notes - - - This action uses the Wiz GraphQL API (`createIssueNote` mutation) to perform - the update. - - - If the provided **Issue ID** does not exist in Wiz, the action will return an - error indicating the issue was not found. + | Comment | string | Yes | The text of the comment to add to the issue. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Issue ID` and `Comment` - text from the user input. + 1. The action extracts the `Issue ID` and `Comment` parameters from the input. - 2. **API Initialization**: It initializes the Wiz API client and authenticates - using the configured credentials (Client ID and Client Secret). + 2. It initializes the Wiz API client using the provided configuration. - 3. **Mutation Construction**: The action builds a GraphQL mutation payload using - the `AddCommentThreadMutationBuilder`, mapping the `Issue ID` and `Comment` to - the `createIssueNote` input. + 3. It constructs a GraphQL mutation to add a note to the specified issue. - 4. **Execution**: A POST request is sent to the Wiz GraphQL endpoint with the - mutation payload. + 4. It sends the mutation to the Wiz API via a POST request. - 5. **Result Processing**: The action parses the response from Wiz, confirms the - successful creation of the note, and returns the comment details as JSON results. + 5. It returns the result of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,12 +67,19 @@ Add Comment To Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment (note) to an existing issue in the Wiz platform via a GraphQL - mutation. + Adds a comment to an existing issue in the Wiz platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation (adding a comment) on an external system (Wiz) + via a GraphQL POST request. It does not fetch contextual data, nor does it modify + internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a comment to an external issue) and + does not retrieve data or perform enrichment, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,14 +95,48 @@ Add Comment To Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SecOps entities. It operates on a specific + Issue ID provided as a parameter. Get Issue Details: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific issue from the Wiz + platform. This aligns with the 'Get Alert Information' category, which covers + fetching details of alerts or issues from 3rd party products. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Issue Details** action retrieves comprehensive information about a specific - security issue within the Wiz platform. It is designed to provide security analysts - with detailed context regarding vulnerabilities, misconfigurations, or threats - identified by Wiz, including resource metadata and project associations. + The Get Issue Details action retrieves comprehensive information about a specific + issue from the Wiz platform. This action is useful for gathering context on security + findings, vulnerabilities, or misconfigurations identified by Wiz. ### Parameters Description @@ -92,37 +145,29 @@ Get Issue Details: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the Wiz issue to retrieve. - This ID is used to query the Wiz GraphQL API for specific issue metadata. | + | Issue ID | string | Yes | The unique identifier of the Wiz issue to retrieve. + | ### Flow Description - 1. **Parameter Extraction**: The action extracts the `Issue ID` from the input - parameters. + 1. The action extracts the `Issue ID` parameter provided by the user. - 2. **API Client Initialization**: It initializes the Wiz API client using the - integration's configuration (API Root, Client ID, and Client Secret) and authenticates - via OAuth2 to obtain a bearer token. + 2. It initializes the Wiz API client using the configured integration credentials. - 3. **GraphQL Query Construction**: The action builds a GraphQL query specifically - targeting the provided `Issue ID`. It requests fields such as status, severity, - description, creation/resolution timestamps, and an `entitySnapshot` which includes - cloud platform details (region, subscription, etc.). + 3. It constructs a GraphQL query to request specific fields (e.g., status, severity, + description, entity snapshot) for the specified issue. - 4. **Data Retrieval**: The query is sent to the Wiz `/graphql` endpoint via a - POST request. + 4. The action executes the GraphQL query against the Wiz API. - 5. **Result Output**: The action parses the response, converts the issue data - into a structured JSON format, and returns it as the action result. + 5. The retrieved issue details are returned as a JSON result, providing the analyst + with the necessary context. ### Additional Notes - - This is a read-only action and does not perform any mutations in the Wiz environment. - - - If the specified `Issue ID` is invalid or does not exist, the action will return - an explicit 'Issue not found' error. + This action does not modify any data in Wiz or the SOAR platform; it is a read-only + operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -133,8 +178,16 @@ Get Issue Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GraphQL query to retrieve issue details from the Wiz API. + It does not modify external systems or internal SOAR data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Wiz) but does not operate on + SOAR entities (it uses a manual ID parameter). Therefore, it does not meet the + criteria for an Enrichment action, which requires operating on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -150,49 +203,84 @@ Get Issue Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or use the entity object model. + It accepts a raw string parameter `Issue ID` to perform its lookup. Ignore Issue: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of an issue in the external Wiz platform. It does + not fit the specific definitions of 'Update Alert' (which is for SecOps platform + alerts) or 'Update Ticket' (which is for ITSM). Therefore, no category is selected. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ignore Issue** action allows users to ignore a specific issue within the - Wiz platform. This is typically used for issues identified as false positives, - exceptions, or those that will not be fixed. Note that this action is specifically - compatible with **Graph Control** or **Cloud Configuration** issues. + Use the Ignore Issue action to ignore a specified issue in Wiz. This action updates + the status of the issue to 'REJECTED' in the Wiz platform, effectively ignoring + it based on the provided resolution reason and note. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz to be - ignored. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | - | **Resolution Reason** | DDL | No | The reason for ignoring the issue. Options - include: `False Positive`, `Exception`, `Won't Fix`. Defaults to `False Positive`. - | + | Resolution Reason | ddl | No | The reason for the resolution of the issue. Options: + False Positive, Exception, Won't Fix. | + + | Resolution Note | string | Yes | A note that gives additional context for the + issue resolution. | + + + ### Additional Notes - | **Resolution Note** | String | Yes | A mandatory note providing additional context - or justification for ignoring the issue. | + This action only works on Graph Control or Cloud Configuration issues. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Issue ID, Resolution Reason, - and Resolution Note from the input parameters. + 1. Extract the required parameters (Issue ID, Resolution Reason, Resolution Note) + from the action configuration. - 2. **Validation**: It validates that the provided Resolution Reason matches the - allowed values (False Positive, Exception, Won't Fix) defined in the integration - constants. + 2. Validate the provided parameters, ensuring the Resolution Reason is one of + the allowed values. - 3. **API Interaction**: It executes a GraphQL mutation against the Wiz API to - update the status of the specified issue to `REJECTED`, applying the selected - resolution reason and the provided note. + 3. Initialize the Wiz API client using the integration configuration. - 4. **Result Processing**: Upon a successful API response, the action returns the - updated issue details as a JSON result and outputs a success message to the case - wall. + 4. Call the `ignore_issue` method on the API client, which sends a GraphQL mutation + to update the issue status to 'REJECTED' in Wiz. + + 5. Return the result of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,12 +289,18 @@ Ignore Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in Wiz to 'REJECTED' and attaches a - resolution reason and a mandatory note. + Updates the status of an issue in Wiz to 'REJECTED' with a specified resolution + reason and note. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on the external Wiz platform by updating an issue's + status. It does not fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation (updating an issue status) and does not fetch data, + therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -222,48 +316,78 @@ Ignore Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates on a specific + Issue ID provided as a parameter. Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the listed + operational tasks (enrichment, containment, ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the Wiz API. This action verifies that the provided credentials + and API root are valid by executing a test GraphQL query against the Wiz server. - The **Ping** action is a diagnostic utility designed to verify the connection - between Google SecOps and the Wiz platform. Its primary purpose is to ensure that - the integration's configuration parameters, such as the API Root, Client ID, and - Client Secret, are correct and that the environment can successfully communicate - with the Wiz API. + ### Flow Description - ### Parameters + 1. Initializes the API client using the provided configuration parameters (API + Root, Client ID, Client Secret). - There are no input parameters for this action. It relies entirely on the integration's - global configuration settings. + 2. Authenticates with the Wiz API using OAuth2 client credentials. + 3. Sends a test GraphQL query (`issues(first: 1)`) to the Wiz API to verify connectivity. - ### Additional Notes + 4. Returns a success message if the connection is established, or raises an error + if the connection fails. - - This action does not process any entities. - - It performs a read-only operation and has no impact on the data stored in Wiz. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - - According to standard SOAR practices, Ping actions are not categorized as enrichment. + | :--- | :--- | :--- | :--- | + | API Root | String | Yes | The base URL for the Wiz API. | - ### Flow Description + | Client ID | String | Yes | The client ID for authentication. | + + | Client Secret | String | Yes | The client secret for authentication. | - 1. **Client Initialization**: The action initializes the Wiz API client using - the global integration parameters (API Root, Client ID, Client Secret, and SSL - verification settings). + | Verify SSL | Boolean | No | Whether to verify SSL certificates. | - 2. **Authentication**: It performs an OAuth2 handshake with the Wiz authentication - server to obtain a bearer token. - 3. **Connectivity Test**: The action executes a minimal GraphQL query (fetching - the ID of a single issue) to the Wiz `/graphql` endpoint to verify that the token - is valid and the API is responsive. + ### Additional Notes - 4. **Response Validation**: The action checks the HTTP status code and the GraphQL - response body. If successful, it returns a confirmation message; otherwise, it - raises an error with details about the failure. + This action is a connectivity test and does not perform any data retrieval or + mutation beyond verifying the authentication and API reachability. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,10 +396,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GraphQL query to the Wiz + API. It does not modify external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -291,14 +422,47 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it is a global connectivity test. Reopen Issue: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action updates the status of an issue in the external Wiz platform. While + Wiz is a security platform, it functions as an issue tracking system, making + 'Update Ticket' the most appropriate category for this state-changing operation. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- ### General Description - The **Reopen Issue** action allows users to change the status of a specific issue - in Wiz back to 'OPEN'. This is typically used when an issue was previously resolved - or ignored but requires further investigation or remediation. The action interacts - with the Wiz GraphQL API to perform a status update mutation. + The **Reopen Issue** action updates the status of a specified issue in the Wiz + platform to 'OPEN'. This action is used to reactivate issues that were previously + resolved or ignored, allowing for further investigation or remediation. ### Parameters Description @@ -307,34 +471,23 @@ Reopen Issue: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that - you want to reopen. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz to be reopened. + | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `Issue ID` from - the input parameters. - - 2. **API Initialization**: It initializes the Wiz API client using the integration's - configuration (API Root, Client ID, Client Secret). - - 3. **Mutation Execution**: The action constructs and sends a GraphQL mutation - to the Wiz API, specifically targeting the `updateIssue` endpoint to set the issue's - status to 'OPEN'. + 1. **Parameter Extraction**: The action extracts the `Issue ID` from the provided + input parameters. - 4. **Result Processing**: Upon success, the action retrieves the updated issue - object from the response and provides it as a JSON result for downstream use in - the playbook. + 2. **API Client Initialization**: The action initializes the Wiz API client using + the configured credentials. + 3. **Mutation Execution**: The action sends a GraphQL mutation to the Wiz API + to update the status of the specified issue to 'OPEN'. - ### Additional Notes - - - This action requires valid API credentials with permissions to modify issue - statuses in Wiz. - - - If the provided `Issue ID` does not exist, the action will return an error indicating - the issue was not found. + 4. **Result Handling**: The action returns the updated issue details and provides + a success message confirming the issue has been reopened. capabilities: can_create_case_comments: false can_create_insight: false @@ -343,12 +496,19 @@ Reopen Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in the Wiz platform to 'OPEN' via a - GraphQL mutation. - fetches_data: true + Updates the status of an issue in the Wiz platform to 'OPEN'. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation (GraphQL update) on an external system (Wiz) + to change the status of an issue. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation (state change) on an external system and does not perform + any data retrieval for enrichment or analysis. Therefore, it does not qualify + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -364,59 +524,86 @@ Reopen Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SecOps entities (e.g., IP, Host). It takes an + 'Issue ID' as a direct input parameter to perform the operation on the external + Wiz platform. Resolve Issue: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs a mutation to resolve an issue in the Wiz platform. It does + not match any of the provided categories (e.g., it is not an enrichment, ticket + creation, or alert update within SecOps). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Resolve Issue** action allows users to programmatically resolve a specific - issue within the Wiz platform. This action is specifically designed for managing - **Threat Detection** issues. By providing the unique identifier of an issue, users - can transition its status to 'RESOLVED' while documenting the reason and providing - additional context. + The Resolve Issue action updates the status of a specified issue in the Wiz platform + to 'RESOLVED'. This action is used to manage threat detection issues by providing + a resolution reason and an optional note, allowing analysts to track and close + out security findings directly from the SOAR platform. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that - needs to be resolved. | + | --- | --- | --- | --- | - | **Resolution Reason** | DDL | No | The reason for resolving the issue. Supported - values include: `Malicious Threat`, `Not Malicious Threat`, `Security Test Threat`, - `Planned Action Threat`, and `Inconclusive Threat`. Defaults to `Not Malicious - Threat`. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | - | **Resolution Note** | String | No | An optional note providing further context - or details regarding the resolution of the issue. | + | Resolution Reason | ddl | No | The reason for the resolution of the issue. Defaults + to 'Not Malicious Threat'. | + | Resolution Note | string | No | A note that gives additional context about the + resolution. | - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution - Reason`, and `Resolution Note` from the user input. + ### Additional Notes - 2. **Validation:** It validates that the provided `Resolution Reason` matches - one of the supported values defined in the Wiz integration constants. + This action is a mutation action and does not fetch data. It requires an `Issue + ID` to identify the target issue in Wiz. The `Resolution Reason` must be one of + the predefined values: 'Malicious Threat', 'Not Malicious Threat', 'Security Test + Threat', 'Planned Action Threat', or 'Inconclusive Threat'. - 3. **API Interaction:** The action constructs and sends a GraphQL mutation to - the Wiz API. This mutation updates the issue's status to `RESOLVED` and attaches - the specified reason and note. - 4. **Result Handling:** Upon success, the action returns the updated issue object - as JSON and provides a success message. If the issue is not found, it raises an - `IssueNotFoundError`. + ### Flow Description + 1. Extract the `Issue ID`, `Resolution Reason`, and `Resolution Note` from the + action parameters. - ### Additional Notes + 2. Initialize the Wiz API client using the provided integration configuration. - - This action performs a state change in the external Wiz system by updating the - issue status. + 3. Execute a GraphQL mutation to update the issue status to 'RESOLVED' in Wiz, + including the provided reason and note. - - This action does not operate on SecOps entities (like IPs or Hostnames) but - rather on a specific Wiz Issue ID provided as a string parameter. + 4. Return the result of the mutation and output a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -425,12 +612,17 @@ Resolve Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in Wiz to 'RESOLVED' and sets the resolution - reason and note. + Updates the status of an issue in Wiz to 'RESOLVED' via a GraphQL mutation. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GraphQL mutation to resolve an issue in Wiz. It does not + fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates the state of an issue in an external + system (Wiz). It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -446,3 +638,6 @@ Resolve Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses an `Issue ID` provided + as a parameter to resolve an issue in Wiz. diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..baa2a2a9b --- /dev/null +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml @@ -0,0 +1,23 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The Wiz integration is a Cloud Security platform (CNAPP) that provides visibility + into cloud environments. It qualifies for the 'Cloud Security' category as it + manages cloud-native resources, findings, and configurations. It qualifies for + 'Vulnerability Management' because it identifies and tracks vulnerabilities and + misconfigurations across cloud assets. It qualifies for 'Asset Inventory' as it + provides detailed information about cloud assets, including ownership and criticality. + It does not qualify for 'ITSM' as the 'Issues' managed are security findings rather + than general IT tickets, nor does it fit 'SIEM', 'EDR', 'Network Security', 'Threat + Intelligence', 'Email Security', 'IAM', or 'Collaboration' categories based on + the provided actions. + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml index 27768f939..13e5d5a91 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml @@ -1,80 +1,96 @@ Calculate Risk Score: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action performs internal calculations to generate a risk score. It does + not match any of the defined product categories (e.g., it does not enrich IOCs/assets + with external data, update alerts, or perform containment). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Calculates a comprehensive risk score for an alert by analyzing XM Cyber enrichment - data embedded within security events and entity properties. This action acts as - a logic engine that transforms raw enrichment attributes into a structured JSON - object, enabling playbooks to make informed filtering and prioritization decisions - based on calculated risk levels. + The 'Calculate Risk Score' action computes a risk score for entities and alerts + based on a set of configurable parameters and existing event or entity properties. + It aggregates risk factors such as critical asset status, administrative privileges, + and MFA usage to provide a normalized risk score, which can be used by playbooks + for alert prioritization and filtering. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | AD Risk to Domain | DDL | Yes | Select the weight for Active Directory risk - to domain values (Disabled, Low, Default, High). | - - | AD Risky Principals | DDL | Yes | Select the weight for Active Directory risky - principals values (Disabled, Low, Default, High). | - - | AD Admins And DCs | DDL | Yes | Select the weight for AD Admins and Domain Controllers - values (Disabled, Low, Default, High). | - - | User without MFA | DDL | Yes | Select the weight for users lacking Multi-Factor - Authentication (Disabled, Low, Default, High). | + ### Flow Description - | Is Critical Asset | DDL | Yes | Select the weight applied if the entity is identified - as a critical asset (Disabled, Low, Default, High). | + 1. **Parameter Collection**: The action extracts configuration parameters (e.g., + risk weights for AD roles, MFA status, and critical assets) from the action settings. - | Predefined Admin | DDL | Yes | Select the weight applied if the entity is a - predefined administrator (Disabled, Low, Default, High). | + 2. **Data Retrieval**: It accesses the current alert's security events and target + entities (specifically USER and HOSTNAME types). - | Highly Privileged | DDL | Yes | Select the weight applied if the entity has - high privileges (Disabled, Low, Default, High). | + 3. **Risk Calculation**: For each event and entity, it calculates a risk score + using predefined mappings and the provided configuration parameters. - | Compromise Risk Score | DDL | Yes | Select the weight for the XM Cyber Compromise - Risk Score (Low, Default, High). | + 4. **Aggregation**: It aggregates the calculated scores and properties into a + structured JSON object. - | Choke Point Score | DDL | Yes | Select the weight for the XM Cyber Choke Point - Score (Low, Default, High). | + 5. **Result Output**: The final JSON object is added to the action results for + use by subsequent playbook steps. - ### Additional Notes + ### Parameters Description - - This action does not perform external API calls; it processes data already present - in the alert's security events and entity additional properties. + | Parameter | Type | Mandatory | Description | - - The final calculated risk score is capped at 100. + | :--- | :--- | :--- | :--- | - - The impact score component of the calculation is capped at 1.7. + | AD Risk to Domain | ddl | Yes | Select the AD Risk to Domain values to be used + in the XMCyber Risk Score Calculations. | + | AD Risky Principals | ddl | Yes | Select the AD Risky Principals values to be + used in the XMCyber Risk Score Calculations. | - ### Flow Description + | AD Admins And DCs | ddl | Yes | Select the AD Admins And DCs values to be used + in the XMCyber Risk Score Calculations. | - 1. **Parameter Extraction**: Retrieves user-defined weights for various risk factors - (e.g., MFA status, administrative privileges) from the action configuration. + | User without MFA | ddl | Yes | Select the User without MFA values to be used + in the XMCyber Risk Score Calculations. | - 2. **Event Analysis**: Iterates through the alert's security events, searching - for XM Cyber specific metadata and labels associated with assets or users. + | Is Critical Asset | ddl | Yes | Select the Is Critical Asset values to be used + in the XMCyber Risk Score Calculations. | - 3. **Entity Analysis**: Iterates through the alert's target entities (filtered - for Users and Hostnames), checking for XM Cyber enrichment data stored in their - additional properties. + | Predefined Admin | ddl | Yes | Select the Predefined Admin values to be used + in the XMCyber Risk Score Calculations. | - 4. **Scoring Logic**: For each identified entity, it calculates a risk score using - a formula that combines a base score with probability and impact multipliers derived - from the found attributes and configured weights. + | Highly Privileged | ddl | Yes | Select the Highly Privileged values to be used + in the XMCyber Risk Score Calculations. | - 5. **Aggregation**: Consolidates the findings from all events and entities, selecting - the maximum risk scores and aggregating boolean flags (like 'Is Critical Asset'). + | Compromise Risk Score | ddl | Yes | Select Compromise Risk Score value to be + used for the XMCyber Risk Score Calculations. | - 6. **Result Generation**: Produces a final JSON object containing the aggregated - risk profile, which is then attached to the action result for use in playbook - decision-making. + | Choke Point Score | ddl | Yes | Select Choke Point Score value to be used for + the XMCyber Risk Score Calculations. | capabilities: can_create_case_comments: false can_create_insight: false @@ -85,8 +101,18 @@ Calculate Risk Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs internal calculations on existing alert and entity data + retrieved from the SOAR platform. It does not make external API calls (fetches_data=false), + does not modify external systems (can_mutate_external_data=false), and does + not modify internal SOAR data (can_mutate_internal_data=false). It simply generates + a result JSON object. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for enrichment actions. It is a utility action for calculating risk scores based + on internal data. entity_usage: entity_types: - HOSTNAME @@ -104,31 +130,78 @@ Calculate Risk Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on `SUPPORTED_ENTITY_TYPES` (USER and HOSTNAME). It also accesses `entity.additional_properties` + to perform the risk calculation. Enrich Entities: - ai_description: "### General Description\nThe **Enrich Entities** action retrieves\ - \ deep contextual information for **HOSTNAME** and **USER** entities from the\ - \ XM Cyber platform. It is designed to provide security analysts with visibility\ - \ into asset criticality, compromise risk scores, and associated attack techniques\ - \ by enriching entities with data stored in the XM Cyber environment.\n\n### Parameters\ - \ Description\nThere are no user-configurable parameters for this action. It automatically\ - \ processes all supported entities within the current alert context based on the\ - \ integration's configuration.\n\n### Flow Description\n1. **Entity Identification**:\ - \ The action identifies all `HOSTNAME` and `USER` entities associated with the\ - \ alert.\n2. **Pre-Enrichment Filtering**: \n * It filters entities to ensure\ - \ they are of supported types.\n * It checks if the entity has already been\ - \ enriched within the last 24 hours by inspecting the `XMC_last_enriched` property\ - \ in the entity's additional properties.\n * It verifies if the entity is already\ - \ present in the security events to avoid redundant processing.\n3. **Data Retrieval**:\ - \ For eligible entities, the action queries the XM Cyber API (`/api/secopsPublisher/entities`)\ - \ using the entity identifiers.\n4. **Data Processing**: The retrieved data (e.g.,\ - \ risk scores, labels, AD risk details) is processed and prefixed with `XMC_`\ - \ to distinguish it from other enrichment sources.\n5. **Entity Update**: The\ - \ action updates the entities' `additional_properties` with the new data and marks\ - \ them as enriched by setting the `is_enriched` flag to `True`.\n\n### Additional\ - \ Notes\n* The action uses either API Key or OAuth-based authentication depending\ - \ on the integration configuration.\n* Enrichment data includes fields such as\ - \ `Compromise Risk Score`, `Is Critical Asset`, `Choke Point Score`, and `Attacked\ - \ By Techniques`." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (labels, risk scores, etc.) for assets + and users from XM Cyber and updates the entity profile in SecOps. This matches + the 'Enrich Asset' category. It does not match 'Enrich IOC' as it targets assets/users, + not indicators like IPs or Hashes. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + This action enriches `HOSTNAME` and `USER` entities by retrieving contextual metadata + from the XM Cyber platform. It enhances the entity profile within Google SecOps + by adding relevant security attributes, such as risk scores and labels, which + helps analysts better understand the threat landscape associated with specific + assets and users. + + + ### Parameters + + There are no explicit parameters defined for this action. It utilizes integration-level + configuration settings (Base URL, API Key, Authentication Type) to establish a + connection with the XM Cyber platform. + + + ### Flow Description + + 1. **Initialization**: The action retrieves integration parameters and initializes + the API manager. + + 2. **Filtering**: It filters the target entities from the alert, keeping only + `HOSTNAME` and `USER` types. It further refines this list by excluding entities + that have already been enriched within the last 24 hours. + + 3. **Enrichment**: The action queries the XM Cyber API to fetch enrichment data + for the remaining entities. + + 4. **Update**: It processes the API response, updates the `additional_properties` + of the entities with the retrieved data, and marks them as enriched. + + 5. **Finalization**: The action updates the entities in the Google SecOps platform + and provides a summary of the processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -139,10 +212,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data from XM Cyber and - sets the is_enriched flag to true. + Updates entity additional properties and enrichment status within Google SecOps. + reasoning: >- + The action fetches data from an external API (XM Cyber) to enrich entities. + It updates the entity's `additional_properties` and `is_enriched` status within + the SecOps platform using `siemplify.update_entities`. It does not mutate external + data or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates internal entity properties. + It does not mutate external systems, create insights, or add comments. It fits + the definition of an Enrichment Action. entity_usage: entity_types: - HOSTNAME @@ -152,63 +233,77 @@ Enrich Entities: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false - filters_by_is_enriched: false + filters_by_is_enriched: true filters_by_is_internal: false filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` by `SUPPORTED_ENTITY_TYPES` (`USER`, + `HOSTNAME`). It also checks `additional_properties` for existing enrichment + data and updates the entity's `is_enriched` status. Get Event Data JSON: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a utility that formats existing data into a JSON result. It does + not fetch new information from an external product, nor does it perform any + enrichment, containment, or ticketing operations. It does not match any of the + defined product categories. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Get Event Data JSON** action aggregates XM Cyber-specific metadata from - both the security events of an alert and the entities associated with the case. - It compiles this information into a structured JSON object, mapping entity identifiers - to their full XM Cyber context (e.g., risk scores, criticality, and labels). This - allows playbooks to easily access consolidated threat intelligence and direct - portal links for all relevant entities in a single step. - + This action aggregates entity details (users and hostnames) from the current alert's + security events and existing enriched entities. It formats this information into + a structured JSON object, including direct links to the XM Cyber entity overview + page. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any input parameters. | - - - ### Additional Notes - - - This action is a data-processing utility and does not communicate with the XM - Cyber API during execution. + ### Flow Description - - It relies on data being present from previous enrichment steps or ingestion - mapping within the alert's `security_events` or the case's `target_entities`. + 1. Retrieve security events and target entities from the current alert. + 2. Extract entity IDs and XM Cyber-specific attributes from event properties. - ### Flow Description + 3. Filter target entities based on supported types (USER, HOSTNAME) and XM Cyber + identifiers. - 1. **Retrieve Context**: The action fetches all security events associated with - the current alert and all target entities in the case. + 4. Compile the extracted data into a mapping of entity IDs to their properties, + appending a URL to the XM Cyber instance for each. - 2. **Process Events**: It scans alert events for XM Cyber identifiers and attributes - (e.g., labels, product object IDs) for assets and users. + 5. Output the final JSON object to the action results. - 3. **Process Entities**: It filters case entities (Hostnames and Users) for those - containing XM Cyber enrichment data in their `additional_properties`. - 4. **Map Attributes**: For each identified entity, it extracts specific XM Cyber - fields such as 'Choke Point Score', 'Compromise Risk Score', and 'AD Risk'. + ### Parameters - 5. **Generate Links**: It constructs direct URLs to the XM Cyber portal for each - entity using the integration's base URL. - - 6. **Output Results**: It compiles all gathered data into a single JSON object - and returns it as the action result. + There are no input parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -219,12 +314,21 @@ Get Event Data JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action processes existing data from the alert and entities to format a JSON + result. It does not perform any external API calls (fetches_data=false), does + not mutate external systems, and does not modify internal case data (entities, + insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes existing + alert/entity data) and does not perform any mutations. Therefore, it does not + meet the criteria for an Enrichment action. entity_usage: entity_types: - - HOSTNAME - USERUNIQNAME + - HOSTNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -238,26 +342,54 @@ Get Event Data JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on their `entity_type` (USERUNIQNAME, HOSTNAME) and the presence of specific + XM Cyber identifiers in their `additional_properties`. Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the XM Cyber platform. It ensures that the provided Base URL\ - \ and credentials (either API Key or Access Token) are valid and that the network\ - \ path is open.\n\n### Parameters Description\nThere are no action-specific parameters\ - \ for this action. It relies entirely on the integration's global configuration\ - \ settings (Base URL, API Key, and Authentication Type).\n\n### Flow Description\n\ - 1. **Configuration Retrieval**: The action fetches the integration's global settings,\ - \ including the Base URL, API Key, and the selected authentication method (API\ - \ Key vs. Access Token).\n2. **API Manager Initialization**: It initializes the\ - \ internal API communication module.\n3. **Connectivity Test**: \n * If using\ - \ **API Key Authentication**, the action performs a `POST` request to the `/api/auth/`\ - \ endpoint to validate the key.\n * If using **Access Token Based Authentication**,\ - \ it initializes the OAuth2 flow, which involves attempting to retrieve or refresh\ - \ an access token.\n4. **Status Reporting**: If the authentication handshake is\ - \ successful, the action returns a success message. If any step fails (e.g., 401\ - \ Unauthorized, connection timeout), it captures the error and reports a failure.\n\ - \n### Additional Notes\nThis action is intended for setup and troubleshooting\ - \ purposes and does not interact with specific security entities or alert data." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the listed + operational tasks (enrichment, containment, ticket management, etc.). + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Tests the connectivity and configuration of the XM Cyber integration. This action + verifies that the provided credentials and base URL are valid by attempting to + authenticate with the XM Cyber API. Flow: 1. Extracts integration parameters (Base + URL, API Key, Auth Type) from the configuration. 2. Initializes the ApiManager + with the provided credentials. 3. Performs a connectivity test by sending a request + to the XM Cyber API (specifically the /api/auth/ endpoint). 4. Returns a success + or failure status based on the API response. Parameters: Access Token Based Authentication + (Boolean, Mandatory): Determines whether to use OAuth or API Key authentication. + Base URL (String, Mandatory): The base URL of the XM Cyber instance. API Key (String, + Mandatory): The API key used for authentication. Additional Notes: This action + is a connectivity test and does not perform any data enrichment or system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -268,8 +400,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (Ping) to verify that the provided + credentials and URL are valid. It does not fetch data, mutate external systems, + or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named Ping and is used for connectivity testing. Per the instructions, + Ping actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -285,69 +424,91 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Push Breach Point Data: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + reasoning: >- + The action pushes breach point labels to entities in the XM Cyber platform based + on criteria. It does not fetch data, nor does it perform standard containment + or ticketing actions. It modifies metadata in an external system, but does not + fit the specific definitions of the provided categories (e.g., it's not updating + an identity's password or permissions, nor is it a standard ticket update). + Therefore, all categories are false. + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Pushes breach point labels to entities in XM Cyber based on defined criteria. + This action allows analysts to identify specific entities (users or assets) that + meet certain criteria and apply a custom label to them within the XM Cyber platform. - The **Push Breach Point Data** action allows users to apply specific labels (attributes) - to entities within the XM Cyber platform based on filtering criteria defined in - Google SecOps. This action is typically used to tag entities involved in a security - incident as 'Breach Points' or other custom designations within the XM Cyber environment - for further risk analysis and visibility. + ### Flow - ### Parameters Description + 1. Authenticate with the XM Cyber platform using the configured credentials. - | Parameter | Type | Mandatory | Description | + 2. Extract action parameters: `Attribute Name`, `Parameter`, `Operator`, and `Value`. - | :--- | :--- | :--- | :--- | + 3. Validate the provided input parameters. - | **Attribute Name** | String | Yes | The name of the attribute/label to be pushed - to XM Cyber (e.g., `Google_SecOps_BP`). | + 4. Iterate through the current alert's security events and target entities. - | **Parameter** | DDL | Yes | The entity or event property to evaluate (e.g., - `Compromised Risk Score`, `Is Critical Asset`, `entityID`, `Labels`). | + 5. Filter entities based on the provided criteria (e.g., checking if a specific + property matches a value). - | **Operator** | DDL | Yes | The logical operator used to compare the `Parameter` - against the `Value` (e.g., `Equals`, `Greater than`, `Contains`). | + 6. Push the breach point label to the matching entities in XM Cyber via an API + request. - | **Value** | String | Yes | The specific value to match against the chosen `Parameter`. - | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: The action authenticates with the XM Cyber API using either - API Key or OAuth (Access Token) credentials. + | :--- | :--- | :--- | :--- | - 2. **Input Validation**: It validates the user-provided criteria (Parameter, Operator, - Value) to ensure they are compatible (e.g., ensuring 'Contains' is only used with - list-based parameters). + | Attribute Name | string | Yes | The name of the attribute/label to be pushed + to entities in XM Cyber. | - 3. **Entity Identification**: - - The action scans all **Security Events** associated with the current alert - to identify asset or user IDs. - - It scans all **Target Entities** (specifically Hostnames and Users) in the - current case scope. - 4. **Criteria Evaluation**: For each identified entity, the action checks if its - properties (retrieved from `additional_properties` populated by previous enrichment) - match the specified criteria. + | Parameter | ddl | Yes | The entity property to check against the criteria. | - 5. **Data Push**: For every entity that meets the criteria, the action sends a - POST request to the XM Cyber API to apply the specified label (e.g., setting the - attribute to `true`). + | Operator | ddl | Yes | The operator used for matching the values (e.g., Equals, + Contains). | - 6. **Completion**: The action returns a summary of the entities successfully updated - in the XM Cyber platform. + | Value | string | Yes | The custom value to compare against the entity parameter + value. | ### Additional Notes - - This action requires entities to have been previously enriched by XM Cyber (specifically - requiring the `XMC_product_object_id` property) to successfully map them back - to the XM Cyber platform. + - The action supports filtering entities based on `USER` and `HOSTNAME` types. - - Supported entity types are **HOSTNAME** and **USER**. + - If the `Parameter` is set to 'All', the criteria check is bypassed, and data + is pushed for all supported entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -356,22 +517,28 @@ Push Breach Point Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Applies labels/attributes to entities in the XM Cyber platform via a POST request - to the `/api/entityInventory/applyImportedLabelsOnEntities` endpoint. + Pushes breach point labels to entities in the XM Cyber platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the XM Cyber API to push breach point + labels to entities. It does not fetch data from the external system for enrichment, + nor does it modify internal SOAR case data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action that pushes data to an external system, not + an enrichment action that retrieves data. entity_usage: entity_types: - HOSTNAME - USERUNIQNAME - filters_by_additional_properties: true + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -379,3 +546,7 @@ Push Breach Point Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by `SUPPORTED_ENTITY_TYPES` + which includes `USER` and `HOSTNAME`. This means it targets `USERUNIQNAME` and + `HOSTNAME` entities, filtering by entity_type. diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..08e3c9acd --- /dev/null +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,21 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + reasoning: >- + The XM Cyber integration provides capabilities to enrich HOSTNAME and USER entities + with risk scores, criticality, and breach point data from the XM Cyber Continuous + Exposure Management platform. This aligns with Asset Inventory as it provides + critical context (risk, criticality) about internal assets. It also aligns with + Vulnerability Management because XM Cyber's core function is to identify attack + paths, breach points, and exposure, which is a critical component of modern vulnerability + management and risk-based prioritization. It does not perform SIEM log ingestion, + EDR host containment, network blocking, or IAM management. + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/packages/mp/docs/commands/describe.md b/packages/mp/docs/commands/describe.md index bd1d064d6..934545a5d 100644 --- a/packages/mp/docs/commands/describe.md +++ b/packages/mp/docs/commands/describe.md @@ -1,46 +1,93 @@ -# `mp describe action` +# `mp describe` -Generate AI-based descriptions for integration actions using Gemini. This command analyzes action scripts and metadata to create detailed documentation and capabilities summaries. +Commands for creating AI-based descriptions for marketplace content using Gemini. This set of commands analyzes Python scripts and metadata to create detailed documentation and capabilities summaries. -## Usage +## `mp describe action` + +Generate AI-based descriptions for integration actions. + +### Usage ```bash mp describe action [ACTIONS]... [OPTIONS] ``` -## Arguments +### Options -* `ACTIONS`: Optional list of specific action names to describe. If omitted and a specific integration is targeted, all actions in that integration will be described. +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:---------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration containing the actions. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all actions if an integration is specified. | `bool` | `False` | +| `--override` | | Rewrite actions that already have a description. | `bool` | `False` | -## Options +## `mp describe connector` -| Option | Shorthand | Description | Type | Default | -| :--- | :--- | :--- | :--- | :--- | -| `--integration` | `-i` | The name of the integration containing the actions. | `str` | `None` | -| `--all` | `-a` | Describe all integrations in the marketplace, or all actions if an integration is specified. | `bool` | `False` | -| `--src` | | Customize source folder to describe from. | `Path` | `None` | -| `--override` | | Rewrite actions that already have a description. | `bool` | `False` | -| `--quiet` | `-q` | Log less on runtime. | `bool` | `False` | -| `--verbose` | `-v` | Log more on runtime. | `bool` | `False` | +Generate AI-based descriptions for integration connectors. -## Examples +### Usage -### Describe specific actions in an integration ```bash -mp describe action ping get_logs --integration aws_ec2 +mp describe connector [CONNECTORS]... [OPTIONS] ``` -### Describe all actions in a specific integration +### Options + +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:-----------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration to describe connectors for. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all connectors if an integration is specified | `bool` | `False` | +| `--override` | `-o` | Rewrite connectors that already have a description. | `bool` | `False` | + +## `mp describe job` + +Generate AI-based descriptions for integration jobs. + +### Usage + ```bash -mp describe action --integration aws_ec2 --all +mp describe job [JOBS]... [OPTIONS] ``` -### Describe all actions in the entire marketplace +### Options + +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration to describe jobs for. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all jobs if an integration is specified. | `bool` | `False` | +| `--override` | `-o` | Rewrite jobs that already have a description. | `bool` | `False` | + +## `mp describe integration` + +Determine product categories for an integration based on its actions, connectors, and jobs descriptions. + +### Usage + ```bash -mp describe action --all +mp describe integration [INTEGRATIONS]... [OPTIONS] ``` -### Describe all actions in a custom source directory +### Options + +| Option | Shorthand | Description | Type | Default | +|:-------------|:----------|:------------------------------------------------------|:-------|:--------| +| `--all` | `-a` | Describe all integrations in the marketplace. | `bool` | `False` | +| `--override` | `-o` | Rewrite integrations that already have a description. | `bool` | `False` | + +## `mp describe all-content` + +Describe all content (actions, connectors, jobs, and the integration) for integrations. + +### Usage + ```bash -mp describe action --all --src ./custom_integrations -``` \ No newline at end of file +mp describe all-content [INTEGRATIONS]... [OPTIONS] +``` + +### Options + +| Option | Shorthand | Description | Type | Default | +|:-------------|:----------|:-----------------------------------------------------|:-------|:--------| +| `--all` | `-a` | Describe all content for all integrations. | `bool` | `False` | +| `--override` | `-o` | Rewrite content that already have their description. | `bool` | `False` | +| `--quiet` | `-q` | Log less on runtime. | `bool` | `False` | +| `--verbose` | `-v` | Log more on runtime. | `bool` | `False` | \ No newline at end of file diff --git a/packages/mp/pyproject.toml b/packages/mp/pyproject.toml index ee978d62f..2a8d260fd 100644 --- a/packages/mp/pyproject.toml +++ b/packages/mp/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "mp" -version = "1.28.22" +version = "1.29.0" description = "General Purpose CLI tool for Google SecOps Marketplace" readme = "README.md" authors = [ @@ -35,7 +35,7 @@ dependencies = [ "pydantic>=2.11.7", "pyyaml>=6.0.2", "rich>=14.0.0", - "ruff>=0.15.0", + "ruff>=0.15.9", "defusedxml>=0.7.1", "toml>=0.10.2", "typer>=0.16.0", @@ -44,9 +44,9 @@ dependencies = [ "jinja2>=3.1.6", "deepdiff>=8.6.1", "platformdirs>=4.5.0", - "ty>=0.0.15", + "ty>=0.0.29", "ruamel-yaml == 0.17.40", - "google-genai>=1.59.0", + "google-genai>=1.73.0", "tenacity>=9.1.2", "anyio>=4.12.1", "toon-format", @@ -55,10 +55,10 @@ dependencies = [ [dependency-groups] dev = [ - "hypothesis>=6.147.0", - "pytest>=8.4.0", - "pytest-cov>=6.2.1", - "pytest-xdist>=3.7.0", + "hypothesis>=6.151.12", + "pytest>=9.0.3", + "pytest-cov>=7.1.0", + "pytest-xdist>=3.8.0", ] [project.scripts] @@ -66,7 +66,7 @@ mp = "mp.main:main" wmp = "mp.main:main" [build-system] -requires = ["uv_build>=0.10.0"] +requires = ["uv_build>=0.11.3,<0.12"] build-backend = "uv_build" [project.urls] diff --git a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py index 3c5c5170f..297f86d72 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py @@ -46,6 +46,11 @@ from mp.core.data_models.integrations.action.metadata import ActionMetadata from mp.core.data_models.integrations.action_widget.metadata import ActionWidgetMetadata from mp.core.data_models.integrations.connector.metadata import ConnectorMetadata +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + IntegrationProductCategories, +) from mp.core.data_models.integrations.integration_meta.metadata import ( IntegrationMetadata, PythonVersion, @@ -169,6 +174,31 @@ def _create_resource_files(self) -> None: self._create_png_image(resources_dir) self._create_svg_logo(resources_dir) + self._create_ai_description_file(resources_dir) + + def _create_ai_description_file(self, resources_dir: Path) -> None: + ai_dir: Path = resources_dir / mp.core.constants.AI_DIR + ai_dir.mkdir(exist_ok=True, parents=True) + + for file_name, content in self.integration.ai_metadata.items(): + if file_name == mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE: + continue + + ai_file: Path = ai_dir / file_name + mp.core.file_utils.write_yaml_to_file(content, ai_file) + + categories_dict: dict[str, bool | str] = { + category: value in self.integration.metadata.product_categories + for category, value in PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY.items() + } + categories_dict["reasoning"] = "" + + ai_meta = IntegrationAiMetadata( + product_categories=IntegrationProductCategories.model_validate(categories_dict) + ) + + ai_file: Path = ai_dir / mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE + mp.core.file_utils.write_yaml_to_file(ai_meta.model_dump(), ai_file) def _create_png_image(self, resources_dir: Path) -> None: if self.integration.metadata.image_base64: diff --git a/packages/mp/src/mp/build_project/restructure/integrations/integration.py b/packages/mp/src/mp/build_project/restructure/integrations/integration.py index 3fede6054..41cfc38ef 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/integration.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/integration.py @@ -52,10 +52,10 @@ def restructure_integration( """ rich.print(f"Restructuring {integration_metadata['metadata']['Identifier']}") - if mp.core.file_utils.is_non_built_integration(integration_path): - rich.print("Restructuring metadata") - metadata.Metadata(integration_out_path, integration_metadata).restructure() + rich.print("Restructuring metadata") + metadata.Metadata(integration_out_path, integration_metadata).restructure() + if mp.core.file_utils.is_non_built_integration(integration_path): rich.print("Restructuring scripts") scripts.Scripts(integration_path, integration_out_path).restructure() diff --git a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py index 519d1f034..c26aba43e 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py @@ -26,7 +26,9 @@ import dataclasses import json import operator -from typing import TYPE_CHECKING +from typing import TYPE_CHECKING, Any + +import yaml import mp.core.constants @@ -62,6 +64,18 @@ def restructure(self) -> None: self._restructure_widget_metadata() self._restructure_custom_families() self._restructure_mapping_rules() + self._restructure_ai_metadata() + + def _restructure_ai_metadata(self) -> None: + ai_metadata: Mapping[str, Any] = self.metadata["ai_metadata"] + if not ai_metadata: + return + + ai_path: Path = self.out_path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR + ai_path.mkdir(parents=True, exist_ok=True) + for file_name, content in ai_metadata.items(): + metadata_file: Path = ai_path / file_name + metadata_file.write_text(yaml.dump(content, sort_keys=True), encoding="utf-8") def _restructure_integration_metadata(self) -> None: metadata: BuiltIntegrationMetadata = self.metadata["metadata"] diff --git a/packages/mp/src/mp/config/typer_app.py b/packages/mp/src/mp/config/typer_app.py index 483e10d49..286a74c51 100644 --- a/packages/mp/src/mp/config/typer_app.py +++ b/packages/mp/src/mp/config/typer_app.py @@ -14,6 +14,7 @@ from __future__ import annotations +import os import pathlib from typing import Annotated @@ -93,13 +94,25 @@ def config( n: int = mp.core.config.get_processes_number() c: int = mp.core.config.get_gemini_concurrency() k: str | None = mp.core.config.get_gemini_api_key() + env_k: str | None = os.environ.get("GEMINI_API_KEY") + + display_k: str = "N/A" if k: - k = f"{k[:4]}{'*' * (len(k) - 4)}" + display_k = f"{k[:4]}{'*' * (len(k) - 4)} (from config)" + if env_k and k != env_k: + display_k += ( + f"\n[yellow]Warning: GEMINI_API_KEY environment variable is also set " + f"({env_k[:4]}{'*' * (len(env_k) - 4)}), but the configuration above " + "takes priority.[/yellow]" + ) + elif env_k: + display_k = f"{env_k[:4]}{'*' * (len(env_k) - 4)} (from GEMINI_API_KEY env var)" + rich.print( f"Marketplace path: {p}\n" f"Number of processes: {n}\n" f"Gemini concurrency: {c}\n" - f"API Key: {k}" + f"API Key: {display_k}" ) diff --git a/packages/mp/src/mp/core/constants.py b/packages/mp/src/mp/core/constants.py index 3e270f47e..0cf8f6349 100644 --- a/packages/mp/src/mp/core/constants.py +++ b/packages/mp/src/mp/core/constants.py @@ -84,6 +84,15 @@ AI_DIR: str = "ai" ACTIONS_AI_DESCRIPTION_FILE: str = "actions_ai_description.yaml" +CONNECTORS_AI_DESCRIPTION_FILE: str = "connectors_ai_description.yaml" +JOBS_AI_DESCRIPTION_FILE: str = "jobs_ai_description.yaml" +INTEGRATIONS_AI_DESCRIPTION_FILE: str = "integration_ai_description.yaml" +AI_DESCRIPTION_FILES: tuple[str, ...] = ( + ACTIONS_AI_DESCRIPTION_FILE, + CONNECTORS_AI_DESCRIPTION_FILE, + JOBS_AI_DESCRIPTION_FILE, + INTEGRATIONS_AI_DESCRIPTION_FILE, +) ACTIONS_META_SUFFIX: str = ".actiondef" CONNECTORS_META_SUFFIX: str = ".connectordef" diff --git a/packages/mp/src/mp/core/data_models/abc.py b/packages/mp/src/mp/core/data_models/abc.py index 1f2794bb2..96bc9cdb3 100644 --- a/packages/mp/src/mp/core/data_models/abc.py +++ b/packages/mp/src/mp/core/data_models/abc.py @@ -16,13 +16,14 @@ import abc import enum -import json from collections.abc import Mapping from typing import TYPE_CHECKING, Any, Generic, Self, TypeVar import pydantic import yaml +import mp.core.file_utils + if TYPE_CHECKING: from pathlib import Path @@ -306,15 +307,12 @@ def _from_built_path(cls, metadata_path: Path) -> T_SingularComponentMetadata: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _BT = json.loads(built_content) + metadata_json: _BT = mp.core.file_utils.load_json_file(metadata_path) built: T_SingularComponentMetadata = cls.from_built(metadata_path.stem, metadata_json) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {metadata_path}" + raise ValueError(msg) from e else: return built @@ -332,15 +330,12 @@ def _from_non_built_path(cls, metadata_path: Path) -> T_SingularComponentMetadat ValueError: when the non-built YAML failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - non_built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _NBT = yaml.safe_load(non_built_content) + metadata_json: _NBT = mp.core.file_utils.load_yaml_file(metadata_path) non_built: Self = cls.from_non_built(metadata_path.stem, metadata_json) - except (ValueError, yaml.YAMLError) as e: - msg: str = f"Failed to load yaml from {metadata_path}\n{non_built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load yaml from {metadata_path}" + raise ValueError(msg) from e else: return non_built @@ -393,15 +388,12 @@ def _from_built_path(cls, metadata_path: Path) -> T_ComponentMetadata: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _BT = json.loads(built_content) + metadata_json: _BT = mp.core.file_utils.load_json_file(metadata_path) built: T_ComponentMetadata = cls.from_built(metadata_path.stem, metadata_json) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {metadata_path}" + raise ValueError(msg) from e else: return built @@ -419,15 +411,12 @@ def _from_non_built_path(cls, metadata_path: Path) -> T_ComponentMetadata: ValueError: when the non-built YAML failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - non_built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _NBT = yaml.safe_load(non_built_content) + metadata_json: _NBT = mp.core.file_utils.load_yaml_file(metadata_path) non_built: Self = cls.from_non_built(metadata_path.stem, metadata_json) - except (ValueError, yaml.YAMLError) as e: - msg: str = f"Failed to load yaml from {metadata_path}\n{non_built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load yaml from {metadata_path}" + raise ValueError(msg) from e else: return non_built @@ -481,15 +470,12 @@ def _from_built_path(cls, meta_path: Path) -> list[T_SequentialMetadata]: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built: str = meta_path.read_text(encoding="utf-8") try: - content: list[_BT] = json.loads(built) + content: list[_BT] = mp.core.file_utils.load_json_file(meta_path) results: list[T_SequentialMetadata] = [cls.from_built(c) for c in content] - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {meta_path}\n{built}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {meta_path}" + raise ValueError(msg) from e else: return results @@ -521,13 +507,11 @@ def from_non_built_str(cls, raw_text: str) -> list[T_SequentialMetadata]: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: content: list[_NBT] = yaml.safe_load(raw_text) results: list[T_SequentialMetadata] = [cls.from_non_built(c) for c in content] except (ValueError, yaml.YAMLError) as e: msg: str = "Failed to load yaml." - raise ValueError(trim_values(msg)) from e + raise ValueError(msg) from e else: return results diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py similarity index 81% rename from packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py rename to packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py index f96dbc783..17ef02c02 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py @@ -18,8 +18,21 @@ from pydantic import BaseModel, Field +from mp.core.data_models.abc import RepresentableEnum + class AiCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action against all available AI " + "categories (e.g. enrichment). Explicitly state why the action matches or " + "does not match the criteria before setting their boolean flags." + ), + ), + ] enrichment: Annotated[ bool, Field( @@ -88,3 +101,12 @@ def is_enrichment_action(action): ) ), ] + + +class ActionAiCategory(RepresentableEnum): + ENRICHMENT = "Enrichment" + + +AI_CATEGORY_TO_DEF_AI_CATEGORY: dict[str, ActionAiCategory] = { + "enrichment": ActionAiCategory.ENRICHMENT, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py index ea9aee936..8e3d35fb3 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py @@ -20,6 +20,18 @@ class ActionCapabilities(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action's capabilities. Explicitly " + "state why the action fetches data, mutates external data, mutates internal " + "data, updates entities, creates insights, modifies alert data, or creates " + "case comments before setting the boolean flags." + ), + ), + ] fetches_data: Annotated[ bool, Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py index 6bb9421e4..6c6938548 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py @@ -22,6 +22,17 @@ class EntityUsage(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating how the action uses entities. Explicitly " + "state the entity types used and why each filtering condition is met or not " + "met before setting the boolean flags." + ), + ), + ] entity_types: Annotated[ list[EntityType], Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py index 25deac8dc..abd31499a 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py @@ -18,9 +18,10 @@ from pydantic import BaseModel, Field +from .ai_categories import AiCategories # noqa: TC001 from .capabilities import ActionCapabilities # noqa: TC001 -from .categories import AiCategories # noqa: TC001 from .entity_usage import EntityUsage # noqa: TC001 +from .product_categories import ActionProductCategories # noqa: TC001 class ActionAiMetadata(BaseModel): @@ -57,7 +58,7 @@ class ActionAiMetadata(BaseModel): description=( "Fields that describe how the action operates. Determine these fields based on the" "metadata json and the code itself." - ) + ), ), ] categories: Annotated[ @@ -66,7 +67,7 @@ class ActionAiMetadata(BaseModel): description=( "Categories that describe the action's capabilities." " These tags are inferred based on the fields." - ) + ), ), ] entity_usage: Annotated[ @@ -78,3 +79,13 @@ class ActionAiMetadata(BaseModel): ), ), ] + action_product_categories: Annotated[ + ActionProductCategories, + Field( + description=( + "Categories that describe the action's capabilities in its security product." + " It shows the category and explains the expected outcome of such" + " action." + ), + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py new file mode 100644 index 000000000..2f033cf75 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py @@ -0,0 +1,413 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import enum +from typing import Annotated + +from pydantic import BaseModel, Field + + +class ActionProductCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action against all available product " + "categories. Explicitly state why the action matches or does not match the " + "'Expected Outcome' of relevant categories before setting their boolean flags." + ), + ), + ] + enrich_ioc: Annotated[ + bool, + Field( + title="Enrich IOC (hash, filename, IP, domain, URL, CVE, Threat Actor, Campaign)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Returns reputation, prevalence, and threat intelligence" + " (e.g., malware family, attribution) for the indicator." + ), + ), + ] + enrich_asset: Annotated[ + bool, + Field( + title="Enrich Asset (hostname, user or internal resource)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Returns contextual metadata (e.g., OS version, owner, department, MAC address)" + " for a user or resource." + ), + ), + ] + update_alert: Annotated[ + bool, + Field( + title="Update Alert", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Changes the status, severity, or assignee of the alert within the SecOps" + " platform." + ), + ), + ] + add_alert_comment: Annotated[ + bool, + Field( + title="Add Alert Comment", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Appends analyst notes or automated log entries to the alert's activity timeline." + ), + ), + ] + create_ticket: Annotated[ + bool, + Field( + title="Create Ticket", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns" + " the Ticket ID." + ), + ), + ] + update_ticket: Annotated[ + bool, + Field( + title="Update Ticket", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Synchronizes status, priority, or field changes from SecOps to the external" + " ticketing system." + ), + ), + ] + add_ioc_to_blocklist: Annotated[ + bool, + Field( + title="Add IOC To Blocklist", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Updates security controls (Firewall, EDR, Proxy) to prevent any future" + " interaction with the IOC." + ), + ), + ] + remove_ioc_from_blocklist: Annotated[ + bool, + Field( + title="Remove IOC From Blocklist", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Restores connectivity or execution rights for an indicator by removing it from" + " restricted lists." + ), + ), + ] + add_ioc_to_allowlist: Annotated[ + bool, + Field( + title="Add IOC To Allowlist", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + ' Marks an indicator as "known good" to prevent future security alerts or false' + " positives." + ), + ), + ] + remove_ioc_from_allowlist: Annotated[ + bool, + Field( + title="Remove IOC From Allowlist", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Re-enables standard security monitoring and blocking for a previously trusted" + " indicator." + ), + ), + ] + disable_identity: Annotated[ + bool, + Field( + title="Disable Identity (User, Account)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Revokes active sessions and prevents a user or service account from" + " authenticating to the network." + ), + ), + ] + enable_identity: Annotated[ + bool, + Field( + title="Enable Identity (User, Account)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Restores authentication capabilities and system access for a previously disabled" + " account." + ), + ), + ] + contain_host: Annotated[ + bool, + Field( + title="Contain Host", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Isolates an endpoint from the network via EDR, allowing communication only with" + " the management console." + ), + ), + ] + uncontain_host: Annotated[ + bool, + Field( + title="Uncontain Host", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Removes network isolation and restores the endpoint's full communication" + " capabilities." + ), + ), + ] + reset_identity_password: Annotated[ + bool, + Field( + title="Reset Identity Password (User, Account)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Invalidates the current credentials and triggers a password change or temporary" + " password generation." + ), + ), + ] + update_identity: Annotated[ + bool, + Field( + title="Update Identity (User, Account)", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Modifies account metadata, such as group memberships, permissions, or contact" + " information." + ), + ), + ] + search_events: Annotated[ + bool, + Field( + title="Search Events", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Returns a collection of historical logs or telemetry data matching specific" + " search parameters." + ), + ), + ] + execute_command_on_the_host: Annotated[ + bool, + Field( + title="Execute Command on the Host", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Runs a script or system command on a remote endpoint and returns the standard" + " output (STDOUT)." + ), + ), + ] + download_file: Annotated[ + bool, + Field( + title="Download File", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Retrieves a specific file from a remote host for local forensic analysis" + " or sandboxing." + ), + ), + ] + send_email: Annotated[ + bool, + Field( + title="Send Email", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Dispatches an outbound email notification or response to specified recipients." + ), + ), + ] + search_email: Annotated[ + bool, + Field( + title="Search Email", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Identifies and lists emails across the mail server based on criteria like sender," + " subject, or attachment." + ), + ), + ] + delete_email: Annotated[ + bool, + Field( + title="Delete Email", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Removes a specific email or thread from one or more user mailboxes" + " (Purge/Withdraw)." + ), + ), + ] + update_email: Annotated[ + bool, + Field( + title="Update Email", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Modifies the state of an email, such as moving it to quarantine, marking as read," + " or applying labels." + ), + ), + ] + submit_file: Annotated[ + bool, + Field( + title="Submit File", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Uploads a file or sample to a sandbox or analysis engine" + " (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score." + ), + ), + ] + send_message: Annotated[ + bool, + Field( + title="Send Message", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Sends a message to a communication app (e.g., Google Chat, Microsoft Teams)" + ), + ), + ] + search_asset: Annotated[ + bool, + Field( + title="Search Asset", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Searches for the asset associated with the alert within the product" + ), + ), + ] + get_alert_information: Annotated[ + bool, + Field( + title="Get Alert Information", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome: Fetches information about the alert from the 3rd party product" + ), + ), + ] + + +class ActionProductCategory(enum.StrEnum): + ENRICH_IOC = "Enrich IOC (Indicator of Compromise)" + ENRICH_ASSET = "Enrich Asset" + UPDATE_ALERT = "Update Alert" + ADD_ALERT_COMMENT = "Add Alert Comment" + CREATE_TICKET = "Create Ticket" + UPDATE_TICKET = "Update Ticket" + ADD_IOC_TO_BLOCKLIST = "Add IOC to Blocklist" + REMOVE_IOC_FROM_BLOCKLIST = "Remove IOC from Blocklist" + ADD_IOC_TO_ALLOWLIST = "Add IOC to Allowlist" + REMOVE_IOC_FROM_ALLOWLIST = "Remove IOC from Allowlist" + DISABLE_IDENTITY = "Disable Identity (User, Account)" + ENABLE_IDENTITY = "Enable Identity (User, Account)" + CONTAIN_HOST = "Contain Host" + UNCONTAIN_HOST = "Uncontain Host" + RESET_IDENTITY_PASSWORD = "Reset Identity Password (User, Account)" # noqa: S105 + UPDATE_IDENTITY = "Update Identity (User, Account)" + SEARCH_EVENTS = "Search Events" + EXECUTE_COMMAND_ON_THE_HOST = "Execute Command on the Host" + DOWNLOAD_FILE = "Download File" + SEND_EMAIL = "Send Email" + SEARCH_EMAIL = "Search Email" + DELETE_EMAIL = "Delete Email" + UPDATE_EMAIL = "Update Email" + SUBMIT_FILE = "Submit File" + SEND_MESSAGE = "Send Message" + SEARCH_ASSET = "Search Asset" + GET_ALERT_INFORMATION = "Get Alert Information" + + +PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, ActionProductCategory] = { + "enrich_ioc": ActionProductCategory.ENRICH_IOC, + "enrich_asset": ActionProductCategory.ENRICH_ASSET, + "update_alert": ActionProductCategory.UPDATE_ALERT, + "add_alert_comment": ActionProductCategory.ADD_ALERT_COMMENT, + "create_ticket": ActionProductCategory.CREATE_TICKET, + "update_ticket": ActionProductCategory.UPDATE_TICKET, + "add_ioc_to_blocklist": ActionProductCategory.ADD_IOC_TO_BLOCKLIST, + "remove_ioc_from_blocklist": ActionProductCategory.REMOVE_IOC_FROM_BLOCKLIST, + "add_ioc_to_allowlist": ActionProductCategory.ADD_IOC_TO_ALLOWLIST, + "remove_ioc_from_allowlist": ActionProductCategory.REMOVE_IOC_FROM_ALLOWLIST, + "disable_identity": ActionProductCategory.DISABLE_IDENTITY, + "enable_identity": ActionProductCategory.ENABLE_IDENTITY, + "contain_host": ActionProductCategory.CONTAIN_HOST, + "uncontain_host": ActionProductCategory.UNCONTAIN_HOST, + "reset_identity_password": ActionProductCategory.RESET_IDENTITY_PASSWORD, + "update_identity": ActionProductCategory.UPDATE_IDENTITY, + "search_events": ActionProductCategory.SEARCH_EVENTS, + "execute_command_on_the_host": ActionProductCategory.EXECUTE_COMMAND_ON_THE_HOST, + "download_file": ActionProductCategory.DOWNLOAD_FILE, + "send_email": ActionProductCategory.SEND_EMAIL, + "search_email": ActionProductCategory.SEARCH_EMAIL, + "delete_email": ActionProductCategory.DELETE_EMAIL, + "update_email": ActionProductCategory.UPDATE_EMAIL, + "submit_file": ActionProductCategory.SUBMIT_FILE, + "send_message": ActionProductCategory.SEND_MESSAGE, + "search_asset": ActionProductCategory.SEARCH_ASSET, + "get_alert_information": ActionProductCategory.GET_ALERT_INFORMATION, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 6a15215c9..f4a10dcc6 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -18,7 +18,6 @@ from typing import Annotated, Any, NamedTuple, NotRequired, Self, TypedDict, cast import pydantic -import yaml from PIL.GifImagePlugin import TYPE_CHECKING import mp.core.constants @@ -26,8 +25,13 @@ import mp.core.utils import mp.core.validators from mp.core import exclusions -from mp.core.data_models.abc import ComponentMetadata, RepresentableEnum +from mp.core.data_models.abc import ComponentMetadata +from mp.core.data_models.integrations.action.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + ActionProductCategory, +) +from .ai.ai_categories import AI_CATEGORY_TO_DEF_AI_CATEGORY, ActionAiCategory from .ai.entity_types import EntityType from .ai.metadata import ActionAiMetadata from .dynamic_results_metadata import ( @@ -44,18 +48,16 @@ if TYPE_CHECKING: from mp.core.custom_types import JsonString + DEFAULT_SCRIPT_RESULT_NAME: str = "is_success" DEFAULT_SIMULATION_DATA: str = '{"Entities": []}' class AiFields(NamedTuple): description: str | None - categories: list[ActionAiCategories] + ai_categories: list[ActionAiCategory] entity_types: list[EntityType] - - -class ActionAiCategories(RepresentableEnum): - ENRICHMENT = "Enrichment" + action_product_categories: list[ActionProductCategory] class BuiltActionMetadata(TypedDict): @@ -73,9 +75,10 @@ class BuiltActionMetadata(TypedDict): SimulationDataJson: NotRequired[str] DefaultResultValue: NotRequired[str | None] Version: float - AIDescription: str | None + AIDescription: NotRequired[str | None] AICategories: NotRequired[list[str] | None] EntityTypes: NotRequired[list[str] | None] + ActionProductCategories: NotRequired[list[str] | None] class NonBuiltActionMetadata(TypedDict): @@ -96,6 +99,7 @@ class NonBuiltActionMetadata(TypedDict): ai_description: NotRequired[str | None] ai_categories: NotRequired[list[str]] entity_types: NotRequired[list[str]] + action_product_categories: NotRequired[list[str]] class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetadata]): @@ -138,8 +142,9 @@ class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetada pydantic.Field(ge=mp.core.constants.MINIMUM_SCRIPT_VERSION), ] ai_description: str | None - ai_categories: list[ActionAiCategories] + ai_categories: list[ActionAiCategory] entity_types: list[EntityType] + action_product_categories: list[ActionProductCategory] @classmethod def from_built_path(cls, path: Path) -> list[Self]: @@ -188,9 +193,7 @@ def from_non_built_path(cls, path: Path) -> list[Self]: action_metadata_json["dynamic_results_metadata"] = drms_with_json_contents ai_fields: AiFields = _get_ai_fields(action_metadata_json["name"], path) - action_metadata_json["ai_description"] = ai_fields.description - action_metadata_json["ai_categories"] = [c.value for c in ai_fields.categories] - action_metadata_json["entity_types"] = [t.value for t in ai_fields.entity_types] + _update_non_built_with_ai_fields(action_metadata_json, ai_fields) metadata_object: Self = cls.from_non_built(p.stem, action_metadata_json) metadata_objects.append(metadata_object) @@ -232,8 +235,11 @@ def _from_built(cls, file_name: str, built: BuiltActionMetadata) -> Self: default_result_value=built.get("DefaultResultValue"), version=version, ai_description=built.get("AIDescription"), - ai_categories=[ActionAiCategories(c) for c in built.get("AICategories") or []], - entity_types=[EntityType(e) for e in built.get("EntityTypes") or []], + ai_categories=[ActionAiCategory(c) for c in (built.get("AICategories") or [])], + entity_types=[EntityType(e) for e in (built.get("EntityTypes") or [])], + action_product_categories=[ + ActionProductCategory(c) for c in (built.get("ActionProductCategories") or []) + ], ) @classmethod @@ -271,8 +277,11 @@ def _from_non_built(cls, file_name: str, non_built: NonBuiltActionMetadata) -> A default_result_value=non_built.get("default_result_value"), version=non_built.get("version", mp.core.constants.MINIMUM_SCRIPT_VERSION), ai_description=non_built.get("ai_description"), - ai_categories=[ActionAiCategories(c) for c in non_built.get("ai_categories") or []], - entity_types=[EntityType(e) for e in non_built.get("entity_types") or []], + ai_categories=[ActionAiCategory(c) for c in (non_built.get("ai_categories") or [])], + entity_types=[EntityType(e) for e in (non_built.get("entity_types") or [])], + action_product_categories=[ + ActionProductCategory(c) for c in (non_built.get("action_product_categories") or []) + ], ) def to_built(self) -> BuiltActionMetadata: @@ -300,6 +309,7 @@ def to_built(self) -> BuiltActionMetadata: AIDescription=self.ai_description, AICategories=[c.value for c in self.ai_categories] or None, EntityTypes=[e.value for e in self.entity_types] or None, + ActionProductCategories=[c.value for c in self.action_product_categories] or None, ) mp.core.utils.remove_none_entries_from_mapping(built) return built @@ -375,34 +385,60 @@ def _load_json_examples( return loaded_drms -AI_CATEGORY_TO_DEF_AI_CATEGORY: dict[str, ActionAiCategories] = { - "enrichment": ActionAiCategories.ENRICHMENT, -} - - def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: - empty_results: AiFields = AiFields(description=None, categories=[], entity_types=[]) + empty_results: AiFields = AiFields( + description=None, ai_categories=[], entity_types=[], action_product_categories=[] + ) + if not integration_path.exists(): + return empty_results + actions_desc: Path = ( integration_path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR / mp.core.constants.ACTIONS_AI_DESCRIPTION_FILE ) + if not actions_desc.exists(): return empty_results - content: dict[str, Any] = yaml.safe_load(actions_desc.read_text(encoding="utf-8")) + content: dict[str, Any] = mp.core.file_utils.load_yaml_file(actions_desc) action_content: dict[str, Any] | None = content.get(action_name) + if action_content is None: + action_content = content.get(mp.core.utils.str_to_snake_case(action_name)) + if action_content is None: return empty_results ai_meta: ActionAiMetadata = ActionAiMetadata.model_validate(action_content) return AiFields( description=ai_meta.ai_description, - categories=[ - AI_CATEGORY_TO_DEF_AI_CATEGORY[category] - for category, is_true in ai_meta.categories.model_dump().items() - if is_true - ], - entity_types=ai_meta.entity_usage.entity_types, + ai_categories=( + [ + AI_CATEGORY_TO_DEF_AI_CATEGORY[category] + for category, val in ai_meta.categories.model_dump().items() + if category != "reasoning" and val is True + ] + if ai_meta.categories + else [] + ), + entity_types=ai_meta.entity_usage.entity_types if ai_meta.entity_usage else [], + action_product_categories=( + [ + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + for category, val in ai_meta.action_product_categories.model_dump().items() + if category != "reasoning" and val is True + ] + if ai_meta.action_product_categories + else [] + ), ) + + +def _update_non_built_with_ai_fields( + non_built: NonBuiltActionMetadata, ai_fields: AiFields +) -> None: + non_built["ai_description"] = ai_fields.description + non_built["ai_categories"] = [c.value for c in ai_fields.ai_categories] + non_built["entity_types"] = [t.value for t in ai_fields.entity_types] + non_built["action_product_categories"] = [c.value for c in ai_fields.action_product_categories] diff --git a/packages/mp/src/mp/describe/action/utils/__init__.py b/packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py similarity index 100% rename from packages/mp/src/mp/describe/action/utils/__init__.py rename to packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py diff --git a/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py new file mode 100644 index 000000000..85945ac36 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py @@ -0,0 +1,39 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + + +class ConnectorAiMetadata(BaseModel): + ai_description: Annotated[ + str, + Field( + description=( + "Detailed description that will be used by LLMs to understand what the connector" + " does. This should be a concise yet informative summary of the connector's" + " purpose, what kind of data it pulls, and the expected outcome." + " Use markdown formatting for clarity, as this is a description for LLMs." + " Please add a description of the data ingestion flow in numbered or bulleted" + " points. In addition, create a table that describes the configuration" + " parameters. How to use them, what is the expected type of value," + " whether the parameter is mandatory or not, and describe what each of them" + " does. Overall the description should be divided into 3-4 sections," + " General description, Parameters description, and Flow description." + ), + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration.py b/packages/mp/src/mp/core/data_models/integrations/integration.py index df632cea6..2ee6a88b7 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration.py @@ -17,7 +17,9 @@ import dataclasses import itertools import tomllib -from typing import TYPE_CHECKING, Self, TypedDict +from typing import TYPE_CHECKING, Any, Self, TypedDict, cast + +import yaml import mp.core.constants import mp.core.file_utils @@ -63,6 +65,7 @@ class BuiltIntegration(TypedDict): connectors: Mapping[ConnectorName, BuiltConnectorMetadata] jobs: Mapping[JobName, BuiltJobMetadata] widgets: Mapping[WidgetName, BuiltActionWidgetMetadata] + ai_metadata: Mapping[str, Any] class NonBuiltIntegration(TypedDict): @@ -75,6 +78,7 @@ class NonBuiltIntegration(TypedDict): connectors: Mapping[ConnectorName, NonBuiltConnectorMetadata] jobs: Mapping[JobName, NonBuiltJobMetadata] widgets: Mapping[WidgetName, NonBuiltActionWidgetMetadata] + ai_metadata: Mapping[str, Any] class FullDetailsReleaseNoteJson(TypedDict): @@ -117,6 +121,7 @@ class Integration: connectors_metadata: Mapping[ConnectorName, ConnectorMetadata] jobs_metadata: Mapping[JobName, JobMetadata] widgets_metadata: Mapping[WidgetName, ActionWidgetMetadata] + ai_metadata: Mapping[str, Any] @classmethod def from_built_path(cls, path: Path) -> Self: @@ -155,6 +160,7 @@ def from_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_built_path(path) }, + ai_metadata=_get_ai_metadata(path), ) except ValueError as e: msg: str = f"Failed to load integration {path.name}" @@ -176,7 +182,9 @@ def from_non_built_path(cls, path: Path) -> Self: """ project_file_path: Path = path / mp.core.constants.PROJECT_FILE file_content: str = project_file_path.read_text(encoding="utf-8") - pyproject_toml: PyProjectTomlFile = tomllib.loads(file_content) # ty: ignore[invalid-assignment] + pyproject_toml: PyProjectTomlFile = cast( + "PyProjectTomlFile", cast("object", tomllib.loads(file_content)) + ) try: integration_meta: IntegrationMetadata = IntegrationMetadata.from_non_built_path(path) _update_integration_meta_form_pyproject( @@ -204,6 +212,7 @@ def from_non_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_non_built_path(path) }, + ai_metadata=_get_ai_metadata(path), ) except (KeyError, ValueError, tomllib.TOMLDecodeError) as e: @@ -229,6 +238,7 @@ def to_built(self) -> BuiltIntegration: }, jobs={name: metadata.to_built() for name, metadata in self.jobs_metadata.items()}, widgets={name: metadata.to_built() for name, metadata in self.widgets_metadata.items()}, + ai_metadata=self.ai_metadata, ) def to_non_built(self) -> NonBuiltIntegration: @@ -254,6 +264,7 @@ def to_non_built(self) -> NonBuiltIntegration: widgets={ name: metadata.to_non_built() for name, metadata in self.widgets_metadata.items() }, + ai_metadata=self.ai_metadata, ) def to_built_full_details(self) -> BuiltFullDetails: @@ -325,3 +336,13 @@ def _update_integration_meta_form_pyproject( integration_meta.python_version = pyproject_toml.project.requires_python integration_meta.description = pyproject_toml.project.description integration_meta.version = pyproject_toml.project.version + + +def _get_ai_metadata(path: Path) -> dict[str, Any]: + ai_metadata: dict[str, Any] = {} + ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + if (ai_path := ai_dir / ai_file).exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + + return ai_metadata diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py new file mode 100644 index 000000000..0a2669d7a --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py new file mode 100644 index 000000000..a9618f656 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py @@ -0,0 +1,34 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + +from .product_categories import IntegrationProductCategories # noqa: TC001 + + +class IntegrationAiMetadata(BaseModel): + product_categories: Annotated[ + IntegrationProductCategories, + Field( + description=( + "Categories that describe the integration's capabilities as a security product." + " It shows the category and explains when to use it and the expected outcome" + " of the usage." + ) + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py new file mode 100644 index 000000000..3fbf7c4e4 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py @@ -0,0 +1,213 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import enum +from typing import Annotated + +from pydantic import BaseModel, Field + + +class IntegrationProductCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the integration against all available product " + "categories. Explicitly state why the integration matches or does not match the " + "criteria of relevant categories before setting their boolean flags." + ), + ), + ] + siem: Annotated[ + bool, + Field( + title="SIEM", + description=( + "When to Use:" + " Use when you need to find the activity related to Assets," + " Users or see if an IOC has been seen globally across your logs in the last 90" + " days." + " Expected Outcome:" + " Returns a timeline of activity, lists all internal assets that touched an IOC," + " and identifies source of the suspicious activity" + ), + ), + ] + edr: Annotated[ + bool, + Field( + title="EDR", + description=( + "When to Use:" + " Use when the investigation involves a specific host (workstation/server) and you" + " need to see deep process-level activity." + " Expected Outcome:" + " Returns the process tree (Parent/Child), retrieves suspicious files for analysis," + " or contains the host by isolating it from the network." + ), + ), + ] + network_security: Annotated[ + bool, + Field( + title="Network Security", + description=( + "When to Use:" + " Use when an internal asset is communicating with a known malicious external IP or" + " to verify if a web-based attack was blocked." + " Expected Outcome:" + " Returns firewall/WAF permit/deny logs and allows the agent to block malicious" + " IPs/URLs at the gateway." + ), + ), + ] + threat_intelligence: Annotated[ + bool, + Field( + title="Threat Intelligence", + description=( + "When to Use:" + " Use as the first step of enrichment for any external indicator (IP, Hash, URL) to" + " determine its reputation." + " Expected Outcome:" + " Returns risk scores, malware family names, and historical 'last seen' data to" + " confirm if an alert is a True Positive." + ), + ), + ] + email_security: Annotated[ + bool, + Field( + title="Email Security", + description=( + "When to Use:" + " Use when the alert involves a phishing report, a suspicious attachment, or a link" + " delivered via email." + " Expected Outcome:" + " Returns a list of all affected users who received the same email and allows the" + " agent to manage emails in all inboxes." + ), + ), + ] + iam_and_identity_management: Annotated[ + bool, + Field( + title="IAM & Identity Management", + description=( + "When to Use:" + ' Use when a user account is showing suspicious behavior ("Impossible Travel,"' + " credential stuffing, or unauthorized privilege escalation) and you want to manage" + " identity." + " Expected Outcome:" + " Returns user or identity group/privilege levels and allows the agent to suspend" + " accounts, force password resets, reset service accounts." + ), + ), + ] + cloud_security: Annotated[ + bool, + Field( + title="Cloud Security", + description=( + "When to Use: Use for alerts involving cloud-native resources GCP/AWS/Azure." + " Expected Outcome:" + " Returns resource configuration states, findings and identifies rogue cloud" + " instances or API keys." + ), + ), + ] + itsm: Annotated[ + bool, + Field( + title="ITSM", + description=( + "When to Use: Use to document the investigation, assign tasks to other teams." + " Expected Outcome:" + " Creates/updates tickets, assigns tasks to specific departments." + ), + ), + ] + vulnerability_management: Annotated[ + bool, + Field( + title="Vulnerability Management", + description=( + "When to Use:" + " Use to verify if a targeted asset is actually susceptible to the exploit seen in" + " the alert." + " Expected Outcome:" + " Returns CVE information and a list of missing patches on the target host to" + " determine if the attack had a high probability of success." + ), + ), + ] + asset_inventory: Annotated[ + bool, + Field( + title="Asset Inventory", + description=( + "When to Use:" + " Use when you want to get more information about an internal asset." + " Expected Outcome:" + " Returns the asset owner, department, business criticality, and whether the device" + " is managed by IT." + ), + ), + ] + collaboration: Annotated[ + bool, + Field( + title="Collaboration", + description=( + "When to Use: " + 'Use when an automated action requires a "Human-in-the-Loop" approval or when the' + " SOC needs to be notified of a critical find." + " Expected Outcome:" + " Sends interactive alerts to Slack/Teams for manual approval and notifies" + " stakeholders of critical findings." + ), + ), + ] + + +class IntegrationProductCategory(enum.StrEnum): + SIEM = "SIEM" + EDR = "EDR" + NETWORK_SECURITY = "Network Security" + THREAT_INTELLIGENCE = "Threat Intelligence" + EMAIL_SECURITY = "Email Security" + IAM_AND_IDENTITY_MANAGEMENT = "IAM & Identity Management" + CLOUD_SECURITY = "Cloud Security" + ITSM = "ITSM" + VULNERABILITY_MANAGEMENT = "Vulnerability Management" + ASSET_INVENTORY = "Asset Inventory" + COLLABORATION = "Collaboration" + + +PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, IntegrationProductCategory] = { + "siem": IntegrationProductCategory.SIEM, + "edr": IntegrationProductCategory.EDR, + "network_security": IntegrationProductCategory.NETWORK_SECURITY, + "threat_intelligence": IntegrationProductCategory.THREAT_INTELLIGENCE, + "email_security": IntegrationProductCategory.EMAIL_SECURITY, + "iam_and_identity_management": IntegrationProductCategory.IAM_AND_IDENTITY_MANAGEMENT, + "cloud_security": IntegrationProductCategory.CLOUD_SECURITY, + "itsm": IntegrationProductCategory.ITSM, + "vulnerability_management": IntegrationProductCategory.VULNERABILITY_MANAGEMENT, + "asset_inventory": IntegrationProductCategory.ASSET_INVENTORY, + "collaboration": IntegrationProductCategory.COLLABORATION, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py index 9f549048c..c1afb8100 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py @@ -17,16 +17,20 @@ import base64 import json import pathlib -from typing import TYPE_CHECKING, Annotated, NotRequired, Self, TypedDict +from typing import TYPE_CHECKING, Annotated, Any, NamedTuple, NotRequired, Self, TypedDict, cast import pydantic -import yaml import mp.core.constants import mp.core.file_utils import mp.core.utils from mp.core import exclusions from mp.core.data_models.abc import RepresentableEnum, SingularComponentMetadata +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + IntegrationProductCategory, +) from .feature_tags import BuiltFeatureTags, FeatureTags, NonBuiltFeatureTags from .parameter import BuiltIntegrationParameter, IntegrationParameter, NonBuiltIntegrationParameter @@ -37,6 +41,10 @@ MINIMUM_SYSTEM_VERSION: float = 5.3 +class AiFields(NamedTuple): + product_categories: list[IntegrationProductCategory] + + class PythonVersion(RepresentableEnum): PY_3_11 = 3 @@ -108,6 +116,7 @@ class BuiltIntegrationMetadata(TypedDict): IsCustom: bool IsPowerUp: bool IsCertified: bool + ProductCategories: NotRequired[list[str] | None] GoogleSecOpsProduct: NotRequired[bool] @@ -127,6 +136,7 @@ class NonBuiltIntegrationMetadata(TypedDict): is_custom: NotRequired[bool] is_available_for_community: NotRequired[bool] is_powerup: NotRequired[bool] + product_categories: NotRequired[list[str] | None] google_secops_product: NotRequired[bool] @@ -173,6 +183,7 @@ class IntegrationMetadata( pydantic.PositiveFloat, pydantic.Field(ge=MINIMUM_SYSTEM_VERSION), ] = MINIMUM_SYSTEM_VERSION + product_categories: list[IntegrationProductCategory] google_secops_product: bool = False @classmethod @@ -210,24 +221,23 @@ def from_non_built_path(cls, path: Path) -> Self: path: the path to the integration's "non-built" version Returns: - An IntegrationMetadata object - - Raises: - ValueError: when the "non-built" is failed to be loaded + An IntegrationMetadata object\ """ metadata_path: Path = path / mp.core.constants.DEFINITION_FILE - built: str = metadata_path.read_text(encoding="utf-8") - try: - metadata_content: NonBuiltIntegrationMetadata = yaml.safe_load(built) - _read_image_files(metadata_content, path) - metadata: Self = cls.from_non_built(metadata_path.name, metadata_content) - metadata.is_certified = mp.core.file_utils.is_certified_integration(path) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built}" - raise ValueError(mp.core.utils.trim_values(msg)) from e - else: - return metadata + metadata_content: NonBuiltIntegrationMetadata = cast( + "NonBuiltIntegrationMetadata", + cast("object", mp.core.file_utils.load_yaml_file(metadata_path)), + ) + _read_image_files(metadata_content, path) + + ai_fields: AiFields = _get_ai_fields(path) + _update_non_built_with_ai_fields(metadata_content, ai_fields) + + metadata: Self = cls.from_non_built(metadata_path.name, metadata_content) + metadata.is_certified = mp.core.file_utils.is_certified_integration(path) + + return metadata @classmethod def _from_built(cls, _: str, built: BuiltIntegrationMetadata) -> Self: # ty:ignore[invalid-method-override] @@ -260,6 +270,10 @@ def _from_built(cls, _: str, built: BuiltIntegrationMetadata) -> Self: # ty:ign is_custom=built.get("IsCustom", False), is_available_for_community=built.get("IsAvailableForCommunity", True), is_powerup=built.get("IsPowerUp", False), + product_categories=[ + IntegrationProductCategory(category) + for category in (built.get("ProductCategories") or []) + ], google_secops_product=built.get("GoogleSecOpsProduct", False), ) @@ -290,6 +304,9 @@ def _from_non_built(cls, _: str, non_built: NonBuiltIntegrationMetadata) -> Self True, ), is_powerup=non_built.get("is_powerup", False), + product_categories=[ + IntegrationProductCategory(c) for c in (non_built.get("product_categories") or []) + ], google_secops_product=non_built.get("google_secops_product", False), ) @@ -327,6 +344,7 @@ def to_built(self) -> BuiltIntegrationMetadata: IsCustom=self.is_custom, IsPowerUp=self.is_powerup, IsCertified=self.is_certified, + ProductCategories=[c.value for c in self.product_categories], GoogleSecOpsProduct=self.google_secops_product, ) mp.core.utils.remove_none_entries_from_mapping(built) @@ -356,6 +374,7 @@ def to_non_built(self) -> NonBuiltIntegrationMetadata: categories=self.categories, svg_logo_path=svg_path.as_posix() if self.svg_logo is not None else None, image_path=image.as_posix() if self.image_base64 is not None else None, + product_categories=[c.value for c in self.product_categories] or None, ) if self.feature_tags is not None: @@ -370,6 +389,8 @@ def to_non_built(self) -> NonBuiltIntegrationMetadata: if self.is_powerup is True: non_built["is_powerup"] = self.is_powerup + del non_built["product_categories"] + if self.google_secops_product is True: non_built["google_secops_product"] = self.google_secops_product @@ -392,3 +413,37 @@ def _read_image_files(metadata_content: NonBuiltIntegrationMetadata, path: Path) if svg_path_str := metadata_content.get("svg_logo_path"): full_path = path / svg_path_str metadata_content["svg_logo_path"] = mp.core.file_utils.svg_path_to_text(full_path) + + +def _get_ai_fields(integration_path: Path) -> AiFields: + empty_results: AiFields = AiFields(product_categories=[]) + if not integration_path.exists(): + return empty_results + + integration_desc: Path = ( + integration_path + / mp.core.constants.RESOURCES_DIR + / mp.core.constants.AI_DIR + / mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ) + if not integration_desc.exists(): + return empty_results + + integration_content: dict[str, Any] = mp.core.file_utils.load_yaml_file(integration_desc) + if integration_content is None: + return empty_results + + ai_meta: IntegrationAiMetadata = IntegrationAiMetadata.model_validate(integration_content) + return AiFields( + product_categories=[ + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + for category, val in ai_meta.product_categories.model_dump().items() + if category != "reasoning" and val is True + ], + ) + + +def _update_non_built_with_ai_fields( + non_built: NonBuiltIntegrationMetadata, ai_fields: AiFields +) -> None: + non_built["product_categories"] = [c.value for c in ai_fields.product_categories] diff --git a/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py b/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py new file mode 100644 index 000000000..b2cbb0f6c --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py @@ -0,0 +1,39 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + + +class JobAiMetadata(BaseModel): + ai_description: Annotated[ + str, + Field( + description=( + "Detailed description that will be used by LLMs to understand what the job" + " does. This should be a concise yet informative summary of the job's" + " purpose, and the expected outcome." + " Use markdown formatting for clarity, as this is a description for LLMs." + " Please add a description of the flow of the job in numbered or bulleted" + " points. In addition, create a table that describes the configuration" + " parameters. How to use them, what is the expected type of value," + " whether the parameter is mandatory or not, and describe what each of them" + " does. Overall the description should be divided into 3-4 sections," + " General description, Parameters description, and Flow description." + ), + ), + ] diff --git a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py index 1228ea1bb..804c75561 100644 --- a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py +++ b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py @@ -20,8 +20,10 @@ from __future__ import annotations import base64 +import contextlib import dataclasses import json +import pathlib from typing import TYPE_CHECKING, Any import yaml @@ -74,6 +76,7 @@ def get_integration_base_folders_paths(integrations_classification: str) -> list third_party = base_path / constants.THIRD_PARTY_REPO_NAME return mp.core.file_utils.common.create_dirs_if_not_exists( + third_party, base_path / constants.POWERUPS_DIR_NAME, third_party / constants.COMMUNITY_DIR_NAME, third_party / constants.PARTNER_DIR_NAME, @@ -132,6 +135,55 @@ def create_or_get_out_integrations_dir() -> Path: ) +def get_marketplace_integration_base_paths() -> list[Path]: + """Get all integration base paths across all relevant repository types. + + Returns: + list[Path]: All integration base directories. + + """ + base_paths: list[Path] = [] + for repo_type_name in [ + constants.COMMERCIAL_REPO_NAME, + constants.THIRD_PARTY_REPO_NAME, + constants.CUSTOM_REPO_NAME, + ]: + base_paths.extend(get_integration_base_folders_paths(repo_type_name)) + + return base_paths + + +def get_marketplace_integration_path(name: str) -> Path | None: + """Find the path to an integration in the marketplace. + + Args: + name: The name or path of the integration. + + Returns: + Path | None: The path to the integration if found, None otherwise. + + """ + p = pathlib.Path(name) + if p.exists() and is_integration(p): + return p + + for base_path in get_marketplace_integration_base_paths(): + if (p := base_path / name).exists() and is_integration(p): + return p + + return None + + +def get_all_marketplace_integrations_paths() -> list[Path]: + """Get all integration paths from the marketplace. + + Returns: + list[Path]: All integration paths found in the marketplace. + + """ + return sorted(get_integrations_from_paths(*get_marketplace_integration_base_paths())) + + def discover_core_modules(path: Path) -> list[ManagerName]: """Discover core/manager modules in an integration. @@ -177,8 +229,9 @@ def get_integrations_from_paths(*paths: Path) -> set[Path]: continue for dir_ in path.iterdir(): - if is_integration(dir_): - integrations.add(dir_) + with contextlib.suppress(Exception): + if is_integration(dir_): + integrations.add(dir_) return integrations @@ -207,8 +260,7 @@ def is_integration(path: Path) -> bool: validator.validate_integration_components_parity() pyproject_toml: Path = path / constants.PROJECT_FILE - def_: Path = path / constants.INTEGRATION_DEF_FILE.format(path.name) - return pyproject_toml.exists() or def_.exists() + return pyproject_toml.exists() or _has_def_file(path) def replace_file_content(file: Path, replace_fn: Callable[[str], str]) -> None: @@ -233,9 +285,7 @@ def is_built(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) - definition_file: Path = integration / constants.DEFINITION_FILE - return not pyproject.exists() and def_file.exists() and not definition_file.exists() + return not pyproject.exists() and _has_def_file(integration) def is_half_built(integration: Path) -> bool: @@ -246,8 +296,7 @@ def is_half_built(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) - return pyproject.exists() and def_file.exists() + return pyproject.exists() and _has_def_file(integration) def is_non_built_integration(integration: Path) -> bool: @@ -258,9 +307,18 @@ def is_non_built_integration(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) definition_file: Path = integration / constants.DEFINITION_FILE - return pyproject.exists() and definition_file.exists() and not def_file.exists() + return pyproject.exists() and definition_file.exists() and not _has_def_file(integration) + + +def _has_def_file(path: Path) -> bool: + """Check if the path contains an Integration-*.def file. + + Returns: + True if it has a def file, False otherwise. + + """ + return any(path.glob("Integration-*.def")) def write_yaml_to_file(content: Mapping[str, Any] | Sequence[Any], path: Path) -> None: @@ -459,7 +517,7 @@ def write_str_to_json_file(json_path: Path, json_content: JsonString) -> None: json.dump(json_content, f_json, indent=4) -def load_yaml_file(path: Path) -> dict[str, Any]: +def load_yaml_file(path: Path) -> Any: # noqa: ANN401 """Read a file and loads its content as YAML. Returns: @@ -470,7 +528,7 @@ def load_yaml_file(path: Path) -> dict[str, Any]: """ try: - content = path.read_text(encoding="utf-8") + content: str = path.read_text(encoding="utf-8") return yaml.safe_load(content) except yaml.YAMLError as e: msg = f"Failed to load or parse YAML from file: {path}" @@ -478,3 +536,24 @@ def load_yaml_file(path: Path) -> dict[str, Any]: except FileNotFoundError as e: msg = f"File {path} does not exist" raise ValueError(msg) from e + + +def load_json_file(path: Path) -> Any: # noqa: ANN401 + """Read a file and loads its content as JSON. + + Returns: + The decoded JSON content of the JSON file if it exists. + + Raises: + ValueError: If the file doesn't exist or is an invalid JSON. + + """ + try: + content: str = path.read_text(encoding="utf-8") + return json.loads(content) + except json.JSONDecodeError as e: + msg = f"Failed to load or parse JSON from file: {path}" + raise ValueError(msg) from e + except FileNotFoundError as e: + msg = f"File {path} does not exist" + raise ValueError(msg) from e diff --git a/packages/mp/src/mp/core/llm/gemini.py b/packages/mp/src/mp/core/llm/gemini.py index e41eb5e7e..7f1ba2ebf 100644 --- a/packages/mp/src/mp/core/llm/gemini.py +++ b/packages/mp/src/mp/core/llm/gemini.py @@ -73,7 +73,7 @@ class ApiKeyNotFoundError(Exception): class GeminiConfig(LlmConfig): - model_name: str = "gemini-3-pro-preview" + model_name: str = "gemini-3.1-pro-preview" temperature: float = 0.0 sexually_explicit: str = "OFF" dangerous_content: str = "OFF" @@ -95,13 +95,13 @@ def api_key(self) -> str: ApiKeyNotFoundError: If the API key is not found. """ + if mp_api_key := mp.core.config.get_gemini_api_key(): + return mp_api_key + gemini_api_key: str | None = os.environ.get("GEMINI_API_KEY") if gemini_api_key: return gemini_api_key - if mp_api_key := mp.core.config.get_gemini_api_key(): - return mp_api_key - msg: str = ( "Could not find a saved Gemini API key in the configuration. " "Please configure it using 'mp config --gemini-api-key ' or" diff --git a/packages/mp/src/mp/core/unix.py b/packages/mp/src/mp/core/unix.py index 41c962610..166939b91 100644 --- a/packages/mp/src/mp/core/unix.py +++ b/packages/mp/src/mp/core/unix.py @@ -72,6 +72,8 @@ def compile_core_integration_dependencies(project_path: Path, requirements_path: "--no-dev", "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() command.extend(runtime_config) @@ -175,6 +177,8 @@ def download_wheels_from_requirements( "cp", "--platform", "none-any", + "--index-url", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() command.extend(runtime_config) @@ -218,6 +222,8 @@ def add_dependencies_to_toml( "add", "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() base_command.extend(runtime_config) @@ -238,10 +244,6 @@ def _add_regular_dependencies_to_toml( return deps_command: list[str] = base_command.copy() deps_command.extend(deps_to_add) - deps_command.extend([ - "--default-index", - "https://pypi.org/simple", - ]) try: sp.run(deps_command, cwd=project_path, check=True, text=True) # noqa: S603 @@ -545,6 +547,8 @@ def check_lock_file(project_path: Path) -> None: str(project_path), "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() diff --git a/packages/mp/src/mp/describe/__init__.py b/packages/mp/src/mp/describe/__init__.py index 513030846..76294486c 100644 --- a/packages/mp/src/mp/describe/__init__.py +++ b/packages/mp/src/mp/describe/__init__.py @@ -12,7 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. -from . import action +from . import action, connector, integration, job +from .all_content import describe_all_content from .typer_app import app -__all__: list[str] = ["action", "app"] +__all__: list[str] = [ + "action", + "app", + "connector", + "describe_all_content", + "integration", + "job", +] diff --git a/packages/mp/src/mp/describe/action/describe.py b/packages/mp/src/mp/describe/action/describe.py index d1ae46edc..3662a340e 100644 --- a/packages/mp/src/mp/describe/action/describe.py +++ b/packages/mp/src/mp/describe/action/describe.py @@ -14,29 +14,23 @@ from __future__ import annotations -import asyncio -import contextlib import json import logging -from typing import TYPE_CHECKING, Any, NamedTuple, TypeAlias +from typing import TYPE_CHECKING, Any, NamedTuple -import anyio import yaml -from rich.progress import TaskID, track from mp.core import constants from mp.core.data_models.integrations.action.ai.metadata import ActionAiMetadata -from mp.core.utils import folded_string_representer +from mp.describe.common.describe import DescribeBase, IntegrationStatus from .prompt_constructors.built import BuiltPromptConstructor from .prompt_constructors.source import SourcePromptConstructor -from .utils import llm, paths if TYPE_CHECKING: import pathlib - from collections.abc import AsyncIterator, Callable - from rich.progress import Progress + import anyio from mp.core.data_models.integrations.action.metadata import ( BuiltActionMetadata, @@ -44,23 +38,6 @@ ) logger: logging.Logger = logging.getLogger(__name__) -_PromptConstructor: TypeAlias = BuiltPromptConstructor | SourcePromptConstructor - - -class IntegrationStatus(NamedTuple): - is_built: bool - out_path: anyio.Path - - -class ActionDescriptionResult(NamedTuple): - action_name: str - metadata: ActionAiMetadata | None - - -class RichParams(NamedTuple): - on_action_done: Callable[[], None] | None = None - progress: Progress | None = None - task_id: TaskID | None = None class DescriptionParams(NamedTuple): @@ -71,65 +48,7 @@ class DescriptionParams(NamedTuple): status: IntegrationStatus -def _merge_results(metadata: dict[str, Any], results: list[ActionDescriptionResult]) -> None: - for result in results: - if result.metadata is not None: - metadata[result.action_name] = result.metadata.model_dump(mode="json") - - -def _create_notifier(rich_params: RichParams) -> Callable[[], None]: - """Create a notifier function to handle progress and callbacks. - - Args: - rich_params: Progress and callback parameters. - - Returns: - Callable[[], None]: A function that advances progress and calls the callback. - - """ - - def notify() -> None: - if rich_params.on_action_done: - rich_params.on_action_done() - if rich_params.progress and rich_params.task_id: - rich_params.progress.advance(rich_params.task_id) - - return notify - - -def _map_bulk_results_to_actions( - actions: list[str], - valid_indices: list[int], - results: list[ActionAiMetadata | str], -) -> list[ActionDescriptionResult]: - """Map Gemini results back to action names. - - Args: - actions: Original list of action names. - valid_indices: Indices of actions that had valid prompts. - results: Results from Gemini for those valid prompts. - - Returns: - list[ActionDescriptionResult]: Mapped results. - - """ - final_results: list[ActionDescriptionResult] = [ - ActionDescriptionResult(action_name=a, metadata=None) for a in actions - ] - for i, result in zip(valid_indices, results, strict=False): - action_name: str = actions[i] - - if isinstance(result, ActionAiMetadata) and action_name.casefold() == "Ping".casefold(): - result.categories.enrichment = False - - final_results[i] = ActionDescriptionResult( - action_name, result if isinstance(result, ActionAiMetadata) else None - ) - - return final_results - - -class DescribeAction: +class DescribeAction(DescribeBase[ActionAiMetadata]): def __init__( self, integration: str, @@ -139,272 +58,40 @@ def __init__( dst: pathlib.Path | None = None, override: bool = False, ) -> None: - self.integration_name: str = integration - self.src: pathlib.Path | None = src - self.integration: anyio.Path = paths.get_integration_path(integration, src=src) - self.actions: set[str] = actions - self.override: bool = override - self.dst: pathlib.Path | None = dst - + super().__init__(integration, actions, src=src, dst=dst, override=override) self._action_name_to_file_stem: dict[str, str] = {} - async def describe_actions( - self, - sem: asyncio.Semaphore | None = None, - on_action_done: Callable[[], None] | None = None, - progress: Progress | None = None, - ) -> None: - """Describe actions in a given integration. + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.ACTIONS_AI_DESCRIPTION_FILE - Args: - sem: Optional semaphore to limit concurrent Gemini requests. - on_action_done: An optional callback is called when an action is finished. - progress: An optional Progress object to use for progress reporting. + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "action" - """ - metadata, status = await asyncio.gather( - self._load_metadata(), self._get_integration_status() - ) - - actions_to_process: set[str] = await self._prepare_actions(status, metadata) - if not actions_to_process: - if not self.actions: - await self._save_metadata(metadata) - else: - logger.info( - "All actions in %s already have descriptions. Skipping.", self.integration_name - ) - return - - if len(actions_to_process) == 1: - logger.info( - "Describing action %s for %s", - next(iter(actions_to_process)), - self.integration_name, - ) - else: - logger.info( - "Describing %d actions for %s", - len(actions_to_process), - self.integration_name, - ) - - results: list[ActionDescriptionResult] = await self._execute_descriptions( - actions_to_process, status, sem, on_action_done, progress - ) + @property + def response_schema(self) -> type[ActionAiMetadata]: + """Get the response schema.""" + return ActionAiMetadata - _merge_results(metadata, results) - await self._save_metadata(metadata) + async def describe_actions(self, **kwargs: Any) -> None: # noqa: ANN401 + """Describe actions (compatibility method).""" + # Compatibility method + await self.describe(**kwargs) async def get_actions_count(self) -> int: - """Get the number of actions in the integration. + """Get actions' count (compatibility method). Returns: int: The number of actions. """ - status, metadata = await asyncio.gather( - self._get_integration_status(), self._load_metadata() - ) - actions: set[str] = await self._prepare_actions(status, metadata) - return len(actions) - - async def _prepare_actions( - self, status: IntegrationStatus, metadata: dict[str, Any] - ) -> set[str]: - if not self.actions: - self.actions = await self._get_all_actions(status) - - if not self.override: - actions_to_process = {action for action in self.actions if action not in metadata} - skipped_count: int = len(self.actions) - len(actions_to_process) - if skipped_count > 0: - if skipped_count == 1: - logger.info( - "Skipping 1 action that already has a description in %s", - self.integration_name, - ) - else: - logger.info( - "Skipping %d actions that already have a description in %s", - skipped_count, - self.integration_name, - ) - return actions_to_process + # Compatibility method + return await self.get_resources_count() - return self.actions - - async def _execute_descriptions( - self, - actions: set[str], - status: IntegrationStatus, - sem: asyncio.Semaphore | None = None, - on_action_done: Callable[[], None] | None = None, - progress: Progress | None = None, - ) -> list[ActionDescriptionResult]: - action_list = list(actions) - bulks = [ - action_list[i : i + llm.DESCRIBE_BULK_SIZE] - for i in range(0, len(action_list), llm.DESCRIBE_BULK_SIZE) - ] - - if len(actions) == 1: - description = f"Describing action {next(iter(actions))} for {self.integration_name}..." - else: - description = f"Describing actions for {self.integration_name}..." - - results: list[ActionDescriptionResult] = [] - - if progress: - task_id = progress.add_task(description, total=len(actions)) - rich_params = RichParams(on_action_done, progress, task_id) - tasks: list[asyncio.Task] = [ - asyncio.create_task(self._process_bulk_actions(bulk, status, sem, rich_params)) - for bulk in bulks - ] - for coro in asyncio.as_completed(tasks): - results.extend(await coro) - - progress.remove_task(task_id) - - else: - rich_params = RichParams(on_action_done) - tasks: list[asyncio.Task] = [ - asyncio.create_task(self._process_bulk_actions(bulk, status, sem, rich_params)) - for bulk in bulks - ] - results.extend([ - res - for bulk_res in track( - asyncio.as_completed(tasks), - description=description, - total=len(bulks), - ) - for res in await bulk_res - ]) - - return results - - async def _process_bulk_actions( - self, - actions: list[str], - status: IntegrationStatus, - sem: asyncio.Semaphore | None = None, - rich_params: RichParams | None = None, - ) -> list[ActionDescriptionResult]: - if rich_params is None: - rich_params = RichParams() - - notify_done: Callable[[], None] = _create_notifier(rich_params) - try: - async with _maybe_use_semaphore(sem): - return await self._describe_actions_bulk_with_error_handling( - actions, status, notify_done - ) - - except Exception: - logger.exception("Failed to process bulk of actions: %s", actions) - for _ in actions: - notify_done() - - return [ActionDescriptionResult(a, None) for a in actions] - - async def _describe_actions_bulk_with_error_handling( - self, - actions: list[str], - status: IntegrationStatus, - notify_done: Callable[[], None], - ) -> list[ActionDescriptionResult]: - try: - results: list[ActionDescriptionResult] = await self.describe_actions_bulk( - actions, status - ) - except Exception: - logger.exception("Failed to describe actions bulk %s", actions) - results: list[ActionDescriptionResult] = [ - ActionDescriptionResult(a, None) for a in actions - ] - - for _ in actions: - notify_done() - - return results - - async def describe_actions_bulk( - self, - actions: list[str], - status: IntegrationStatus, - ) -> list[ActionDescriptionResult]: - """Describe multiple actions of a given integration in bulk. - - Args: - actions: The names of the actions to describe. - status: The status of the integration. - - Returns: - list[ActionDescriptionResult]: The AI-generated metadata for the actions. - - """ - prompts: list[str] = await self._construct_prompts(actions, status) - - valid_indices: list[int] = [i for i, p in enumerate(prompts) if p] - valid_prompts: list[str] = [prompts[i] for i in valid_indices] - - if not valid_prompts: - return [ActionDescriptionResult(a, None) for a in actions] - - results: list[ActionAiMetadata | str] = await llm.call_gemini_bulk(valid_prompts) - return _map_bulk_results_to_actions(actions, valid_indices, results) - - async def _construct_prompts(self, actions: list[str], status: IntegrationStatus) -> list[str]: - """Construct prompts for a list of actions. - - Args: - actions: Names of actions. - status: Integration status. - - Returns: - list[str]: List of constructed prompts. - - """ - prompts: list[str] = [] - for action_name in actions: - if action_name not in self._action_name_to_file_stem: - # Fallback: assume the file stem is the action name (legacy support) - self._action_name_to_file_stem[action_name] = action_name - - params = DescriptionParams( - integration=self.integration, - integration_name=self.integration_name, - action_name=action_name, - action_file_name=self._action_name_to_file_stem[action_name], - status=status, - ) - constructor: _PromptConstructor = _create_prompt_constructor(params) - prompt: str = await constructor.construct() - if not prompt: - logger.warning("Could not construct prompt for action %s", action_name) - prompts.append("") - else: - prompts.append(prompt) - return prompts - - async def _get_integration_status(self) -> IntegrationStatus: - out_path: anyio.Path = paths.get_out_path(self.integration_name, src=self.src) - is_built: bool = await out_path.exists() - - # If it's not built in the out directory, check if the integration itself is built - if not is_built: - def_file: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( - self.integration_name - ) - if await def_file.exists(): - is_built = True - out_path = self.integration - - return IntegrationStatus(is_built=is_built, out_path=out_path) - - async def _get_all_actions(self, status: IntegrationStatus) -> set[str]: + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: actions: set[str] = set() if status.is_built: await self._get_all_built_actions(status.out_path, actions) @@ -438,48 +125,28 @@ async def _get_all_non_built_actions(self, actions: set[str]) -> None: except (yaml.YAMLError, KeyError): logger.warning("Failed to parse non-built action metadata %s", file.name) - async def _load_metadata(self) -> dict[str, Any]: - resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - metadata_file: anyio.Path = resource_ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE - metadata: dict[str, Any] = {} - - if await metadata_file.exists(): - content: str = await metadata_file.read_text() - with contextlib.suppress(yaml.YAMLError): - metadata = yaml.safe_load(content) or {} - - if self.dst: - dst_file: anyio.Path = anyio.Path(self.dst) / constants.ACTIONS_AI_DESCRIPTION_FILE - if await dst_file.exists(): - content: str = await dst_file.read_text() - with contextlib.suppress(yaml.YAMLError): - dst_metadata = yaml.safe_load(content) or {} - - metadata.update(dst_metadata) - - return metadata - - async def _save_metadata(self, metadata: dict[str, Any]) -> None: - if self.dst: - save_dir: anyio.Path = anyio.Path(self.dst) - else: - save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - - await save_dir.mkdir(parents=True, exist_ok=True) - metadata_file: anyio.Path = save_dir / constants.ACTIONS_AI_DESCRIPTION_FILE - yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) - await metadata_file.write_text(yaml.safe_dump(metadata)) + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for action_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + action_name, + self._action_name_to_file_stem.get(action_name, action_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts def _create_prompt_constructor( params: DescriptionParams, ) -> BuiltPromptConstructor | SourcePromptConstructor: - """Create the object. - - Returns: - PromptConstructor: The constructed object. - - """ if params.status.is_built: return BuiltPromptConstructor( params.integration, @@ -495,21 +162,3 @@ def _create_prompt_constructor( params.action_file_name, params.status.out_path, ) - - -@contextlib.asynccontextmanager -async def _maybe_use_semaphore(sem: asyncio.Semaphore | None) -> AsyncIterator[None]: - """Use a context manager that optionally uses semaphore. - - Args: - sem: The semaphore to use, or None. - - Yields: - None: When the semaphore is acquired or if no semaphore is provided. - - """ - if sem: - async with sem: - yield - else: - yield diff --git a/packages/mp/src/mp/describe/action/describe_all.py b/packages/mp/src/mp/describe/action/describe_all.py index 6a9bc25ff..900fb942e 100644 --- a/packages/mp/src/mp/describe/action/describe_all.py +++ b/packages/mp/src/mp/describe/action/describe_all.py @@ -14,202 +14,43 @@ from __future__ import annotations -import asyncio -import collections -import logging -from asyncio import Task -from typing import TYPE_CHECKING, NamedTuple +from pathlib import Path -from rich.progress import ( - BarColumn, - Progress, - SpinnerColumn, - TaskID, - TextColumn, - TimeRemainingColumn, +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, ) +from mp.describe.common.utils.paths import get_integration_path -import mp.core.config -from mp.core.custom_types import RepositoryType -from mp.core.file_utils import get_integration_base_folders_paths -from mp.describe.action.describe import DescribeAction - -if TYPE_CHECKING: - from pathlib import Path - - -logger: logging.Logger = logging.getLogger(__name__) -MAX_ACTIVE_INTEGRATIONS: int = 3 -MAX_ACTIVE_TASKS: int = 3 - - -class IntegrationTask(NamedTuple): - task: asyncio.Task[None] - integration_name: str - initial_action_count: int +from .describe import DescribeAction async def describe_all_actions( - src: Path | None = None, dst: Path | None = None, *, override: bool = False + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, ) -> None: - """Describe all actions in all integrations in the marketplace.""" - integrations_paths: list[Path] = _get_all_integrations_paths(src=src) + """Describe all actions in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() -class _MarketplaceOrchestrator: - def __init__( - self, - src: Path | None, - integrations_paths: list[Path], - *, - dst: Path | None = None, - override: bool = False, - ) -> None: - self.src: Path | None = src - self.dst: Path | None = dst - self.integrations_paths: list[Path] = integrations_paths - self.concurrency: int = mp.core.config.get_gemini_concurrency() - self.action_sem: asyncio.Semaphore = asyncio.Semaphore(self.concurrency) - self.max_active_integrations: int = max(MAX_ACTIVE_INTEGRATIONS, self.concurrency) - self.override: bool = override - - self.pending_paths: collections.deque[Path] = collections.deque(integrations_paths) - self.active_tasks: set[IntegrationTask] = set() - self.actions_in_flight: int = 0 - - def _on_action_done(self) -> None: - self.actions_in_flight -= 1 - - def _can_start_more(self) -> bool: - """Check if we have capacity and space in UI to start new integrations. - - Returns: - bool: True if we can start more integrations, False otherwise. - - """ - # We want to have at least 'concurrency' actions in flight (or queued), - # But we also want to limit the number of integrations to keep the UI clean. - return bool( - self.pending_paths - and ( - self.actions_in_flight < self.concurrency - or len(self.active_tasks) < MAX_ACTIVE_TASKS - ) - and len(self.active_tasks) < self.max_active_integrations - ) - - async def _start_next_integration(self, progress: Progress) -> None: - """Start describing the next integration in the queue.""" - path: Path = self.pending_paths.popleft() - da: DescribeAction = DescribeAction( - integration=path.name, +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeAction: + return DescribeAction( + integration=integration_name, actions=set(), src=self.src, dst=self.dst, override=self.override, ) - - # Pre-discover action count to decide if we should start more - count: int = await da.get_actions_count() - self.actions_in_flight += count - - task: Task[None] = asyncio.create_task( - da.describe_actions( - sem=self.action_sem, on_action_done=self._on_action_done, progress=progress - ) - ) - self.active_tasks.add( - IntegrationTask( - task=task, - integration_name=path.name, - initial_action_count=count, - ) - ) - - async def _wait_for_tasks(self) -> set[IntegrationTask]: - """Wait for at least one active task to complete and return done tasks. - - Returns: - set[IntegrationTask]: Set of completed tasks. - - """ - if not self.active_tasks: - return set() - - done_tasks, pending_tasks = await asyncio.wait( - {it.task for it in self.active_tasks}, return_when=asyncio.FIRST_COMPLETED - ) - - done_integration_tasks: set[IntegrationTask] = { - it for it in self.active_tasks if it.task in done_tasks - } - self.active_tasks: set[IntegrationTask] = { - it for it in self.active_tasks if it.task in pending_tasks - } - - return done_integration_tasks - - async def run(self) -> None: - """Run the orchestration loop.""" - with Progress( - SpinnerColumn(), - TextColumn("[progress.description]{task.description}"), - BarColumn(), - TextColumn("[progress.percentage]{task.percentage:>3.0f}%"), - TimeRemainingColumn(), - ) as progress: - main_task: TaskID = progress.add_task( - description="Describing integrations...", - total=len(self.integrations_paths), - ) - - while self.pending_paths or self.active_tasks: - while self._can_start_more(): - await self._start_next_integration(progress) - - if not self.active_tasks: - break - - done_integration_tasks: set[IntegrationTask] = await self._wait_for_tasks() - await _process_completed_tasks(done_integration_tasks, progress, main_task) - - -async def _process_completed_tasks( - done_integration_tasks: set[IntegrationTask], - progress: Progress, - main_task: TaskID, -) -> None: - """Process results and exceptions for completed tasks.""" - for it in done_integration_tasks: - progress.advance(main_task) - try: - await it.task - except Exception: - logger.exception( - "Failed to describe integration %s", - it.integration_name, - ) - - -def _get_all_integrations_paths(src: Path | None = None) -> list[Path]: - if src: - return ( - [p for p in src.iterdir() if p.is_dir() and not p.name.startswith(".")] - if src.exists() - else [] - ) - - paths: list[Path] = [] - base_paths: list[Path] = [] - for repo_type in [RepositoryType.COMMERCIAL, RepositoryType.THIRD_PARTY]: - base_paths.extend(get_integration_base_folders_paths(repo_type.value)) - - for base_path in base_paths: - if not base_path.exists(): - continue - - paths.extend([p for p in base_path.iterdir() if p.is_dir() and not p.name.startswith(".")]) - - return paths diff --git a/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py b/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py index 51dbead71..95af5e044 100644 --- a/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py +++ b/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py @@ -19,14 +19,15 @@ import anyio +from mp.describe.common.prompt_constructors.prompt_constructor import ( + PromptConstructor as BasePromptConstructor, +) -class PromptConstructor(abc.ABC): + +class PromptConstructor(BasePromptConstructor, abc.ABC): __slots__: tuple[str, ...] = ( "action_file_name", "action_name", - "integration", - "integration_name", - "out_path", ) def __init__( @@ -37,18 +38,16 @@ def __init__( action_file_name: str, out_path: anyio.Path, ) -> None: - self.integration: anyio.Path = integration - self.integration_name: str = integration_name + super().__init__(integration, integration_name, out_path) self.action_name: str = action_name self.action_file_name: str = action_file_name - self.out_path: anyio.Path = out_path - @property - async def task_prompt(self) -> Template: + @staticmethod + async def get_task_prompt() -> Template: """Get the task prompt. Returns: - str: The task prompt. + Template: The task prompt. """ prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" @@ -56,7 +55,7 @@ async def task_prompt(self) -> Template: @abc.abstractmethod async def construct(self) -> str: - """Construct a prompt for generating action descriptions. + """Construct a prompt for generating AI descriptions. Returns: str: The constructed prompt. diff --git a/packages/mp/src/mp/describe/action/prompts/system.md b/packages/mp/src/mp/describe/action/prompts/system.md deleted file mode 100644 index 57bfceec9..000000000 --- a/packages/mp/src/mp/describe/action/prompts/system.md +++ /dev/null @@ -1,30 +0,0 @@ -**Role:** -You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integration code written in Python. - -**Objective:** -Your goal is to analyze integration code (Python) and its configuration (JSON) to produce a structured JSON capability summary. This summary helps autonomous agents understand the purpose, capabilities, and side effects of the code. - -**Resource Usage Strategy:** -You will be provided with Python code, JSON configurations, and access to library documentation. Use them as follows: - -1. **Python Script (`.py`):** Use this to determine the *logic - flow*, identifying which external API calls are made and what SDK methods (e.g., - `SiemplifyAction`, `TIPCommon`) are utilized. -2. **Configuration File (`.json`):** Use this to identify input parameters, default values, and the - *Entity Scopes* (e.g., IP, HASH) the action supports. -3. **SDK/Library Docs: - ** Use provided documentation links to interpret specific method calls (e.g., distinguishing between - `add_entity_insight` vs `add_result_json` vs `update_entities`). - -**Analysis Guidelines:** - -1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining - *what* the code does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacting with and specific data points retrieved. -2. **Capability Flags:** You must accurately determine boolean flags (e.g., `fetches_data`, - `can_mutate_external_data`). - * *Enrichment* implies fetching data without changing the external system state. - * *Mutation* implies changing state (e.g., blocking an IP, resetting a password). - * *Internal Mutation* refers to changing the SOAR case data (entities, case wall, insights). - -**Output Format:** -Return **strictly** a valid JSON object matching the provided schema. Do not include Markdown code blocks or conversational text. diff --git a/packages/mp/src/mp/describe/action/prompts/task.md b/packages/mp/src/mp/describe/action/prompts/task.md index 905c8124f..fa1e6070b 100644 --- a/packages/mp/src/mp/describe/action/prompts/task.md +++ b/packages/mp/src/mp/describe/action/prompts/task.md @@ -26,6 +26,36 @@ I have provided the following files for a Google SecOps action: * https://docs.cloud.google.com/chronicle/docs/soar/reference/script-result-module * https://docs.cloud.google.com/chronicle/docs/soar/reference/script-result-module +**Action Product Categories Definitions:** +Review these categories carefully. An action can belong to one or more categories if it matches the expected outcome. +- **Enrich IOC**: Returns reputation, prevalence, and threat intelligence for the indicator. +- **Enrich Asset**: Returns contextual metadata (e.g., OS version, owner, department, MAC address) for a user or resource. +- **Update Alert**: Changes the status, severity, or assignee of the alert within the SecOps platform. +- **Add Alert Comment**: Appends analyst notes or automated log entries to the alert's activity timeline. +- **Create Ticket**: Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns the Ticket ID. +- **Update Ticket**: Synchronizes status, priority, or field changes from SecOps to the external ticketing system. +- **Add IOC To Blocklist**: Updates security controls (Firewall, EDR, Proxy) to prevent any future interaction with the IOC. +- **Remove IOC From Blocklist**: Restores connectivity or execution rights for an indicator by removing it from restricted lists. +- **Add IOC To Allowlist**: Marks an indicator as "known good" to prevent future security alerts or false positives. +- **Remove IOC From Allowlist**: Re-enables standard security monitoring and blocking for a previously trusted indicator. +- **Disable Identity**: Revokes active sessions and prevents a user or service account from authenticating to the network. +- **Enable Identity**: Restores authentication capabilities and system access for a previously disabled account. +- **Contain Host**: Isolates an endpoint from the network via EDR, allowing communication only with the management console. +- **Uncontain Host**: Removes network isolation and restores the endpoint's full communication capabilities. +- **Reset Identity Password**: Invalidates the current credentials and triggers a password change or temporary password generation. +- **Update Identity**: Modifies account metadata, such as group memberships, permissions, or contact information. +- **Search Events**: Returns a collection of historical logs or telemetry data matching specific search parameters. +- **Execute Command on the Host**: Runs a script or system command on a remote endpoint and returns the standard output (STDOUT). +- **Download File**: Retrieves a specific file from a remote host for local forensic analysis or sandboxing. +- **Send Email**: Dispatches an outbound email notification or response to specified recipients. +- **Search Email**: Identifies and lists emails across the mail server based on criteria like sender, subject, or attachment. +- **Delete Email**: Removes a specific email or thread from one or more user mailboxes (Purge/Withdraw). +- **Update Email**: Modifies the state of an email, such as moving it to quarantine, marking as read, or applying labels. +- **Submit File**: Uploads a file or sample to a sandbox or analysis engine (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score. +- **Send Message**: Sends a message to a communication app (e.g., Google Chat, Microsoft Teams). +- **Search Asset**: Searches for the asset associated with the alert within the product. +- **Get Alert Information**: Fetches information about the alert from the 3rd party product. + **Instructions:** 1. **Analyze the Description:** Synthesize the `Script Code` logic and`Script Settings` description. @@ -40,6 +70,7 @@ I have provided the following files for a Google SecOps action: `update_entities`, `add_case_comment`. 3. **Extract Entity Scopes:** Look at the `Supported entities` in the JSON description or the `SimulationDataJson` to see if it targets `ADDRESS`, `FILEHASH`, `USER`, etc. +4. **Action Product Categories & Reasoning:** You MUST write out your step-by-step reasoning in the `reasoning` field of the `action_product_categories` object BEFORE populating the boolean flags. Discuss why the action matches or fails to match specific categories based on the expected outcomes defined above. **Golden Dataset (Few-Shot Examples):** @@ -88,6 +119,7 @@ for entity in suitable_entities: "can_create_case_comments": false }, "entity_usage": { + "reasoning": "The code iterates over `siemplify.target_entities` and filters using `entity.entity_type == EntityTypes.ADDRESS and entity.is_internal`. This means it targets ADDRESS entities, filtering by entity_type and is_internal.", "run_on_entity_types": [ "ADDRESS" ], @@ -105,8 +137,38 @@ for entity in suitable_entities: "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": true + "categories": { + "enrichment": true + }, + "action_product_categories": { + "reasoning": "The action fetches IP data from VirusTotal, returning threat intelligence and evaluating risk. This matches the 'Enrich IOC' expected outcome. It does not mutate data on external systems, so it is not a Contain Host or Blocklist action.", + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": false, + "create_ticket": false, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": true, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` @@ -153,6 +215,7 @@ if result['success']: "can_create_case_comments": false }, "entity_usage": { + "reasoning": "The code processes `entities` looking for `e.entity_type == \"ADDRESS\"`, filtering strictly by entity_type.", "run_on_entity_types": [ "ADDRESS" ], @@ -170,8 +233,38 @@ if result['success']: "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": false + "categories": { + "enrichment": false + }, + "action_product_categories": { + "reasoning": "The action performs a POST to a firewall to block an IP address. This directly aligns with the 'Contain Host' expected outcome of isolating an endpoint, or 'Add IOC To Blocklist' depending on exact definition. Based on the JSON snippet, 'Contain Host' is true.", + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": true, + "create_ticket": false, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": false, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` @@ -199,8 +292,9 @@ results = ticket_manager.create_ticket(title, description) ```json { - "fields": { - "description": "Opens a new ticket in the ticket service by a post request.", + "ai_description": "Opens a new ticket in the ticket service by a post request.", + "capabilities": { + "reasoning": "The action makes a POST request to create a ticket (can_mutate_external_data=true). It does not fetch context data or update internal entities.", "fetches_data": false, "can_mutate_external_data": true, "external_data_mutation_explanation": "Creates a new ticket in the ticket service.", @@ -227,8 +321,39 @@ results = ticket_manager.create_ticket(title, description) "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": false + "categories": { + "reasoning": "The action creates external data (a ticket) rather than retrieving data, so it cannot be an Enrichment action.", + "enrichment": false + }, + "action_product_categories": { + "reasoning": "The action creates a new ticket in an external ticket service. This directly aligns with the 'Create Ticket' category.", + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": false, + "create_ticket": true, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": false, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` @@ -263,3 +388,17 @@ Based strictly on the provided "Current Task Input" and the guidelines defined i 1. Analyze the code flow and settings. 2. Construct the Capability Summary JSON. 3. Ensure valid JSON syntax. + +3. Ensure valid JSON syntax. +ttings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. + settings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. +ttings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. + settings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/action/typer_app.py b/packages/mp/src/mp/describe/action/typer_app.py index 83afd79eb..ec69e3193 100644 --- a/packages/mp/src/mp/describe/action/typer_app.py +++ b/packages/mp/src/mp/describe/action/typer_app.py @@ -86,6 +86,7 @@ def describe( # noqa: PLR0913 bool, typer.Option( "--override", + "-o", help="Rewrite actions that already have their description.", ), ] = False, diff --git a/packages/mp/src/mp/describe/action/utils/paths.py b/packages/mp/src/mp/describe/action/utils/paths.py deleted file mode 100644 index d3efa5194..000000000 --- a/packages/mp/src/mp/describe/action/utils/paths.py +++ /dev/null @@ -1,86 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import annotations - -import logging -from typing import TYPE_CHECKING - -import anyio -import typer - -from mp.core.custom_types import RepositoryType -from mp.core.file_utils import ( - create_or_get_out_integrations_dir, - get_integration_base_folders_paths, -) - -if TYPE_CHECKING: - import pathlib - -logger: logging.Logger = logging.getLogger(__name__) - - -def get_integration_path(name: str, *, src: pathlib.Path | None = None) -> anyio.Path: - """Get the path to an integration. - - Args: - name: The name of the integration. - src: Optional custom source path. - - Returns: - anyio.Path: The path to the integration. - - """ - if src: - return _get_source_integration_path(name, src) - return _get_marketplace_integration_path(name) - - -def _get_source_integration_path(name: str, src: pathlib.Path) -> anyio.Path: - path = src / name - if path.exists(): - return anyio.Path(path) - logger.error("Integration '%s' not found in source '%s'", name, src) - raise typer.Exit(1) - - -def _get_marketplace_integration_path(name: str) -> anyio.Path: - base_paths: list[pathlib.Path] = [] - for repo_type in [RepositoryType.COMMERCIAL, RepositoryType.THIRD_PARTY]: - base_paths.extend(get_integration_base_folders_paths(repo_type.value)) - - for path in base_paths: - if (p := path / name).exists(): - return anyio.Path(p) - - logger.error("Integration '%s' not found in marketplace", name) - raise typer.Exit(1) - - -def get_out_path(integration_name: str, src: pathlib.Path | None = None) -> anyio.Path: - """Get the output path for a built integration. - - Args: - integration_name: The name of the integration. - src: Optional custom source path. - - Returns: - anyio.Path: The output path. - - """ - base_out: anyio.Path = anyio.Path(create_or_get_out_integrations_dir()) - if src: - return base_out / src.name / integration_name - return base_out / integration_name diff --git a/packages/mp/src/mp/describe/all_content.py b/packages/mp/src/mp/describe/all_content.py new file mode 100644 index 000000000..d61bc0b3f --- /dev/null +++ b/packages/mp/src/mp/describe/all_content.py @@ -0,0 +1,148 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +from pathlib import Path +from typing import TYPE_CHECKING + +import mp.core.config +from mp.describe.action.describe import DescribeAction +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) +from mp.describe.common.utils.paths import get_integration_path +from mp.describe.connector.describe import DescribeConnector +from mp.describe.integration.describe import DescribeIntegration +from mp.describe.job.describe import DescribeJob + +if TYPE_CHECKING: + from collections.abc import Callable + + from rich.progress import Progress + + +class AllContentDescriber: + """Describer for all content types in an integration.""" + + def __init__( + self, + integration: str, + *, + src: Path | None = None, + dst: Path | None = None, + override: bool = False, + ) -> None: + self.integration = integration + self.src = src + self.dst = dst + self.override = override + + @staticmethod + async def get_resources_count() -> int: + """Get the number of resources to describe. + + For all-content, we use 4 as a representative number of stages: + actions, connectors, jobs, and the integration metadata. + + Returns: + int: The number of stages. + + """ + return 4 + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe all content in an integration.""" + if sem is None: + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + + # 1. Describe actions + await DescribeAction( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 2. Describe connectors + await DescribeConnector( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 3. Describe jobs + await DescribeJob( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 4. Describe integration (last because it depends on previous results) + await DescribeIntegration( + self.integration, src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + if on_done: + on_done() + + +class AllContentMarketplaceOrchestrator(MarketplaceOrchestratorBase): + """Orchestrate all-content description across the entire marketplace.""" + + def _create_describer(self, integration_name: str) -> AllContentDescriber: + return AllContentDescriber( + integration=integration_name, + src=self.src, + dst=self.dst, + override=self.override, + ) + + +async def describe_all_content( + integration: str | None = None, + *, + integrations: list[str] | None = None, + src: Path | None = None, + dst: Path | None = None, + override: bool = False, +) -> None: + """Describe all content in one or more integrations. + + Args: + integration: Single integration name (backward compatibility). + integrations: List of integration names. + src: Optional custom source path. + dst: Optional custom destination path. + override: Whether to rewrite existing descriptions. + + """ + all_integrations: list[str] = [] + if integration: + all_integrations.append(integration) + if integrations: + all_integrations.extend(integrations) + + integrations_paths: list[Path] + if all_integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in all_integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + + orchestrator = AllContentMarketplaceOrchestrator( + src, integrations_paths, dst=dst, override=override + ) + await orchestrator.run() diff --git a/packages/mp/src/mp/describe/common/__init__.py b/packages/mp/src/mp/describe/common/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/common/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/common/describe.py b/packages/mp/src/mp/describe/common/describe.py new file mode 100644 index 000000000..8c28acb61 --- /dev/null +++ b/packages/mp/src/mp/describe/common/describe.py @@ -0,0 +1,467 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +import asyncio +import contextlib +import logging +from typing import TYPE_CHECKING, Any, Generic, NamedTuple, TypeVar + +import anyio +import yaml +from pydantic import BaseModel +from rich.progress import TaskID, track + +from mp.core import constants +from mp.core.utils import folded_string_representer + +from .utils import llm, paths + +if TYPE_CHECKING: + import pathlib + from collections.abc import AsyncIterator, Callable + + from rich.progress import Progress + +logger: logging.Logger = logging.getLogger(__name__) + +T_Metadata = TypeVar("T_Metadata", bound=BaseModel) + + +class IntegrationStatus(NamedTuple): + is_built: bool + out_path: anyio.Path + + +class DescriptionResult(NamedTuple): + name: str + metadata: BaseModel | None + + +class RichParams(NamedTuple): + on_done: Callable[[], None] | None = None + progress: Progress | None = None + task_id: TaskID | None = None + + +def _merge_results(metadata: dict[str, Any], results: list[DescriptionResult]) -> None: + for result in results: + if result.metadata is not None: + metadata[result.name] = result.metadata.model_dump(mode="json") + + +def _create_notifier(rich_params: RichParams) -> Callable[[], None]: + """Create a notifier function to handle progress and callbacks. + + Args: + rich_params: Progress and callback parameters. + + Returns: + Callable[[], None]: A function that advances progress and calls the callback. + + """ + + def notify() -> None: + if rich_params.on_done: + rich_params.on_done() + if rich_params.progress and rich_params.task_id: + rich_params.progress.advance(rich_params.task_id) + + return notify + + +@contextlib.asynccontextmanager +async def _maybe_use_semaphore(sem: asyncio.Semaphore | None) -> AsyncIterator[None]: + """Context manager to optionally use a semaphore. + + Args: + sem: The semaphore to use, or None. + + Yields: + None + + """ + if sem: + async with sem: + yield + else: + yield + + +class DescribeBase(abc.ABC, Generic[T_Metadata]): + def __init__( + self, + integration_name: str, + resource_names: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + self.integration_name: str = integration_name + self.src: pathlib.Path | None = src + self.integration: anyio.Path = paths.get_integration_path(integration_name, src=src) + self.resource_names: set[str] = resource_names + self.override: bool = override + self.dst: pathlib.Path | None = dst + + @property + @abc.abstractmethod + def metadata_file_name(self) -> str: + """The name of the metadata file.""" + raise NotImplementedError + + @property + @abc.abstractmethod + def resource_type_name(self) -> str: + """The name of the resource type (e.g., 'action', 'integration').""" + raise NotImplementedError + + @property + @abc.abstractmethod + def response_schema(self) -> type[T_Metadata]: + """The schema for the LLM response.""" + raise NotImplementedError + + @abc.abstractmethod + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + """Get all resources of the given type in the integration.""" + raise NotImplementedError + + @abc.abstractmethod + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + """Construct prompts for the given resources.""" + raise NotImplementedError + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe resources in a given integration. + + Args: + sem: Optional semaphore to limit concurrent Gemini requests. + on_done: An optional callback is called when a resource is finished. + progress: An optional Progress object to use for progress reporting. + + """ + metadata, status = await asyncio.gather( + self._load_metadata(), self._get_integration_status() + ) + + resources_to_process: set[str] = await self._prepare_resources(status, metadata) + if not resources_to_process: + if not self.resource_names: + await self._save_metadata(metadata) + else: + logger.info( + "All %ss in %s already have descriptions. Skipping.", + self.resource_type_name, + self.integration_name, + ) + return + + if len(resources_to_process) == 1: + logger.info( + "Describing %s %s for %s", + self.resource_type_name, + next(iter(resources_to_process)), + self.integration_name, + ) + else: + logger.info( + "Describing %d %ss for %s", + len(resources_to_process), + self.resource_type_name, + self.integration_name, + ) + + results: list[DescriptionResult] = await self._execute_descriptions( + resources_to_process, status, sem, on_done, progress + ) + + _merge_results(metadata, results) + await self._save_metadata(metadata) + + async def get_resources_count(self) -> int: + """Get the number of resources in the integration. + + Returns: + int: The number of resources. + + """ + status, metadata = await asyncio.gather( + self._get_integration_status(), self._load_metadata() + ) + resources: set[str] = await self._prepare_resources(status, metadata) + return len(resources) + + async def _prepare_resources( + self, status: IntegrationStatus, metadata: dict[str, Any] + ) -> set[str]: + if not self.resource_names: + self.resource_names = await self._get_all_resources(status) + + # Prune metadata for resources that no longer exist + # Only for non-integration types which use resource names as keys + if self.resource_type_name != "integration": + for key in list(metadata.keys()): + if key not in self.resource_names: + del metadata[key] + + if not self.override: + resources_to_process: set[str] = { + res for res in self.resource_names if res not in metadata + } + skipped_count: int = len(self.resource_names) - len(resources_to_process) + if skipped_count > 0: + if skipped_count == 1: + logger.info( + "Skipping 1 %s that already has a description in %s", + self.resource_type_name, + self.integration_name, + ) + else: + logger.info( + "Skipping %d %ss that already have a description in %s", + skipped_count, + self.resource_type_name, + self.integration_name, + ) + return resources_to_process + + return self.resource_names + + async def _execute_descriptions( + self, + resources: set[str], + status: IntegrationStatus, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> list[DescriptionResult]: + resource_list = list(resources) + bulks = [ + resource_list[i : i + llm.DESCRIBE_BULK_SIZE] + for i in range(0, len(resource_list), llm.DESCRIBE_BULK_SIZE) + ] + + if len(resources) == 1: + description = ( + f"Describing {self.resource_type_name} {next(iter(resources))} for" + f" {self.integration_name}..." + ) + else: + description = f"Describing {self.resource_type_name}s for {self.integration_name}..." + + results: list[DescriptionResult] = [] + + if progress: + task_id: TaskID = progress.add_task(description, total=len(resources)) + rich_params = RichParams(on_done, progress, task_id) + tasks: list[asyncio.Task] = [ + asyncio.create_task(self._process_bulk_resources(bulk, status, sem, rich_params)) + for bulk in bulks + ] + for coro in asyncio.as_completed(tasks): + results.extend(await coro) + + progress.remove_task(task_id) + + else: + rich_params = RichParams(on_done) + tasks: list[asyncio.Task] = [ + asyncio.create_task(self._process_bulk_resources(bulk, status, sem, rich_params)) + for bulk in bulks + ] + results.extend([ + res + for bulk_res in track( + asyncio.as_completed(tasks), + description=description, + total=len(bulks), + ) + for res in await bulk_res + ]) + + return results + + async def _process_bulk_resources( + self, + resources: list[str], + status: IntegrationStatus, + sem: asyncio.Semaphore | None = None, + rich_params: RichParams | None = None, + ) -> list[DescriptionResult]: + if rich_params is None: + rich_params = RichParams() + + notify_done: Callable[[], None] = _create_notifier(rich_params) + try: + async with _maybe_use_semaphore(sem): + return await self._describe_resources_bulk_with_error_handling( + resources, status, notify_done + ) + + except Exception: + logger.exception( + "Failed to process bulk of %ss: %s", self.resource_type_name, resources + ) + for _ in resources: + notify_done() + + return [DescriptionResult(a, None) for a in resources] + + async def _describe_resources_bulk_with_error_handling( + self, + resources: list[str], + status: IntegrationStatus, + notify_done: Callable[[], None], + ) -> list[DescriptionResult]: + try: + results: list[DescriptionResult] = await self.describe_bulk(resources, status) + except Exception: + logger.exception("Failed to describe %ss bulk %s", self.resource_type_name, resources) + results: list[DescriptionResult] = [DescriptionResult(a, None) for a in resources] + + for _ in resources: + notify_done() + + return results + + async def describe_bulk( + self, + resources: list[str], + status: IntegrationStatus, + ) -> list[DescriptionResult]: + """Describe multiple resources of a given integration in bulk. + + Args: + resources: The names of the resources to describe. + status: The status of the integration. + + Returns: + list[DescriptionResult]: The descriptions of the resources. + + """ + prompts: list[str] = await self._construct_prompts(resources, status) + valid_indices: list[int] = [i for i, prompt in enumerate(prompts) if prompt] + + valid_prompts: list[str] = [prompts[i] for i in valid_indices] + if not valid_prompts: + return [DescriptionResult(a, None) for a in resources] + + llm_results: list[T_Metadata | str] = await llm.call_gemini_bulk( + valid_prompts, self.response_schema + ) + + return self._map_bulk_results_to_resources(resources, valid_indices, llm_results) + + def _map_bulk_results_to_resources( + self, + resources: list[str], + valid_indices: list[int], + results: list[T_Metadata | str], + ) -> list[DescriptionResult]: + """Map Gemini results back to resource names. + + Args: + resources: Original list of resource names. + valid_indices: Indices of resources that had valid prompts. + results: Results from Gemini for those valid prompts. + + Returns: + list[DescriptionResult]: The mapped results. + + """ + final_results: list[DescriptionResult] = [DescriptionResult(a, None) for a in resources] + + for i, result in zip(valid_indices, results, strict=True): + resource_name: str = resources[i] + if isinstance(result, str): + logger.error( + "Failed to describe %s %s: %s", self.resource_type_name, resource_name, result + ) + continue + + # Special case for Ping action as in DescribeAction + if ( + self.resource_type_name == "action" + and resource_name.casefold() == "Ping".casefold() + and hasattr(result, "categories") + ): + res_any: Any = result + res_any.categories.enrichment = False # ty: ignore[unresolved-attribute] + + final_results[i] = DescriptionResult(resource_name, result) + + return final_results + + async def _get_integration_status(self) -> IntegrationStatus: + out_path: anyio.Path = paths.get_out_path(self.integration_name, src=self.src) + is_built: bool = await out_path.exists() + + # If it's not built in the out directory, check if the integration itself is built + if not is_built: + # Look for any .def file in the integration directory + async for _f in self.integration.glob("Integration-*.def"): + is_built = True + out_path = self.integration + break + + return IntegrationStatus(is_built=is_built, out_path=out_path) + + async def _load_metadata(self) -> dict[str, Any]: + resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name + + metadata: dict[str, Any] = {} + if await metadata_file.exists(): + content: str = await metadata_file.read_text() + with contextlib.suppress(yaml.YAMLError): + metadata = yaml.safe_load(content) or {} + + if self.dst: + dst_file: anyio.Path = anyio.Path(self.dst) / self.metadata_file_name + if await dst_file.exists(): + content: str = await dst_file.read_text() + with contextlib.suppress(yaml.YAMLError): + dst_metadata = yaml.safe_load(content) or {} + + metadata.update(dst_metadata) + + return metadata + + async def _save_metadata(self, metadata: dict[str, Any]) -> None: + if self.dst: + save_dir: anyio.Path = anyio.Path(self.dst) + else: + save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + + metadata_file: anyio.Path = save_dir / self.metadata_file_name + + if not metadata: + if await metadata_file.exists(): + await metadata_file.unlink() + return + + await save_dir.mkdir(parents=True, exist_ok=True) + yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) + await metadata_file.write_text(yaml.safe_dump(metadata)) diff --git a/packages/mp/src/mp/describe/common/describe_all.py b/packages/mp/src/mp/describe/common/describe_all.py new file mode 100644 index 000000000..e751cf47c --- /dev/null +++ b/packages/mp/src/mp/describe/common/describe_all.py @@ -0,0 +1,202 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +import asyncio +import collections +import logging +from typing import TYPE_CHECKING, NamedTuple, Protocol + +from rich.progress import ( + BarColumn, + Progress, + SpinnerColumn, + TaskID, + TextColumn, + TimeRemainingColumn, +) + +import mp.core.config +from mp.core.file_utils import ( + get_all_marketplace_integrations_paths, + get_integrations_from_paths, +) + +if TYPE_CHECKING: + from collections.abc import Callable + from pathlib import Path + + +class Describer(Protocol): + """Protocol for describer classes.""" + + async def get_resources_count(self) -> int: + """Get the number of resources to describe.""" + ... + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe resources.""" + ... + + +logger: logging.Logger = logging.getLogger(__name__) +MAX_ACTIVE_INTEGRATIONS: int = 3 +MAX_ACTIVE_TASKS: int = 3 + + +class IntegrationTask(NamedTuple): + task: asyncio.Task[None] + integration_name: str + initial_resource_count: int + + +class MarketplaceOrchestratorBase(abc.ABC): + def __init__( + self, + src: Path | None, + integrations_paths: list[Path], + *, + dst: Path | None = None, + override: bool = False, + ) -> None: + self.src: Path | None = src + self.dst: Path | None = dst + self.integrations_paths: list[Path] = integrations_paths + self.concurrency: int = mp.core.config.get_gemini_concurrency() + self.sem: asyncio.Semaphore = asyncio.Semaphore(self.concurrency) + self.max_active_integrations: int = max(MAX_ACTIVE_INTEGRATIONS, self.concurrency) + self.override: bool = override + + self.pending_paths: collections.deque[Path] = collections.deque(integrations_paths) + self.active_tasks: set[IntegrationTask] = set() + self.resources_in_flight: int = 0 + + def _on_resource_done(self) -> None: + self.resources_in_flight -= 1 + + def _can_start_more(self) -> bool: + """Check if we have capacity and space in UI to start new integrations. + + Returns: + bool: True if we can start more integrations, False otherwise. + + """ + return bool( + self.pending_paths + and ( + self.resources_in_flight < self.concurrency + or len(self.active_tasks) < MAX_ACTIVE_TASKS + ) + and len(self.active_tasks) < self.max_active_integrations + ) + + @abc.abstractmethod + def _create_describer(self, integration_name: str) -> Describer: + """Create a describer for the given integration.""" + raise NotImplementedError + + async def _start_next_integration(self, progress: Progress) -> None: + """Start describing the next integration in the queue.""" + path: Path = self.pending_paths.popleft() + describer: Describer = self._create_describer(path.name) + + # Pre-discover resource count to decide if we should start more + count: int = await describer.get_resources_count() + self.resources_in_flight += count + + task: asyncio.Task[None] = asyncio.create_task( + describer.describe(sem=self.sem, on_done=self._on_resource_done, progress=progress) + ) + self.active_tasks.add( + IntegrationTask( + task=task, + integration_name=path.name, + initial_resource_count=count, + ) + ) + + async def _wait_for_tasks(self) -> set[IntegrationTask]: + """Wait for at least one active task to complete and return done tasks. + + Returns: + set[IntegrationTask]: Set of completed tasks. + + """ + if not self.active_tasks: + return set() + + done_tasks, pending_tasks = await asyncio.wait( + {it.task for it in self.active_tasks}, return_when=asyncio.FIRST_COMPLETED + ) + + done_integration_tasks: set[IntegrationTask] = { + it for it in self.active_tasks if it.task in done_tasks + } + self.active_tasks: set[IntegrationTask] = { + it for it in self.active_tasks if it.task in pending_tasks + } + + return done_integration_tasks + + async def run(self) -> None: + """Run the orchestration loop.""" + with Progress( + SpinnerColumn(), + TextColumn("[progress.description]{task.description}"), + BarColumn(), + TextColumn("[progress.percentage]{task.percentage:>3.0f}%"), + TimeRemainingColumn(), + ) as progress: + main_task: TaskID = progress.add_task( + description="Describing integrations...", + total=len(self.integrations_paths), + ) + + while self.pending_paths or self.active_tasks: + while self._can_start_more(): + await self._start_next_integration(progress) + + if not self.active_tasks: + break + + done_integration_tasks: set[IntegrationTask] = await self._wait_for_tasks() + for it in done_integration_tasks: + progress.advance(main_task) + try: + await it.task + except Exception: + logger.exception("Failed to describe integration %s", it.integration_name) + + +def get_all_integrations_paths(src: Path | None = None) -> list[Path]: + """Get all integrations paths from the marketplace or a custom source. + + Args: + src: Optional custom source path. + + Returns: + list[Path]: The paths to the integrations. + + """ + if src: + return sorted(get_integrations_from_paths(src)) if src.exists() else [] + + return get_all_marketplace_integrations_paths() diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py b/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py new file mode 100644 index 000000000..45afe38fb --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py @@ -0,0 +1,68 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from string import Template + + import anyio + + +class PromptConstructor(abc.ABC): + __slots__: tuple[str, ...] = ( + "integration", + "integration_name", + "out_path", + ) + + def __init__( + self, + integration: anyio.Path, + integration_name: str, + out_path: anyio.Path, + ) -> None: + self.integration: anyio.Path = integration + self.integration_name: str = integration_name + self.out_path: anyio.Path = out_path + + @staticmethod + @abc.abstractmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + raise NotImplementedError + + @abc.abstractmethod + async def construct(self) -> str: + """Construct a prompt for generating AI descriptions. + + Returns: + str: The constructed prompt. + + """ + raise NotImplementedError + + @property + async def task_prompt(self) -> Template: + """Get the task prompt (compatibility property).""" + # Compatibility property + return await self.get_task_prompt() diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/resource.py b/packages/mp/src/mp/describe/common/prompt_constructors/resource.py new file mode 100644 index 000000000..2f2cae200 --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/resource.py @@ -0,0 +1,65 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +from typing import TYPE_CHECKING + +from .prompt_constructor import PromptConstructor as BasePromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + + +class ResourcePromptConstructor(BasePromptConstructor, abc.ABC): + __slots__: tuple[str, ...] = ( + "resource_file_name", + "resource_name", + ) + + def __init__( + self, + integration: anyio.Path, + integration_name: str, + resource_name: str, + resource_file_name: str, + out_path: anyio.Path, + ) -> None: + super().__init__(integration, integration_name, out_path) + self.resource_name: str = resource_name + self.resource_file_name: str = resource_file_name + + @staticmethod + @abc.abstractmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + raise NotImplementedError + + @abc.abstractmethod + async def construct(self) -> str: + """Construct a prompt for generating AI descriptions. + + Returns: + str: The constructed prompt. + + """ + raise NotImplementedError diff --git a/packages/mp/src/mp/describe/common/prompts/system.md b/packages/mp/src/mp/describe/common/prompts/system.md new file mode 100644 index 000000000..50f6a4d4f --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompts/system.md @@ -0,0 +1,24 @@ +**Role:** +You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integrations, including their actions, connectors, jobs, and overall metadata. + +**Objective:** +Your goal is to analyze integration components (Python code, configurations, or previously generated AI metadata) to produce structured JSON summaries or classifications. These summaries help autonomous agents and users understand the purpose, capabilities, and side effects of the integration resources. + +**Resource Usage Strategy:** +Depending on the task, you will be provided with various inputs: + +1. **Python Script (`.py`):** Use this to determine the *logic flow*, identifying which external API calls are made and what SDK methods (e.g., `SiemplifyAction`, `TIPCommon`) are utilized. +2. **Configuration File (`.json` or `.yaml`):** Use this to identify input parameters, default values, and the *Entity Scopes* (e.g., IP, HASH) or other settings the resource supports. +3. **AI Descriptions:** Use previously generated AI summaries to perform higher-level classifications or cross-resource analysis. +4. **SDK/Library Docs:** Use provided documentation links to interpret specific method calls (e.g., distinguishing between `add_entity_insight` vs `add_result_json` vs `update_entities`). + +**Analysis Guidelines:** + +1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining *what* the component does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacted with and specific data points retrieved. +2. **Technical Accuracy:** You must accurately determine capability flags and classifications based strictly on the provided data and task instructions. + * *Enrichment* implies fetching data without changing the external system state. + * *Mutation* implies changing state (e.g., blocking an IP, resetting a password). + * *Internal Mutation* refers to changing the SOAR case data (entities, case wall, insights). + +**Output Format:** +Return **strictly** a valid JSON object matching the provided schema. Do not include Markdown code blocks or conversational text. diff --git a/packages/mp/src/mp/describe/common/utils/__init__.py b/packages/mp/src/mp/describe/common/utils/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/common/utils/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/action/utils/llm.py b/packages/mp/src/mp/describe/common/utils/llm.py similarity index 82% rename from packages/mp/src/mp/describe/action/utils/llm.py rename to packages/mp/src/mp/describe/common/utils/llm.py index b715c23a7..ff9729e33 100644 --- a/packages/mp/src/mp/describe/action/utils/llm.py +++ b/packages/mp/src/mp/describe/common/utils/llm.py @@ -18,8 +18,8 @@ from typing import TYPE_CHECKING, TypeVar import anyio +from pydantic import BaseModel -from mp.core.data_models.integrations.action.ai.metadata import ActionAiMetadata from mp.core.llm.gemini import Gemini, GeminiConfig if TYPE_CHECKING: @@ -27,27 +27,30 @@ from mp.core.llm.sdk import LlmConfig, LlmSdk -GEMINI_MODEL_NAME: str = "gemini-3-flash-preview" +GEMINI_MODEL_NAME: str = "gemini-3.1-flash-lite-preview" GEMINI_TEMPERATURE: float = 0.1 DESCRIBE_BULK_SIZE: int = 4 -T_Schema = TypeVar("T_Schema") +T_Schema = TypeVar("T_Schema", bound=BaseModel) -async def call_gemini_bulk(prompts: list[str]) -> list[ActionAiMetadata | str]: +async def call_gemini_bulk( + prompts: list[str], response_json_schema: type[T_Schema] +) -> list[T_Schema | str]: """Call Gemini to describe multiple prompts in bulk. Args: prompts: The prompts to send. + response_json_schema: The schema for the response. Returns: - list[ActionAiMetadata | str]: The responses from Gemini. + list[T_Schema | str]: The responses from Gemini. """ async with create_llm_session() as gemini: return await gemini.send_bulk_messages( prompts, - response_json_schema=ActionAiMetadata, + response_json_schema=response_json_schema, ) diff --git a/packages/mp/src/mp/describe/common/utils/paths.py b/packages/mp/src/mp/describe/common/utils/paths.py new file mode 100644 index 000000000..ed9ceb5b4 --- /dev/null +++ b/packages/mp/src/mp/describe/common/utils/paths.py @@ -0,0 +1,143 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import contextlib +import logging +import pathlib +import tomllib +from typing import Any + +import anyio +import typer +import yaml + +from mp.core import constants +from mp.core.file_utils import ( + create_or_get_out_integrations_dir, + get_marketplace_integration_path, + is_built, +) + +logger: logging.Logger = logging.getLogger(__name__) + + +def get_integration_path(name: str, *, src: pathlib.Path | None = None) -> anyio.Path: + """Get the path to an integration. + + Args: + name: The name of the integration. + src: Optional custom source path. + + Returns: + anyio.Path: The path to the integration. + + """ + return ( + _get_source_integration_path(name, src) if src else _get_marketplace_integration_path(name) + ) + + +def _get_source_integration_path(name: str, src: pathlib.Path) -> anyio.Path: + if (path := src / name).exists(): + return anyio.Path(path) + + logger.error("Integration '%s' not found in source '%s'", name, src) + raise typer.Exit(1) + + +def _get_marketplace_integration_path(name: str) -> anyio.Path: + if (path := get_marketplace_integration_path(name)) is not None: + return anyio.Path(path) + + logger.error("Integration '%s' not found in marketplace", name) + raise typer.Exit(1) + + +def get_out_path(integration_name: str, src: pathlib.Path | None = None) -> anyio.Path: + """Get the output path for a built integration. + + Args: + integration_name: The name of the integration. + src: Optional custom source path. + + Returns: + anyio.Path: The output path. + + """ + base_out: pathlib.Path = create_or_get_out_integrations_dir() + if src: + return anyio.Path(base_out / src.name / integration_name) + + identifier: str = _resolve_integration_identifier(integration_name) + + for identifier_to_try in (identifier, integration_name): + if (path := _find_built_integration_in_repos(base_out, identifier_to_try)) is not None: + return path + + if (path := base_out / identifier).exists() and is_built(path): + return anyio.Path(path) + + return anyio.Path(base_out / integration_name) + + +def _resolve_integration_identifier(integration_name: str) -> str: + with contextlib.suppress(Exception): + if source_p := get_marketplace_integration_path(integration_name): + source_path = pathlib.Path(source_p) + return _get_identifier_from_source(source_path) + return integration_name + + +def _find_built_integration_in_repos(base_out: pathlib.Path, identifier: str) -> anyio.Path | None: + for repo_type in ( + constants.COMMERCIAL_REPO_NAME, + constants.THIRD_PARTY_REPO_NAME, + constants.CUSTOM_REPO_NAME, + ): + if (path := base_out / repo_type / identifier).exists() and is_built(path): + return anyio.Path(path) + + return None + + +def _get_identifier_from_source(source_path: pathlib.Path) -> str: + if identifier := _get_identifier_from_definition(source_path): + return identifier + + if identifier := _get_identifier_from_pyproject(source_path): + return identifier + + return source_path.name + + +def _get_identifier_from_definition(source_path: pathlib.Path) -> str | None: + if (definition_file := source_path / constants.DEFINITION_FILE).exists(): + with definition_file.open("r", encoding="utf-8") as f: + data: dict[str, Any] = yaml.safe_load(f) + if data and (identifier := data.get("identifier")): + return identifier + + return None + + +def _get_identifier_from_pyproject(source_path: pathlib.Path) -> str | None: + if (pyproject_file := source_path / constants.PROJECT_FILE).exists(): + with pyproject_file.open("rb") as f: + data: dict[str, Any] = tomllib.load(f) + if (project := data.get("project")) and (identifier := project.get("name")): + return identifier + + return None diff --git a/packages/mp/src/mp/describe/connector/__init__.py b/packages/mp/src/mp/describe/connector/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/connector/describe.py b/packages/mp/src/mp/describe/connector/describe.py new file mode 100644 index 000000000..02c67999e --- /dev/null +++ b/packages/mp/src/mp/describe/connector/describe.py @@ -0,0 +1,144 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import json +import logging +from typing import TYPE_CHECKING, NamedTuple + +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.connector.ai.metadata import ConnectorAiMetadata +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.built import BuiltPromptConstructor +from .prompt_constructors.source import SourcePromptConstructor + +if TYPE_CHECKING: + import pathlib + + import anyio + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescriptionParams(NamedTuple): + integration: anyio.Path + integration_name: str + connector_name: str + connector_file_name: str + status: IntegrationStatus + + +class DescribeConnector(DescribeBase[ConnectorAiMetadata]): + def __init__( + self, + integration: str, + connectors: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, connectors, src=src, dst=dst, override=override) + self._connector_name_to_file_stem: dict[str, str] = {} + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.CONNECTORS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "connector" + + @property + def response_schema(self) -> type[ConnectorAiMetadata]: + """Get the response schema.""" + return ConnectorAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + connectors: set[str] = set() + if status.is_built: + await self._get_all_built_connectors(status.out_path, connectors) + else: + await self._get_all_non_built_connectors(connectors) + return connectors + + async def _get_all_built_connectors(self, out_path: anyio.Path, connectors: set[str]) -> None: + path: anyio.Path = out_path / constants.OUT_CONNECTORS_META_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.CONNECTORS_META_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = json.loads(content) + name: str = data["Name"] + self._connector_name_to_file_stem[name] = file.stem + connectors.add(name) + except (json.JSONDecodeError, KeyError): + logger.warning("Failed to parse built connector metadata %s", file.name) + + async def _get_all_non_built_connectors(self, connectors: set[str]) -> None: + path: anyio.Path = self.integration / constants.CONNECTORS_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.YAML_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = yaml.safe_load(content) + name: str = data["name"] + self._connector_name_to_file_stem[name] = file.stem + connectors.add(name) + except (yaml.YAMLError, KeyError): + logger.warning("Failed to parse non-built connector metadata %s", file.name) + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for connector_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + connector_name, + self._connector_name_to_file_stem.get(connector_name, connector_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts + + +def _create_prompt_constructor( + params: DescriptionParams, +) -> BuiltPromptConstructor | SourcePromptConstructor: + if params.status.is_built: + return BuiltPromptConstructor( + params.integration, + params.integration_name, + params.connector_name, + params.connector_file_name, + params.status.out_path, + ) + return SourcePromptConstructor( + params.integration, + params.integration_name, + params.connector_name, + params.connector_file_name, + params.status.out_path, + ) diff --git a/packages/mp/src/mp/describe/connector/describe_all.py b/packages/mp/src/mp/describe/connector/describe_all.py new file mode 100644 index 000000000..c7a804602 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/describe_all.py @@ -0,0 +1,56 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from pathlib import Path + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) +from mp.describe.common.utils.paths import get_integration_path + +from .describe import DescribeConnector + + +async def describe_all_connectors( + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, +) -> None: + """Describe all connectors in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeConnector: + return DescribeConnector( + integration=integration_name, + connectors=set(), + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/built.py b/packages/mp/src/mp/describe/connector/prompt_constructors/built.py new file mode 100644 index 000000000..d69c82452 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/built.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .connector import ConnectorPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class BuiltPromptConstructor(ConnectorPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for built connectors. + + Returns: + str: The constructed prompt. + + """ + manager_names, manager_content = await self._get_managers_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.json", + "json_file_content": await self._get_built_connector_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_built_connector_content(), + "manager_file_names": manager_names or DEFAULT_FILE_CONTENT, + "manager_files_content": manager_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_managers_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + managers_dir: anyio.Path = self.out_path / constants.OUT_MANAGERS_SCRIPTS_DIR + if await managers_dir.exists(): + async for core_file in managers_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_built_connector_def_content(self) -> str: + connector_def: anyio.Path = ( + self.out_path + / constants.OUT_CONNECTORS_META_DIR + / f"{self.resource_file_name}{constants.CONNECTORS_META_SUFFIX}" + ) + if await connector_def.exists(): + return await connector_def.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_built_connector_content(self) -> str: + connector_script: anyio.Path = ( + self.out_path / constants.OUT_CONNECTOR_SCRIPTS_DIR / f"{self.resource_file_name}.py" + ) + if await connector_script.exists(): + return await connector_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py b/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py new file mode 100644 index 000000000..3d54b7124 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py @@ -0,0 +1,37 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from abc import ABC +from string import Template + +import anyio + +from mp.describe.common.prompt_constructors.resource import ResourcePromptConstructor + + +class ConnectorPromptConstructor(ResourcePromptConstructor, ABC): + __slots__: tuple[str, ...] = () + + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/source.py b/packages/mp/src/mp/describe/connector/prompt_constructors/source.py new file mode 100644 index 000000000..970f70652 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/source.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .connector import ConnectorPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class SourcePromptConstructor(ConnectorPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for non-built connectors. + + Returns: + str: The constructed prompt. + + """ + core_names, core_content = await self._get_core_modules_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.yaml", + "json_file_content": await self._get_non_built_connector_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_non_built_connector_content(), + "manager_file_names": core_names or DEFAULT_FILE_CONTENT, + "manager_files_content": core_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_core_modules_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + core_dir: anyio.Path = self.integration / constants.CORE_SCRIPTS_DIR + if await core_dir.exists(): + async for core_file in core_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_non_built_connector_def_content(self) -> str: + connector_yaml: anyio.Path = ( + self.integration + / constants.CONNECTORS_DIR + / f"{self.resource_file_name}{constants.YAML_SUFFIX}" + ) + if await connector_yaml.exists(): + return await connector_yaml.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_non_built_connector_content(self) -> str: + connector_script: anyio.Path = ( + self.integration / constants.CONNECTORS_DIR / f"{self.resource_file_name}.py" + ) + if await connector_script.exists(): + return await connector_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/connector/prompts/task.md b/packages/mp/src/mp/describe/connector/prompts/task.md new file mode 100644 index 000000000..b380d13a0 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompts/task.md @@ -0,0 +1,61 @@ +**Input Data:** +I have provided the following files for a Google SecOps connector: + +1. `Script Code`: The Python logic. +2. `Script Settings`: The JSON/YAML metadata containing parameters and configuration. + +**Reference Documentation:** + +* **SOAR SDK:** https://github.com/chronicle/soar-sdk/tree/main/src/soar_sdk +* **TIPCommon:** https://github.com/chronicle/content-hub/tree/main/packages/tipcommon/TIPCommon +* **SOAR SDK Docs:** + * https://docs.cloud.google.com/chronicle/docs/soar/reference/siemplify-connectors-module + +**Instructions:** + +1. **Analyze the Description:** Synthesize the `Script Code` logic and `Script Settings` description to create a detailed AI description. + * *Style:* Active voice. Concise yet informative. + * *Content:* Explain the connector's purpose, what kind of data it pulls (e.g., alerts, logs, events), and from which external service. + * *Sections:* + * **General description**: A high-level overview of the connector's purpose and the service it integrates with. + * **Parameters description**: A markdown table describing the configuration parameters (name, expected type, mandatory status, and description). + * **Flow description**: A numbered or bulleted list describing the data ingestion flow (how it connects, what it fetches, how it filters, and how it creates cases/alerts in SOAR). + +2. **Format the Output:** The result must be a JSON object with a single field `ai_description` containing the markdown-formatted description. + +**Example Output:** + +```json +{ + "ai_description": "### General Description\nThis connector fetches alerts from VirusTotal and creates cases in Google SecOps. It allows monitoring for malicious activity seen globally.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Key | String | Yes | Your VirusTotal API key. |\n| Threshold | Integer | No | Minimum score to fetch. |\n\n### Flow Description\n1. Connects to VirusTotal API using the provided API Key.\n2. Queries for recent alerts matching the configured threshold.\n3. Maps each alert to a Google SecOps case format.\n4. Ingests cases into the system." +} +``` + +**Current Task Input:** + +— START OF FILE ${json_file_name}— + +``` +${json_file_content} +``` + +— END OF FILE ${json_file_name}— + +— START OF FILE ${python_file_name}— + +```python +${python_file_content} +``` + +— END OF FILE ${python_file_name}— + +— START OF FILE ${manager_file_names}— +${manager_files_content} +— END OF FILE ${manager_file_names}— + +**Final Instructions:** +Based strictly on the provided "Current Task Input": + +1. Analyze the code flow and settings. +2. Construct the AI Description. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/connector/typer_app.py b/packages/mp/src/mp/describe/connector/typer_app.py new file mode 100644 index 000000000..e9c7c6d44 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/typer_app.py @@ -0,0 +1,132 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe import DescribeConnector +from .describe_all import describe_all_connectors + +app = typer.Typer(help="Describe connectors in the marketplace.") + + +@app.command( + name="connector", + help="Describe connectors in an integration or across the entire marketplace using Gemini.", + no_args_is_help=True, +) +def describe( # noqa: PLR0913 + connectors: Annotated[list[str] | None, typer.Argument(help="Connector names")] = None, + integration: Annotated[ + str | None, typer.Option("-i", "--integration", help="Integration name") + ] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help=( + "Describe all integrations in the marketplace, or all connectors if an" + " integration is specified" + ), + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option( + help="The path to the marketplace. If not provided, the configured path will be used." + ), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option( + help=( + "The path to save the descriptions to. If not provided, they will be" + " saved in the marketplace." + ) + ), + ] = None, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Whether to override existing descriptions.", + ), + ] = False, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, +) -> None: + """Describe connectors in a given integration. + + Args: + connectors: The names of the connectors to describe. + integration: The name of the integration to describe connectors for. + all_marketplace: Whether to describe all integrations or all connectors for the integration. + src: The path to the marketplace. + dst: The path to save the descriptions to. + override: Whether to override existing descriptions. + quiet: Log less on runtime. + verbose: Log more on runtime. + + Raises: + typer.Exit: If neither --integration nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + if integration: + target_connector_file_names: set[str] = set(connectors) if connectors else set() + if all_marketplace: + target_connector_file_names = set() + + asyncio.run( + DescribeConnector( + integration, + target_connector_file_names, + src=src, + dst=dst, + override=override, + ).describe(sem=sem) + ) + elif all_marketplace: + asyncio.run(describe_all_connectors(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either --integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/integration/__init__.py b/packages/mp/src/mp/describe/integration/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/integration/describe.py b/packages/mp/src/mp/describe/integration/describe.py new file mode 100644 index 000000000..9c5e9b8c9 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/describe.py @@ -0,0 +1,130 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import contextlib +import logging +from typing import TYPE_CHECKING, Any + +import anyio +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.utils import folded_string_representer +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.integration import IntegrationPromptConstructor + +if TYPE_CHECKING: + import pathlib + + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescribeIntegration(DescribeBase[IntegrationAiMetadata]): + def __init__( + self, + integration: str, + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, {integration}, src=src, dst=dst, override=override) + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.INTEGRATIONS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "integration" + + @property + def response_schema(self) -> type[IntegrationAiMetadata]: + """Get the response schema.""" + return IntegrationAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + """Get all resources (only the integration itself). + + Args: + status: The status of the integration. + + Returns: + set[str]: The set of resource names. + + """ + del status # Unused + # There's only one integration to describe per integration folder. + return {self.integration_name} + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + # resources will be [self.integration_name] + prompts: list[str] = [] + for integration_name in resources: + constructor = IntegrationPromptConstructor( + self.integration, integration_name, status.out_path + ) + prompts.append(await constructor.construct()) + + return prompts + + async def _load_metadata(self) -> dict[str, Any]: + resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name + + metadata: dict[str, Any] = {} + if await metadata_file.exists(): + content: str = await metadata_file.read_text() + with contextlib.suppress(yaml.YAMLError): + # For integrations, the file is NOT keyed by integration name + if raw_metadata := yaml.safe_load(content) or {}: + metadata: dict[str, Any] = {self.integration_name: raw_metadata} + + if self.dst: + dst_file: anyio.Path = anyio.Path(self.dst) / self.metadata_file_name + if await dst_file.exists(): + content: str = await dst_file.read_text() + with contextlib.suppress(yaml.YAMLError): + if dst_raw_metadata := yaml.safe_load(content) or {}: + metadata.update({self.integration_name: dst_raw_metadata}) + + return metadata + + async def _save_metadata(self, metadata: dict[str, Any]) -> None: + if self.dst: + save_dir: anyio.Path = anyio.Path(self.dst) + else: + save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + + metadata_file: anyio.Path = save_dir / self.metadata_file_name + + # For integrations, we don't want to key it by integration name in the file + if not (integration_metadata := metadata.get(self.integration_name)): + if await metadata_file.exists(): + await metadata_file.unlink() + + return + + await save_dir.mkdir(parents=True, exist_ok=True) + yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) + await metadata_file.write_text(yaml.safe_dump(integration_metadata)) diff --git a/packages/mp/src/mp/describe/integration/describe_all.py b/packages/mp/src/mp/describe/integration/describe_all.py new file mode 100644 index 000000000..b36ee68cc --- /dev/null +++ b/packages/mp/src/mp/describe/integration/describe_all.py @@ -0,0 +1,63 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from pathlib import Path + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) +from mp.describe.common.utils.paths import get_integration_path + +from .describe import DescribeIntegration + + +async def describe_all_integrations( + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, +) -> None: + """Describe all integrations in the marketplace or specific ones. + + Args: + src: Optional custom source path. + dst: Optional custom destination path. + override: Whether to rewrite existing descriptions. + integrations: Optional list of integration names to describe. + + """ + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeIntegration: + return DescribeIntegration( + integration=integration_name, + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py new file mode 100644 index 000000000..93d6d64bf --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -0,0 +1,140 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import contextlib +import logging +import tomllib +from string import Template +from typing import TYPE_CHECKING, Any + +import anyio +import yaml + +from mp.core import constants +from mp.describe.common.prompt_constructors.prompt_constructor import PromptConstructor + +if TYPE_CHECKING: + from mp.core.data_models.integrations.integration_meta.metadata import ( + NonBuiltIntegrationMetadata, + ) + +logger: logging.Logger = logging.getLogger(__name__) + + +class IntegrationPromptConstructor(PromptConstructor): + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) + + async def construct(self) -> str: + """Construct the prompt for integrations. + + Returns: + str: The constructed prompt. + + """ + template: Template = await self.get_task_prompt() + return template.safe_substitute({ + "integration_name": self.integration_name, + "integration_description": await self._get_integration_description(), + "actions_ai_descriptions": await self._get_actions_ai_descriptions(), + "connectors_ai_descriptions": await self._get_connectors_ai_descriptions(), + "jobs_ai_descriptions": await self._get_jobs_ai_descriptions(), + }) + + async def _get_integration_description(self) -> str: + # Try to find the description in various metadata files. + # Order: .def file (built), definition.yaml (source), pyproject.toml (source) + + # 1. Check for built integration metadata (.def file) + if desc := await self._get_description_from_def(): + return desc + + # 2. Check for source integration metadata (definition.yaml) + if desc := await self._get_description_from_definition(): + return desc + + # 3. Check for pyproject.toml (standard PEP 621) + if desc := await self._get_description_from_pyproject(): + return desc + + return "N/A" + + async def _get_description_from_def(self) -> str | None: + # Search for any .def file in the root + async for def_file in self.integration.glob("Integration-*.def"): + content: str = await def_file.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + if data and "description" in data: + return data["description"] + + return None + + async def _get_description_from_definition(self) -> str | None: + definition_file: anyio.Path = self.integration / constants.DEFINITION_FILE + if not await definition_file.exists(): + return None + + content: str = await definition_file.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + return data.get("description") + + logger.warning("Failed to parse definition file %s", definition_file) + return None + + async def _get_description_from_pyproject(self) -> str | None: + pyproject_file: anyio.Path = self.integration / constants.PROJECT_FILE + if not await pyproject_file.exists(): + return None + + content: str = await pyproject_file.read_text(encoding="utf-8") + with contextlib.suppress(Exception): + data: dict[str, Any] = tomllib.loads(content) + if project_data := data.get("project"): + return project_data.get("description") + + logger.warning("Failed to parse pyproject file %s", pyproject_file) + return None + + async def _get_actions_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + actions_ai_file: anyio.Path = ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE + if await actions_ai_file.exists(): + return await actions_ai_file.read_text(encoding="utf-8") + return "N/A" + + async def _get_connectors_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + connectors_ai_file: anyio.Path = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE + if await connectors_ai_file.exists(): + return await connectors_ai_file.read_text(encoding="utf-8") + return "N/A" + + async def _get_jobs_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + jobs_ai_file: anyio.Path = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE + if await jobs_ai_file.exists(): + return await jobs_ai_file.read_text(encoding="utf-8") + return "N/A" diff --git a/packages/mp/src/mp/describe/integration/prompts/task.md b/packages/mp/src/mp/describe/integration/prompts/task.md new file mode 100644 index 000000000..f7eb84bb9 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompts/task.md @@ -0,0 +1,48 @@ +**Input Data:** +I have provided the following information for a Google SecOps integration: + +1. `Integration Name`: The name of the integration. +2. `Integration Description`: The original description of the integration. +3. `Actions AI Descriptions`: A collection of AI-generated descriptions for all actions in this integration. +4. `Connectors AI Descriptions`: A collection of AI-generated descriptions for all connectors in this integration. +5. `Jobs AI Descriptions`: A collection of AI-generated descriptions for all jobs in this integration. + +**Integration Product Categories Definitions:** +Review these categories carefully. An integration can belong to multiple categories if its actions/connectors fulfill the criteria. +- **SIEM**: Use when you need to find the activity related to Assets, Users or see if an IOC has been seen globally across your logs in the last 90 days. Expected Outcome: Returns a timeline of activity, lists all internal assets that touched an IOC, and identifies source of the suspicious activity. +- **EDR**: Use when the investigation involves a specific host (workstation/server) and you need to see deep process-level activity. Expected Outcome: Returns the process tree (Parent/Child), retrieves suspicious files for analysis, or contains the host by isolating it from the network. +- **Network Security**: Use when an internal asset is communicating with a known malicious external IP or to verify if a web-based attack was blocked. Expected Outcome: Returns firewall/WAF permit/deny logs and allows the agent to block malicious IPs/URLs at the gateway. +- **Threat Intelligence**: Use as the first step of enrichment for any external indicator (IP, Hash, URL) to determine its reputation. Expected Outcome: Returns risk scores, malware family names, and historical "last seen" data to confirm if an alert is a True Positive. +- **Email Security**: Use when the alert involves a phishing report, a suspicious attachment, or a link delivered via email. Expected Outcome: Returns a list of all affected users who received the same email and allows the agent to manage emails in all inboxes. +- **IAM & Identity Management**: Use when a user account is showing suspicious behavior and you want to manage identity. Expected Outcome: Returns user or identity group/privilege levels and allows the agent to suspend accounts, force password resets, reset service accounts. +- **Cloud Security**: Use for alerts involving cloud-native resources GCP/AWS/Azure. Expected Outcome: Returns resource configuration states, findings and identifies rogue cloud instances or API keys. +- **ITSM**: Use to document the investigation, assign tasks to other teams. Expected Outcome: Creates/updates tickets, assigns tasks to specific departments. +- **Vulnerability Management**: Use to verify if a targeted asset is actually susceptible to the exploit seen in the alert. Expected Outcome: Returns CVE information and a list of missing patches on the target host to determine if the attack had a high probability of success. +- **Asset Inventory**: Use when you want to get more information about an internal asset. Expected Outcome: Returns the asset owner, department, business criticality, and whether the device is managed by IT. +- **Collaboration**: Use when an automated action requires a "Human-in-the-Loop" approval or when the SOC needs to be notified of a critical find. Expected Outcome: Sends interactive alerts to Slack/Teams for manual approval and notifies stakeholders of critical findings. + +**Instructions:** +Analyze the provided information and determine the product categories that best describe the integration's capabilities. +Connectors are especially important for determining if the integration is a SIEM or EDR, as they handle the data ingestion. +**Reasoning First:** You MUST write out your step-by-step reasoning in the `reasoning` field before populating the boolean flags. Discuss why the integration matches or fails to match specific categories based on the definitions provided above. + +**Current Task Input:** + +Integration Name: ${integration_name} +Integration Description: ${integration_description} + +Actions AI Descriptions: +${actions_ai_descriptions} + +Connectors AI Descriptions: +${connectors_ai_descriptions} + +Jobs AI Descriptions: +${jobs_ai_descriptions} + +**Final Instructions:** +Based on the input data, return an IntegrationAiMetadata object containing the product categories. +A category should be marked as true if the integration has capabilities that match its "When to Use" and "Expected Outcome" descriptions. +Many integrations will have multiple categories. +If no categories match, all should be false. +Provide your response in JSON format matching the IntegrationAiMetadata schema. diff --git a/packages/mp/src/mp/describe/integration/typer_app.py b/packages/mp/src/mp/describe/integration/typer_app.py new file mode 100644 index 000000000..f5e8c902d --- /dev/null +++ b/packages/mp/src/mp/describe/integration/typer_app.py @@ -0,0 +1,114 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe_all import describe_all_integrations + +app = typer.Typer(help="Commands for describing integrations") + + +@app.command( + name="integration", + help="Describe integrations using Gemini.", + epilog=( + "Examples:\n\n" + " $ mp describe integration aws_ec2\n\n" + " $ mp describe integration --all\n\n" + " $ mp describe integration --all --src ./custom_folder\n\n" + ), + no_args_is_help=True, +) +def describe( # noqa: PLR0913 + integrations: Annotated[list[str] | None, typer.Argument(help="Integration names")] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help="Describe all integrations in the marketplace", + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize source folder to describe from."), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize destination folder to save the AI descriptions."), + ] = None, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Rewrite integrations that already have their description.", + ), + ] = False, +) -> None: + """Describe integrations. + + Args: + integrations: The names of the integrations. + all_marketplace: Whether to describe all integrations in the marketplace. + src: Customize the source folder to describe from. + dst: Customize destination folder to save the AI descriptions. + quiet: Quiet log options. + verbose: Verbose log options. + override: Whether to rewrite existing descriptions. + + Raises: + typer.Exit: If neither integrations nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + if integrations and not all_marketplace: + asyncio.run( + describe_all_integrations( + src=src, dst=dst, override=override, integrations=integrations + ) + ) + elif all_marketplace: + asyncio.run(describe_all_integrations(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either integrations or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/job/__init__.py b/packages/mp/src/mp/describe/job/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/job/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/job/describe.py b/packages/mp/src/mp/describe/job/describe.py new file mode 100644 index 000000000..d287bef30 --- /dev/null +++ b/packages/mp/src/mp/describe/job/describe.py @@ -0,0 +1,144 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import json +import logging +from typing import TYPE_CHECKING, NamedTuple + +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.job.ai.metadata import JobAiMetadata +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.built import BuiltPromptConstructor +from .prompt_constructors.source import SourcePromptConstructor + +if TYPE_CHECKING: + import pathlib + + import anyio + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescriptionParams(NamedTuple): + integration: anyio.Path + integration_name: str + job_name: str + job_file_name: str + status: IntegrationStatus + + +class DescribeJob(DescribeBase[JobAiMetadata]): + def __init__( + self, + integration: str, + jobs: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, jobs, src=src, dst=dst, override=override) + self._job_name_to_file_stem: dict[str, str] = {} + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.JOBS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "job" + + @property + def response_schema(self) -> type[JobAiMetadata]: + """Get the response schema.""" + return JobAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + jobs: set[str] = set() + if status.is_built: + await self._get_all_built_jobs(status.out_path, jobs) + else: + await self._get_all_non_built_jobs(jobs) + return jobs + + async def _get_all_built_jobs(self, out_path: anyio.Path, jobs: set[str]) -> None: + path: anyio.Path = out_path / constants.OUT_JOBS_META_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.JOBS_META_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = json.loads(content) + name: str = data["Name"] + self._job_name_to_file_stem[name] = file.stem + jobs.add(name) + except (json.JSONDecodeError, KeyError): + logger.warning("Failed to parse built job metadata %s", file.name) + + async def _get_all_non_built_jobs(self, jobs: set[str]) -> None: + path: anyio.Path = self.integration / constants.JOBS_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.YAML_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = yaml.safe_load(content) + name: str = data["name"] + self._job_name_to_file_stem[name] = file.stem + jobs.add(name) + except (yaml.YAMLError, KeyError): + logger.warning("Failed to parse non-built job metadata %s", file.name) + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for job_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + job_name, + self._job_name_to_file_stem.get(job_name, job_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts + + +def _create_prompt_constructor( + params: DescriptionParams, +) -> BuiltPromptConstructor | SourcePromptConstructor: + if params.status.is_built: + return BuiltPromptConstructor( + params.integration, + params.integration_name, + params.job_name, + params.job_file_name, + params.status.out_path, + ) + return SourcePromptConstructor( + params.integration, + params.integration_name, + params.job_name, + params.job_file_name, + params.status.out_path, + ) diff --git a/packages/mp/src/mp/describe/job/describe_all.py b/packages/mp/src/mp/describe/job/describe_all.py new file mode 100644 index 000000000..9080f35dd --- /dev/null +++ b/packages/mp/src/mp/describe/job/describe_all.py @@ -0,0 +1,56 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from pathlib import Path + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) +from mp.describe.common.utils.paths import get_integration_path + +from .describe import DescribeJob + + +async def describe_all_jobs( + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, +) -> None: + """Describe all jobs in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeJob: + return DescribeJob( + integration=integration_name, + jobs=set(), + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/built.py b/packages/mp/src/mp/describe/job/prompt_constructors/built.py new file mode 100644 index 000000000..6008811d2 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/built.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .job import JobPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class BuiltPromptConstructor(JobPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for built jobs. + + Returns: + str: The constructed prompt. + + """ + manager_names, manager_content = await self._get_managers_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.json", + "json_file_content": await self._get_built_job_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_built_job_content(), + "manager_file_names": manager_names or DEFAULT_FILE_CONTENT, + "manager_files_content": manager_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_managers_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + managers_dir: anyio.Path = self.out_path / constants.OUT_MANAGERS_SCRIPTS_DIR + if await managers_dir.exists(): + async for core_file in managers_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_built_job_def_content(self) -> str: + job_def: anyio.Path = ( + self.out_path + / constants.OUT_JOBS_META_DIR + / f"{self.resource_file_name}{constants.JOBS_META_SUFFIX}" + ) + if await job_def.exists(): + return await job_def.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_built_job_content(self) -> str: + job_script: anyio.Path = ( + self.out_path / constants.OUT_JOB_SCRIPTS_DIR / f"{self.resource_file_name}.py" + ) + if await job_script.exists(): + return await job_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/job.py b/packages/mp/src/mp/describe/job/prompt_constructors/job.py new file mode 100644 index 000000000..7c260d12c --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/job.py @@ -0,0 +1,37 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from abc import ABC +from string import Template + +import anyio + +from mp.describe.common.prompt_constructors.resource import ResourcePromptConstructor + + +class JobPromptConstructor(ResourcePromptConstructor, ABC): + __slots__: tuple[str, ...] = () + + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/source.py b/packages/mp/src/mp/describe/job/prompt_constructors/source.py new file mode 100644 index 000000000..4e9cc07f7 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/source.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .job import JobPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class SourcePromptConstructor(JobPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for non-built jobs. + + Returns: + str: The constructed prompt. + + """ + core_names, core_content = await self._get_core_modules_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.yaml", + "json_file_content": await self._get_non_built_job_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_non_built_job_content(), + "manager_file_names": core_names or DEFAULT_FILE_CONTENT, + "manager_files_content": core_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_core_modules_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + core_dir: anyio.Path = self.integration / constants.CORE_SCRIPTS_DIR + if await core_dir.exists(): + async for core_file in core_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_non_built_job_def_content(self) -> str: + job_yaml: anyio.Path = ( + self.integration + / constants.JOBS_DIR + / f"{self.resource_file_name}{constants.YAML_SUFFIX}" + ) + if await job_yaml.exists(): + return await job_yaml.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_non_built_job_content(self) -> str: + job_script: anyio.Path = ( + self.integration / constants.JOBS_DIR / f"{self.resource_file_name}.py" + ) + if await job_script.exists(): + return await job_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/job/prompts/task.md b/packages/mp/src/mp/describe/job/prompts/task.md new file mode 100644 index 000000000..a419723cd --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompts/task.md @@ -0,0 +1,61 @@ +**Input Data:** +I have provided the following files for a Google SecOps job: + +1. `Script Code`: The Python logic. +2. `Script Settings`: The JSON/YAML metadata containing parameters and configuration. + +**Reference Documentation:** + +* **SOAR SDK:** https://github.com/chronicle/soar-sdk/tree/main/src/soar_sdk +* **TIPCommon:** https://github.com/chronicle/content-hub/tree/main/packages/tipcommon/TIPCommon +* **SOAR SDK Docs:** + * https://docs.cloud.google.com/chronicle/docs/soar/reference/siemplify-job-module + +**Instructions:** + +1. **Analyze the Description:** Synthesize the `Script Code` logic and `Script Settings` description to create a detailed AI description. + * *Style:* Active voice. Concise yet informative. + * *Content:* Explain the job's purpose, what it does (e.g., maintenance, enrichment, synchronization), and how it interacts with external services or SOAR data. + * *Sections:* + * **General description**: A high-level overview of the job's purpose. + * **Parameters description**: A markdown table describing the configuration parameters (name, expected type, mandatory status, and description). + * **Flow description**: A numbered or bulleted list describing the job's execution flow. + +2. **Format the Output:** The result must be a JSON object with a single field `ai_description` containing the markdown-formatted description. + +**Example Output:** + +```json +{ + "ai_description": "### General Description\nThis job synchronizes assets from an external CMDB to Google SecOps. It ensures that asset information is kept up to date for investigations.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| CMDB URL | String | Yes | The URL of the CMDB service. |\n| Sync Interval | Integer | No | Minutes between sync runs. |\n\n### Flow Description\n1. Queries the external CMDB for assets modified since the last run.\n2. Compares fetched assets with existing assets in SOAR.\n3. Updates or creates asset records in SOAR accordingly." +} +``` + +**Current Task Input:** + +— START OF FILE ${json_file_name}— + +``` +${json_file_content} +``` + +— END OF FILE ${json_file_name}— + +— START OF FILE ${python_file_name}— + +```python +${python_file_content} +``` + +— END OF FILE ${python_file_name}— + +— START OF FILE ${manager_file_names}— +${manager_files_content} +— END OF FILE ${manager_file_names}— + +**Final Instructions:** +Based strictly on the provided "Current Task Input": + +1. Analyze the code flow and settings. +2. Construct the AI Description. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/job/typer_app.py b/packages/mp/src/mp/describe/job/typer_app.py new file mode 100644 index 000000000..f66624b8a --- /dev/null +++ b/packages/mp/src/mp/describe/job/typer_app.py @@ -0,0 +1,132 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe import DescribeJob +from .describe_all import describe_all_jobs + +app = typer.Typer(help="Describe jobs in the marketplace.") + + +@app.command( + name="job", + help="Describe jobs in an integration or across the entire marketplace using Gemini.", + no_args_is_help=True, +) +def describe( # noqa: PLR0913 + jobs: Annotated[list[str] | None, typer.Argument(help="Job names")] = None, + integration: Annotated[ + str | None, typer.Option("-i", "--integration", help="Integration name") + ] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help=( + "Describe all integrations in the marketplace, or all jobs if an" + " integration is specified" + ), + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option( + help="The path to the marketplace. If not provided, the configured path will be used." + ), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option( + help=( + "The path to save the descriptions to. If not provided, they will be" + " saved in the marketplace." + ) + ), + ] = None, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Whether to override existing descriptions.", + ), + ] = False, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, +) -> None: + """Describe jobs in a given integration. + + Args: + jobs: The names of the jobs to describe. + integration: The name of the integration to describe jobs for. + all_marketplace: Whether to describe all integrations or all jobs for the integration. + src: The path to the marketplace. + dst: The path to save the descriptions to. + override: Whether to override existing descriptions. + quiet: Log less on runtime. + verbose: Log more on runtime. + + Raises: + typer.Exit: If neither --integration nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + if integration: + target_job_file_names: set[str] = set(jobs) if jobs else set() + if all_marketplace: + target_job_file_names = set() + + asyncio.run( + DescribeJob( + integration, + target_job_file_names, + src=src, + dst=dst, + override=override, + ).describe(sem=sem) + ) + elif all_marketplace: + asyncio.run(describe_all_jobs(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either --integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/typer_app.py b/packages/mp/src/mp/describe/typer_app.py index 70e256dda..1f803c80c 100644 --- a/packages/mp/src/mp/describe/typer_app.py +++ b/packages/mp/src/mp/describe/typer_app.py @@ -13,10 +13,95 @@ # limitations under the License. from __future__ import annotations +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich import typer +import mp.core.config + from .action.typer_app import app as action_app +from .all_content import describe_all_content +from .connector.typer_app import app as connector_app +from .integration.typer_app import app as integration_app +from .job.typer_app import app as job_app app: typer.Typer = typer.Typer(help="Commands for creating description for content using Gemini") app.add_typer(action_app) +app.add_typer(connector_app) +app.add_typer(integration_app) +app.add_typer(job_app) + + +@app.command( + name="all-content", + help=( + "Describe all content (actions, connectors, jobs, and the integration) for integrations." + ), + no_args_is_help=True, +) +def all_content( # noqa: PLR0913 + integrations: Annotated[list[str] | None, typer.Argument(help="Integration names")] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help="Describe all content for all integrations in the marketplace", + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize source folder to describe from."), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize destination folder to save the AI descriptions."), + ] = None, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Rewrite content that already have their description.", + ), + ] = False, +) -> None: + """Describe all content in integrations. + + Raises: + typer.Exit: If neither integrations nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + if integrations and not all_marketplace: + asyncio.run( + describe_all_content(src=src, dst=dst, override=override, integrations=integrations) + ) + elif all_marketplace: + asyncio.run(describe_all_content(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either an integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/tests/test_mp/conftest.py b/packages/mp/tests/test_mp/conftest.py index 2ba801d77..31aa2c3cc 100644 --- a/packages/mp/tests/test_mp/conftest.py +++ b/packages/mp/tests/test_mp/conftest.py @@ -31,7 +31,11 @@ @pytest.fixture(autouse=True) -def set_runtime_params() -> None: +def set_runtime_params(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None: + # Use a temporary config file for tests to avoid race conditions and home dir pollution + temp_config: Path = tmp_path / ".mp_config" + monkeypatch.setattr("mp.core.config.CONFIG_PATH", temp_config) + params: RuntimeParams = RuntimeParams(quiet=True, verbose=False) params.set_in_config() diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef index c1d24b4ea..1aa3463a0 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef @@ -1,4 +1,5 @@ { + "AIDescription": "Mock AI description for ping action", "Creator": "admin", "Description": "This action will do something.", "DynamicResultsMetadata": [ @@ -16,12 +17,15 @@ "Description": "A Description.", "IsMandatory": true, "Name": "API Root", + "OptionalValues": null, "Type": 0, "Value": "" } ], + "ActionProductCategories": [ + "Enrich IOC (Indicator of Compromise)" + ], "ScriptResultName": "is_success", "SimulationDataJson": "{\"Entities\": []}", - "Type": 0, "Version": 1.0 } \ No newline at end of file diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def index f118fbc32..472e712be 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def @@ -42,6 +42,10 @@ "IsPowerUp": false, "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..f61de5141 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,61 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + reasoning: Some reason + categories: + enrichment: false + reasoning: Some reason + entity_usage: + entity_types: [ ] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: Some reason + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..8f25619f2 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,2 @@ +connector: + ai_description: Mock AI description for connector diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5a6a3c0de --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,13 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: Some reason + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..32e9f4451 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,2 @@ +job: + ai_description: Mock AI description for job diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json index ae941ccb1..84a99a75d 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json @@ -46,6 +46,10 @@ "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, "NewNotificationExpired": 1721865600000, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef index c1d24b4ea..899597a1e 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef @@ -1,14 +1,18 @@ { + "AIDescription": "Mock AI description for ping action", "Creator": "admin", "Description": "This action will do something.", "DynamicResultsMetadata": [ { - "ResultExample": "{\n \"Example\": \"Json Example\"\n }", + "ResultExample": "{\"Example\": \"Json Example\"}", "ResultName": "JsonResult", "ShowResult": true } ], "IntegrationIdentifier": "MockIntegration", + "IsAsync": false, + "IsCustom": false, + "IsEnabled": true, "Name": "Ping", "Parameters": [ { @@ -16,12 +20,15 @@ "Description": "A Description.", "IsMandatory": true, "Name": "API Root", + "OptionalValues": null, "Type": 0, "Value": "" } ], + "ActionProductCategories": [ + "Enrich IOC (Indicator of Compromise)" + ], "ScriptResultName": "is_success", "SimulationDataJson": "{\"Entities\": []}", - "Type": 0, "Version": 1.0 } \ No newline at end of file diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def index f118fbc32..472e712be 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def @@ -42,6 +42,10 @@ "IsPowerUp": false, "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..f61de5141 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,61 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + reasoning: Some reason + categories: + enrichment: false + reasoning: Some reason + entity_usage: + entity_types: [ ] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: Some reason + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..8f25619f2 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,2 @@ +connector: + ai_description: Mock AI description for connector diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5a6a3c0de --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,13 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: Some reason + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..32e9f4451 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,2 @@ +job: + ai_description: Mock AI description for job diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..f61de5141 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,61 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + reasoning: Some reason + categories: + enrichment: false + reasoning: Some reason + entity_usage: + entity_types: [ ] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + reasoning: Some reason + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..8f25619f2 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,2 @@ +connector: + ai_description: Mock AI description for connector diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..5a6a3c0de --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,13 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + reasoning: Some reason + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..32e9f4451 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,2 @@ +job: + ai_description: Mock AI description for job diff --git a/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py b/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py index 5f4953299..1f8a67b30 100644 --- a/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py +++ b/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py @@ -129,6 +129,20 @@ def wrapper(integration_path: Path) -> None: ) assert actual == expected + # Check action definitions + expected_actions_dir: Path = built_integration / mp.core.constants.OUT_ACTIONS_META_DIR + actual_actions_dir: Path = out_integration / mp.core.constants.OUT_ACTIONS_META_DIR + if expected_actions_dir.exists(): + for expected_action_file in expected_actions_dir.rglob( + f"*{mp.core.constants.ACTIONS_META_SUFFIX}" + ): + actual_action_file = actual_actions_dir / expected_action_file.name + actual_action, expected_action = test_mp.common.get_json_content( + expected=expected_action_file, + actual=actual_action_file, + ) + assert actual_action == expected_action + actual, expected = test_mp.common.get_json_content( expected=( built_integration diff --git a/packages/mp/tests/test_mp/test_core/test_data_models/utils.py b/packages/mp/tests/test_mp/test_core/test_data_models/utils.py index 53d433e0d..eeeb32bd7 100644 --- a/packages/mp/tests/test_mp/test_core/test_data_models/utils.py +++ b/packages/mp/tests/test_mp/test_core/test_data_models/utils.py @@ -110,7 +110,7 @@ def st_valid_non_built_param_type(param_type: type[Enum]) -> SearchStrategy[dict return st.sampled_from(param_type).map(lambda e: e.to_string()) -def st_valid_built_param_type(param_type: type[Enum]) -> SearchStrategy[dict[str, Any]]: +def st_valid_built_param_type(param_type: type[Enum]) -> SearchStrategy[Any | str]: return st.sampled_from(param_type).flatmap(lambda e: st.sampled_from([e.value, str(e.value)])) diff --git a/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py b/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py index 2ac321db1..08fae8ea4 100644 --- a/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py +++ b/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py @@ -135,6 +135,7 @@ def test_get_integration_base_folders_paths(tmp_path: Path) -> None: third_party = tmp_path / mp.core.constants.THIRD_PARTY_REPO_NAME expected_third_party_paths = [ + third_party, tmp_path / mp.core.constants.POWERUPS_DIR_NAME, third_party / mp.core.constants.COMMUNITY_DIR_NAME, third_party / mp.core.constants.PARTNER_DIR_NAME, diff --git a/packages/mp/tests/test_mp/test_describe/__init__.py b/packages/mp/tests/test_mp/test_describe/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/tests/test_mp/test_describe/test_all_content.py b/packages/mp/tests/test_mp/test_describe/test_all_content.py new file mode 100644 index 000000000..1e50ef64a --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/test_all_content.py @@ -0,0 +1,162 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING +from unittest import mock + +import pytest +import yaml + +from mp.core import constants +from mp.describe.all_content import describe_all_content + +if TYPE_CHECKING: + from pathlib import Path + + +@pytest.fixture +def mock_integration_full(tmp_path: Path) -> Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + + # Create actions + actions_dir = integration_path / constants.ACTIONS_DIR + actions_dir.mkdir() + (actions_dir / "test_action.yaml").write_text( + yaml.safe_dump({"name": "Test Action", "description": "A test action"}), + encoding="utf-8", + ) + (actions_dir / "test_action.py").write_text("def action(): pass", encoding="utf-8") + + # Create connectors + connectors_dir = integration_path / constants.CONNECTORS_DIR + connectors_dir.mkdir() + (connectors_dir / "test_connector.yaml").write_text( + yaml.safe_dump({"name": "Test Connector", "description": "A test connector"}), + encoding="utf-8", + ) + (connectors_dir / "test_connector.py").write_text("class Connector: pass", encoding="utf-8") + + # Create jobs + jobs_dir = integration_path / constants.JOBS_DIR + jobs_dir.mkdir() + (jobs_dir / "test_job.yaml").write_text( + yaml.safe_dump({"name": "Test Job", "description": "A test job"}), encoding="utf-8" + ) + (jobs_dir / "test_job.py").write_text("class Job: pass", encoding="utf-8") + + # Create definition.yaml + (integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"description": "Mock integration description"}), encoding="utf-8" + ) + + # Create pyproject.toml + (integration_path / constants.PROJECT_FILE).write_text( + '[project]\nname = "mock_integration"\n', encoding="utf-8" + ) + + return integration_path + + +@pytest.fixture +def mock_integration_another(tmp_path: Path) -> Path: + integration_path = tmp_path / "another_integration" + integration_path.mkdir() + + # Only integration definition + (integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"description": "Another integration"}), encoding="utf-8" + ) + + # Create pyproject.toml + (integration_path / constants.PROJECT_FILE).write_text( + '[project]\nname = "another_integration"\n', encoding="utf-8" + ) + + return integration_path + + +@pytest.mark.anyio +async def test_describe_all_content(mock_integration_full: Path) -> None: + # We need to mock call_gemini_bulk to return appropriate objects for each call. + # DescribeAction, DescribeConnector, DescribeJob, and finally DescribeIntegration. + + action_response = mock.Mock() + action_response.model_dump.return_value = {"ai_description": "Action AI"} + + connector_response = mock.Mock() + connector_response.model_dump.return_value = {"ai_description": "Connector AI"} + + job_response = mock.Mock() + job_response.model_dump.return_value = {"ai_description": "Job AI"} + + integration_response = mock.Mock() + # IntegrationAiMetadata (just some categories) + integration_response.model_dump.return_value = {"endpoint_security": True} + + responses = [ + [action_response], + [connector_response], + [job_response], + [integration_response], + ] + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", side_effect=responses): + await describe_all_content( + integration="mock_integration", + src=mock_integration_full.parent, + ) + + # Check if all files were created + ai_dir = mock_integration_full / constants.RESOURCES_DIR / constants.AI_DIR + assert (ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.JOBS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE).exists() + + # Verify integration AI description + content = yaml.safe_load((ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE).read_text()) + assert content["endpoint_security"] is True + + +@pytest.mark.anyio +async def test_describe_marketplace_all_content( + mock_integration_full: Path, mock_integration_another: Path +) -> None: + # Mock LLM response to avoid API calls + integration_response = mock.Mock() + integration_response.model_dump.return_value = {"endpoint_security": True} + + with mock.patch( + "mp.describe.common.utils.llm.call_gemini_bulk", return_value=[integration_response] + ): + await describe_all_content( + src=mock_integration_full.parent, + ) + + # Verify both were processed + assert ( + mock_integration_full + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ).exists() + assert ( + mock_integration_another + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ).exists() diff --git a/packages/mp/tests/test_mp/test_describe/test_describe_cli.py b/packages/mp/tests/test_mp/test_describe/test_describe_cli.py new file mode 100644 index 000000000..bc58e467b --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/test_describe_cli.py @@ -0,0 +1,125 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING +from unittest import mock + +import pytest +from typer.testing import CliRunner + +from mp.describe.typer_app import app + +if TYPE_CHECKING: + from collections.abc import Generator + +runner = CliRunner() + + +@pytest.fixture +def mock_describe_action() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.action.typer_app.DescribeAction") as mock_class: + mock_class.return_value.describe_actions = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_connector() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.connector.typer_app.DescribeConnector") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_job() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.job.typer_app.DescribeJob") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_integration() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.integration.typer_app.DescribeIntegration") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_all_integrations() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.integration.typer_app.describe_all_integrations") as mock_func: + mock_func.return_value = mock.AsyncMock() + yield mock_func + + +def test_describe_action_cli(mock_describe_action: mock.MagicMock) -> None: + # mp describe action [ACTIONS]... -i INTEGRATION + result = runner.invoke(app, ["action", "ping", "get_logs", "-i", "aws_ec2"]) + assert result.exit_code == 0 + mock_describe_action.assert_called_once() + args, _ = mock_describe_action.call_args + assert args[0] == "aws_ec2" + assert args[1] == {"ping", "get_logs"} + + +def test_describe_connector_cli(mock_describe_connector: mock.MagicMock) -> None: + # mp describe connector [CONNECTORS]... -i INTEGRATION + result = runner.invoke(app, ["connector", "my_conn", "-i", "my_int"]) + assert result.exit_code == 0 + mock_describe_connector.assert_called_once() + args, _ = mock_describe_connector.call_args + assert args[0] == "my_int" + assert args[1] == {"my_conn"} + + +def test_describe_job_cli(mock_describe_job: mock.MagicMock) -> None: + # mp describe job [JOBS]... -i INTEGRATION + result = runner.invoke(app, ["job", "my_job", "-i", "my_int"]) + assert result.exit_code == 0 + mock_describe_job.assert_called_once() + args, _ = mock_describe_job.call_args + assert args[0] == "my_int" + assert args[1] == {"my_job"} + + +def test_describe_integration_cli(mock_describe_all_integrations: mock.MagicMock) -> None: + # mp describe integration [INTEGRATIONS]... + result = runner.invoke(app, ["integration", "int1", "int2"]) + assert result.exit_code == 0 + mock_describe_all_integrations.assert_called_once_with( + src=None, dst=None, override=False, integrations=["int1", "int2"] + ) + + +def test_describe_integration_all_cli(mock_describe_all_integrations: mock.MagicMock) -> None: + # mp describe integration --all + result = runner.invoke(app, ["integration", "--all"]) + assert result.exit_code == 0 + mock_describe_all_integrations.assert_called_once_with(src=None, dst=None, override=False) + + +def test_all_content_cli() -> None: + with mock.patch("mp.describe.typer_app.describe_all_content") as mock_all: + result = runner.invoke(app, ["all-content", "my_int"]) + assert result.exit_code == 0 + mock_all.assert_called_once_with( + src=None, dst=None, override=False, integrations=["my_int"] + ) + + +def test_all_content_all_cli() -> None: + with mock.patch("mp.describe.typer_app.describe_all_content") as mock_all: + result = runner.invoke(app, ["all-content", "--all"]) + assert result.exit_code == 0 + mock_all.assert_called_once_with(src=None, dst=None, override=False) diff --git a/packages/mp/tests/test_mp/test_describe/test_describe_integration.py b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py new file mode 100644 index 000000000..32f3713ec --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py @@ -0,0 +1,91 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import shutil +from typing import TYPE_CHECKING +from unittest.mock import AsyncMock, patch + +import anyio +from typer.testing import CliRunner + +from mp.core import constants +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + IntegrationProductCategories, +) +from mp.describe.integration.typer_app import app + +if TYPE_CHECKING: + from pathlib import Path + +runner = CliRunner() + + +def test_describe_integration_command(tmp_path: Path, non_built_integration: Path) -> None: + integration: Path = ( + shutil.copytree(non_built_integration, tmp_path, dirs_exist_ok=True) + / non_built_integration.name + ) + integration_name = "mock_integration" + + # Create AI_DIR if it doesn't exist to avoid issues, + # though the code should handle it. + + with patch( + "mp.describe.common.utils.llm.call_gemini_bulk", new_callable=AsyncMock + ) as mock_bulk: + mock_bulk.return_value = [ + IntegrationAiMetadata( + product_categories=IntegrationProductCategories( + siem=False, + edr=False, + network_security=True, + threat_intelligence=False, + email_security=False, + iam_and_identity_management=False, + cloud_security=False, + itsm=False, + vulnerability_management=False, + asset_inventory=False, + collaboration=False, + reasoning="Some reason", + ) + ) + ] + + # We need to mock get_integration_path and get_out_path + with ( + patch("mp.describe.common.utils.paths.get_integration_path") as mock_get_path, + patch("mp.describe.common.utils.paths.get_out_path") as mock_get_out_path, + patch("mp.describe.integration.describe_all.get_integration_path", new=mock_get_path), + ): + mock_get_path.return_value = anyio.Path(integration) + mock_get_out_path.return_value = anyio.Path(integration) + + # Run the command + result = runner.invoke(app, [integration_name, "--override"]) + + assert result.exit_code == 0 + mock_bulk.assert_called_once() + + # Check if the file was created + ai_file = ( + integration + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ) + assert ai_file.exists() diff --git a/packages/mp/tests/test_mp/test_describe/test_describe_resources.py b/packages/mp/tests/test_mp/test_describe/test_describe_resources.py new file mode 100644 index 000000000..8317921e1 --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/test_describe_resources.py @@ -0,0 +1,162 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import shutil +from typing import TYPE_CHECKING +from unittest import mock + +import anyio +import pytest +import yaml + +from mp.core import constants +from mp.describe.connector.describe import DescribeConnector +from mp.describe.integration.describe import DescribeIntegration +from mp.describe.job.describe import DescribeJob + +if TYPE_CHECKING: + from pathlib import Path + + +@pytest.fixture +def mock_integration_path(tmp_path: Path) -> Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + + # Create connectors dir + connectors_dir = integration_path / constants.CONNECTORS_DIR + connectors_dir.mkdir() + (connectors_dir / "test_connector.yaml").write_text( + yaml.safe_dump({"name": "Test Connector", "description": "A test connector"}), + encoding="utf-8", + ) + (connectors_dir / "test_connector.py").write_text("class TestConnector: pass", encoding="utf-8") + + # Create jobs dir + jobs_dir = integration_path / constants.JOBS_DIR + jobs_dir.mkdir() + (jobs_dir / "test_job.yaml").write_text( + yaml.safe_dump({"name": "Test Job", "description": "A test job"}), encoding="utf-8" + ) + (jobs_dir / "test_job.py").write_text("class TestJob: pass", encoding="utf-8") + + return integration_path + + +@pytest.mark.anyio +async def test_describe_connector(tmp_path: Path, mock_integration_path: Path) -> None: + describer = DescribeConnector( + integration="mock_integration", + connectors={"Test Connector"}, + src=shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True), + ) + + mock_response = mock.Mock() + mock_response.ai_description = "AI-generated connector description" + mock_response.model_dump.return_value = {"ai_description": "AI-generated connector description"} + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # Verify output file + ai_dir: Path = ( + tmp_path / mock_integration_path.name / constants.RESOURCES_DIR / constants.AI_DIR + ) + output_file = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert "Test Connector" in content + assert content["Test Connector"]["ai_description"] == "AI-generated connector description" + + +@pytest.mark.anyio +async def test_describe_job(tmp_path: Path, mock_integration_path: Path) -> None: + describer = DescribeJob( + integration="mock_integration", + jobs={"Test Job"}, + src=shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True), + ) + + mock_response = mock.Mock() + mock_response.ai_description = "AI-generated job description" + mock_response.model_dump.return_value = {"ai_description": "AI-generated job description"} + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # Verify output file + ai_dir: Path = ( + tmp_path / mock_integration_path.name / constants.RESOURCES_DIR / constants.AI_DIR + ) + output_file = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert "Test Job" in content + assert content["Test Job"]["ai_description"] == "AI-generated job description" + + +@pytest.mark.anyio +async def test_describe_integration(tmp_path: Path, mock_integration_path: Path) -> None: + # 1. Create AI description files for context + ai_dir: Path = ( + shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True) + / mock_integration_path.name + / constants.RESOURCES_DIR + / constants.AI_DIR + ) + await anyio.Path(ai_dir).mkdir(parents=True, exist_ok=True) + + (ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_action": {"description": "Action description"}}), + encoding="utf-8", + ) + (ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_connector": {"description": "Connector description"}}), + encoding="utf-8", + ) + (ai_dir / constants.JOBS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_job": {"description": "Job description"}}), encoding="utf-8" + ) + + # 2. Add description to definition.yaml + (mock_integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"name": "mock_integration", "description": "integration_description"}), + encoding="utf-8", + ) + + describer = DescribeIntegration( + integration="mock_integration", + src=mock_integration_path.parent, + ) + + mock_response = mock.Mock() + mock_response.model_dump.return_value = { + "product_categories": ["SIEM"], + "summary": "Integration summary", + } + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # 3. Verify output file + output_file = ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert content["product_categories"] == ["SIEM"] + assert content["summary"] == "Integration summary" diff --git a/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py b/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py index 30f9f62bb..3e23aa89d 100644 --- a/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py +++ b/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py @@ -30,7 +30,9 @@ from collections.abc import Iterator from pathlib import Path -INTEGRATIONS_CACHE_FOLDER_PATH: Path = get_marketplace_path() / ".integrations_cache" + +def get_integrations_cache_folder_path() -> Path: + return get_marketplace_path() / ".integrations_cache" @pytest.fixture @@ -70,7 +72,7 @@ def sandbox( shutil.move(built_dst / "Integration-mock_integration.def", def_path) version_cache_path: Path = ( - INTEGRATIONS_CACHE_FOLDER_PATH / integration_name / "version_cache.yaml" + get_integrations_cache_folder_path() / integration_name / "version_cache.yaml" ) try: @@ -82,14 +84,14 @@ def sandbox( "TMP_ROOT": tmp_path, } finally: - shutil.rmtree(INTEGRATIONS_CACHE_FOLDER_PATH / integration_name, ignore_errors=True) + shutil.rmtree(get_integrations_cache_folder_path() / integration_name, ignore_errors=True) class TestMinorVersionBump: def test_run_first_time_success(self, sandbox: dict[str, Path]) -> None: minor_version_bump(sandbox["BUILT"], sandbox["NON_BUILT"], sandbox["BUILT"].name) - assert INTEGRATIONS_CACHE_FOLDER_PATH.exists() + assert get_integrations_cache_folder_path().exists() assert sandbox["VERSION_CACHE"].exists() assert _load_cached_version(sandbox["VERSION_CACHE"]) == 2.2 assert _load_built_version(sandbox["DEF_FILE"]) == 2.2 @@ -166,8 +168,14 @@ def test_def_file_missing_raises_error_fail(self, sandbox: dict[str, Path]) -> N def _load_cached_version(version_cache_path: Path) -> float: + if not version_cache_path.exists(): + pytest.fail(f"Version cache file not found: {version_cache_path}") + with version_cache_path.open("r", encoding="utf-8") as f: versions_cache = yaml.safe_load(f) + if not versions_cache or "version" not in versions_cache: + pytest.fail(f"Version key not found in cache: {versions_cache}") + return versions_cache["version"] diff --git a/packages/mp/tests/test_mp/test_path_discovery.py b/packages/mp/tests/test_mp/test_path_discovery.py new file mode 100644 index 000000000..2462d355f --- /dev/null +++ b/packages/mp/tests/test_mp/test_path_discovery.py @@ -0,0 +1,93 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import pathlib +from typing import TYPE_CHECKING + +import pytest + +from mp.describe.common.describe_all import get_all_integrations_paths +from mp.describe.common.utils import paths + +if TYPE_CHECKING: + from _pytest.monkeypatch import MonkeyPatch + + +@pytest.fixture +def mock_integration(tmp_path: pathlib.Path) -> pathlib.Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + (integration_path / "pyproject.toml").write_text("[project]\nname = 'Mock Integration'") + return integration_path + + +def test_get_integration_path_by_direct_path(mock_integration: pathlib.Path) -> None: + # Test that we can find an integration by its direct path + path = paths.get_integration_path(str(mock_integration)) + assert pathlib.Path(str(path)) == mock_integration + + +def test_get_integration_path_by_relative_path( + mock_integration: pathlib.Path, monkeypatch: MonkeyPatch +) -> None: + # Test that we can find an integration by its relative path from CWD + monkeypatch.chdir(mock_integration.parent) + path = paths.get_integration_path("mock_integration") + assert pathlib.Path(str(path)).resolve() == mock_integration.resolve() + + +def test_get_integration_path_custom_repo(tmp_path: pathlib.Path, monkeypatch: MonkeyPatch) -> None: + # Test discovery in custom repo + marketplace = tmp_path / "marketplace" + content = marketplace / "content" / "response_integrations" + custom = content / "custom" + custom.mkdir(parents=True) + + integration = custom / "custom_int" + integration.mkdir() + (integration / "pyproject.toml").write_text("[project]\nname = 'Custom Int'") + + # Configure mp to use this marketplace + monkeypatch.setattr("mp.core.config.get_marketplace_path", lambda: marketplace) + + path = paths.get_integration_path("custom_int") + assert pathlib.Path(str(path)).resolve() == integration.resolve() + + +def test_get_all_integrations_paths_custom_repo( + tmp_path: pathlib.Path, monkeypatch: MonkeyPatch +) -> None: + # Test bulk discovery in custom repo + marketplace = tmp_path / "marketplace" + content = marketplace / "content" / "response_integrations" + custom = content / "custom" + custom.mkdir(parents=True) + + int1 = custom / "int1" + int1.mkdir() + (int1 / "pyproject.toml").write_text("[project]\nname = 'Int 1'") + + int2 = custom / "int2" + int2.mkdir() + (int2 / "pyproject.toml").write_text("[project]\nname = 'Int 2'") + + # Configure mp to use this marketplace + monkeypatch.setattr("mp.core.config.get_marketplace_path", lambda: marketplace) + + all_paths = get_all_integrations_paths() + assert len(all_paths) == 2 + assert int1.resolve() in [p.resolve() for p in all_paths] + assert int2.resolve() in [p.resolve() for p in all_paths] diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index b9e651451..ea706e031 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -68,39 +68,39 @@ wheels = [ [[package]] name = "charset-normalizer" -version = "3.4.6" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/7b/60/e3bec1881450851b087e301bedc3daa9377a4d45f1c26aa90b0b235e38aa/charset_normalizer-3.4.6.tar.gz", hash = "sha256:1ae6b62897110aa7c79ea2f5dd38d1abca6db663687c0b1ad9aed6f6bae3d9d6", size = 143363, upload-time = "2026-03-15T18:53:25.478Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/62/28/ff6f234e628a2de61c458be2779cb182bc03f6eec12200d4a525bbfc9741/charset_normalizer-3.4.6-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:82060f995ab5003a2d6e0f4ad29065b7672b6593c8c63559beefe5b443242c3e", size = 293582, upload-time = "2026-03-15T18:50:25.454Z" }, - { url = "https://files.pythonhosted.org/packages/1c/b7/b1a117e5385cbdb3205f6055403c2a2a220c5ea80b8716c324eaf75c5c95/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:60c74963d8350241a79cb8feea80e54d518f72c26db618862a8f53e5023deaf9", size = 197240, upload-time = "2026-03-15T18:50:27.196Z" }, - { url = "https://files.pythonhosted.org/packages/a1/5f/2574f0f09f3c3bc1b2f992e20bce6546cb1f17e111c5be07308dc5427956/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f6e4333fb15c83f7d1482a76d45a0818897b3d33f00efd215528ff7c51b8e35d", size = 217363, upload-time = "2026-03-15T18:50:28.601Z" }, - { url = "https://files.pythonhosted.org/packages/4a/d1/0ae20ad77bc949ddd39b51bf383b6ca932f2916074c95cad34ae465ab71f/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:bc72863f4d9aba2e8fd9085e63548a324ba706d2ea2c83b260da08a59b9482de", size = 212994, upload-time = "2026-03-15T18:50:30.102Z" }, - { url = "https://files.pythonhosted.org/packages/60/ac/3233d262a310c1b12633536a07cde5ddd16985e6e7e238e9f3f9423d8eb9/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9cc4fc6c196d6a8b76629a70ddfcd4635a6898756e2d9cac5565cf0654605d73", size = 204697, upload-time = "2026-03-15T18:50:31.654Z" }, - { url = "https://files.pythonhosted.org/packages/25/3c/8a18fc411f085b82303cfb7154eed5bd49c77035eb7608d049468b53f87c/charset_normalizer-3.4.6-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:0c173ce3a681f309f31b87125fecec7a5d1347261ea11ebbb856fa6006b23c8c", size = 191673, upload-time = "2026-03-15T18:50:33.433Z" }, - { url = "https://files.pythonhosted.org/packages/ff/a7/11cfe61d6c5c5c7438d6ba40919d0306ed83c9ab957f3d4da2277ff67836/charset_normalizer-3.4.6-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c907cdc8109f6c619e6254212e794d6548373cc40e1ec75e6e3823d9135d29cc", size = 201120, upload-time = "2026-03-15T18:50:35.105Z" }, - { url = "https://files.pythonhosted.org/packages/b5/10/cf491fa1abd47c02f69687046b896c950b92b6cd7337a27e6548adbec8e4/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:404a1e552cf5b675a87f0651f8b79f5f1e6fd100ee88dc612f89aa16abd4486f", size = 200911, upload-time = "2026-03-15T18:50:36.819Z" }, - { url = "https://files.pythonhosted.org/packages/28/70/039796160b48b18ed466fde0af84c1b090c4e288fae26cd674ad04a2d703/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:e3c701e954abf6fc03a49f7c579cc80c2c6cc52525340ca3186c41d3f33482ef", size = 192516, upload-time = "2026-03-15T18:50:38.228Z" }, - { url = "https://files.pythonhosted.org/packages/ff/34/c56f3223393d6ff3124b9e78f7de738047c2d6bc40a4f16ac0c9d7a1cb3c/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:7a6967aaf043bceabab5412ed6bd6bd26603dae84d5cb75bf8d9a74a4959d398", size = 218795, upload-time = "2026-03-15T18:50:39.664Z" }, - { url = "https://files.pythonhosted.org/packages/e8/3b/ce2d4f86c5282191a041fdc5a4ce18f1c6bd40a5bd1f74cf8625f08d51c1/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:5feb91325bbceade6afab43eb3b508c63ee53579fe896c77137ded51c6b6958e", size = 201833, upload-time = "2026-03-15T18:50:41.552Z" }, - { url = "https://files.pythonhosted.org/packages/3b/9b/b6a9f76b0fd7c5b5ec58b228ff7e85095370282150f0bd50b3126f5506d6/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:f820f24b09e3e779fe84c3c456cb4108a7aa639b0d1f02c28046e11bfcd088ed", size = 213920, upload-time = "2026-03-15T18:50:43.33Z" }, - { url = "https://files.pythonhosted.org/packages/ae/98/7bc23513a33d8172365ed30ee3a3b3fe1ece14a395e5fc94129541fc6003/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b35b200d6a71b9839a46b9b7fff66b6638bb52fc9658aa58796b0326595d3021", size = 206951, upload-time = "2026-03-15T18:50:44.789Z" }, - { url = "https://files.pythonhosted.org/packages/32/73/c0b86f3d1458468e11aec870e6b3feac931facbe105a894b552b0e518e79/charset_normalizer-3.4.6-cp311-cp311-win32.whl", hash = "sha256:9ca4c0b502ab399ef89248a2c84c54954f77a070f28e546a85e91da627d1301e", size = 143703, upload-time = "2026-03-15T18:50:46.103Z" }, - { url = "https://files.pythonhosted.org/packages/c6/e3/76f2facfe8eddee0bbd38d2594e709033338eae44ebf1738bcefe0a06185/charset_normalizer-3.4.6-cp311-cp311-win_amd64.whl", hash = "sha256:a9e68c9d88823b274cf1e72f28cb5dc89c990edf430b0bfd3e2fb0785bfeabf4", size = 153857, upload-time = "2026-03-15T18:50:47.563Z" }, - { url = "https://files.pythonhosted.org/packages/e2/dc/9abe19c9b27e6cd3636036b9d1b387b78c40dedbf0b47f9366737684b4b0/charset_normalizer-3.4.6-cp311-cp311-win_arm64.whl", hash = "sha256:97d0235baafca5f2b09cf332cc275f021e694e8362c6bb9c96fc9a0eb74fc316", size = 142751, upload-time = "2026-03-15T18:50:49.234Z" }, - { url = "https://files.pythonhosted.org/packages/2a/68/687187c7e26cb24ccbd88e5069f5ef00eba804d36dde11d99aad0838ab45/charset_normalizer-3.4.6-py3-none-any.whl", hash = "sha256:947cf925bc916d90adba35a64c82aace04fa39b46b52d4630ece166655905a69", size = 61455, upload-time = "2026-03-15T18:53:23.833Z" }, +version = "3.4.7" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e7/a1/67fe25fac3c7642725500a3f6cfe5821ad557c3abb11c9d20d12c7008d3e/charset_normalizer-3.4.7.tar.gz", hash = "sha256:ae89db9e5f98a11a4bf50407d4363e7b09b31e55bc117b4f7d80aab97ba009e5", size = 144271, upload-time = "2026-04-02T09:28:39.342Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c2/d7/b5b7020a0565c2e9fa8c09f4b5fa6232feb326b8c20081ccded47ea368fd/charset_normalizer-3.4.7-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:7641bb8895e77f921102f72833904dcd9901df5d6d72a2ab8f31d04b7e51e4e7", size = 309705, upload-time = "2026-04-02T09:26:02.191Z" }, + { url = "https://files.pythonhosted.org/packages/5a/53/58c29116c340e5456724ecd2fff4196d236b98f3da97b404bc5e51ac3493/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:202389074300232baeb53ae2569a60901f7efadd4245cf3a3bf0617d60b439d7", size = 206419, upload-time = "2026-04-02T09:26:03.583Z" }, + { url = "https://files.pythonhosted.org/packages/b2/02/e8146dc6591a37a00e5144c63f29fb7c97a734ea8a111190783c0e60ab63/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:30b8d1d8c52a48c2c5690e152c169b673487a2a58de1ec7393196753063fcd5e", size = 227901, upload-time = "2026-04-02T09:26:04.738Z" }, + { url = "https://files.pythonhosted.org/packages/fb/73/77486c4cd58f1267bf17db420e930c9afa1b3be3fe8c8b8ebbebc9624359/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:532bc9bf33a68613fd7d65e4b1c71a6a38d7d42604ecf239c77392e9b4e8998c", size = 222742, upload-time = "2026-04-02T09:26:06.36Z" }, + { url = "https://files.pythonhosted.org/packages/a1/fa/f74eb381a7d94ded44739e9d94de18dc5edc9c17fb8c11f0a6890696c0a9/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2fe249cb4651fd12605b7288b24751d8bfd46d35f12a20b1ba33dea122e690df", size = 214061, upload-time = "2026-04-02T09:26:08.347Z" }, + { url = "https://files.pythonhosted.org/packages/dc/92/42bd3cefcf7687253fb86694b45f37b733c97f59af3724f356fa92b8c344/charset_normalizer-3.4.7-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:65bcd23054beab4d166035cabbc868a09c1a49d1efe458fe8e4361215df40265", size = 199239, upload-time = "2026-04-02T09:26:09.823Z" }, + { url = "https://files.pythonhosted.org/packages/4c/3d/069e7184e2aa3b3cddc700e3dd267413dc259854adc3380421c805c6a17d/charset_normalizer-3.4.7-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:08e721811161356f97b4059a9ba7bafb23ea5ee2255402c42881c214e173c6b4", size = 210173, upload-time = "2026-04-02T09:26:10.953Z" }, + { url = "https://files.pythonhosted.org/packages/62/51/9d56feb5f2e7074c46f93e0ebdbe61f0848ee246e2f0d89f8e20b89ebb8f/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:e060d01aec0a910bdccb8be71faf34e7799ce36950f8294c8bf612cba65a2c9e", size = 209841, upload-time = "2026-04-02T09:26:12.142Z" }, + { url = "https://files.pythonhosted.org/packages/d2/59/893d8f99cc4c837dda1fe2f1139079703deb9f321aabcb032355de13b6c7/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:38c0109396c4cfc574d502df99742a45c72c08eff0a36158b6f04000043dbf38", size = 200304, upload-time = "2026-04-02T09:26:13.711Z" }, + { url = "https://files.pythonhosted.org/packages/7d/1d/ee6f3be3464247578d1ed5c46de545ccc3d3ff933695395c402c21fa6b77/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:1c2a768fdd44ee4a9339a9b0b130049139b8ce3c01d2ce09f67f5a68048d477c", size = 229455, upload-time = "2026-04-02T09:26:14.941Z" }, + { url = "https://files.pythonhosted.org/packages/54/bb/8fb0a946296ea96a488928bdce8ef99023998c48e4713af533e9bb98ef07/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:1a87ca9d5df6fe460483d9a5bbf2b18f620cbed41b432e2bddb686228282d10b", size = 210036, upload-time = "2026-04-02T09:26:16.478Z" }, + { url = "https://files.pythonhosted.org/packages/9a/bc/015b2387f913749f82afd4fcba07846d05b6d784dd16123cb66860e0237d/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:d635aab80466bc95771bb78d5370e74d36d1fe31467b6b29b8b57b2a3cd7d22c", size = 224739, upload-time = "2026-04-02T09:26:17.751Z" }, + { url = "https://files.pythonhosted.org/packages/17/ab/63133691f56baae417493cba6b7c641571a2130eb7bceba6773367ab9ec5/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ae196f021b5e7c78e918242d217db021ed2a6ace2bc6ae94c0fc596221c7f58d", size = 216277, upload-time = "2026-04-02T09:26:18.981Z" }, + { url = "https://files.pythonhosted.org/packages/06/6d/3be70e827977f20db77c12a97e6a9f973631a45b8d186c084527e53e77a4/charset_normalizer-3.4.7-cp311-cp311-win32.whl", hash = "sha256:adb2597b428735679446b46c8badf467b4ca5f5056aae4d51a19f9570301b1ad", size = 147819, upload-time = "2026-04-02T09:26:20.295Z" }, + { url = "https://files.pythonhosted.org/packages/20/d9/5f67790f06b735d7c7637171bbfd89882ad67201891b7275e51116ed8207/charset_normalizer-3.4.7-cp311-cp311-win_amd64.whl", hash = "sha256:8e385e4267ab76874ae30db04c627faaaf0b509e1ccc11a95b3fc3e83f855c00", size = 159281, upload-time = "2026-04-02T09:26:21.74Z" }, + { url = "https://files.pythonhosted.org/packages/ca/83/6413f36c5a34afead88ce6f66684d943d91f233d76dd083798f9602b75ae/charset_normalizer-3.4.7-cp311-cp311-win_arm64.whl", hash = "sha256:d4a48e5b3c2a489fae013b7589308a40146ee081f6f509e047e0e096084ceca1", size = 147843, upload-time = "2026-04-02T09:26:22.901Z" }, + { url = "https://files.pythonhosted.org/packages/db/8f/61959034484a4a7c527811f4721e75d02d653a35afb0b6054474d8185d4c/charset_normalizer-3.4.7-py3-none-any.whl", hash = "sha256:3dce51d0f5e7951f8bb4900c257dad282f49190fdbebecd4ba99bcc41fef404d", size = 61958, upload-time = "2026-04-02T09:28:37.794Z" }, ] [[package]] name = "click" -version = "8.3.1" +version = "8.3.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "colorama", marker = "sys_platform == 'win32'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/3d/fa/656b739db8587d7b5dfa22e22ed02566950fbfbcdc20311993483657a5c0/click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a", size = 295065, upload-time = "2025-11-15T20:45:42.706Z" } +sdist = { url = "https://files.pythonhosted.org/packages/57/75/31212c6bf2503fdf920d87fee5d7a86a2e3bcf444984126f13d8e4016804/click-8.3.2.tar.gz", hash = "sha256:14162b8b3b3550a7d479eafa77dfd3c38d9dc8951f6f69c78913a8f9a7540fd5", size = 302856, upload-time = "2026-04-03T19:14:45.118Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" }, + { url = "https://files.pythonhosted.org/packages/e4/20/71885d8b97d4f3dde17b1fdb92dbd4908b00541c5a3379787137285f602e/click-8.3.2-py3-none-any.whl", hash = "sha256:1924d2c27c5653561cd2cae4548d1406039cb79b858b747cfea24924bbc1616d", size = 108379, upload-time = "2026-04-03T19:14:43.505Z" }, ] [[package]] @@ -143,47 +143,47 @@ toml = [ [[package]] name = "cryptography" -version = "46.0.6" +version = "46.0.7" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cffi", marker = "platform_python_implementation != 'PyPy'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/a4/ba/04b1bd4218cbc58dc90ce967106d51582371b898690f3ae0402876cc4f34/cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759", size = 750542, upload-time = "2026-03-25T23:34:53.396Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/47/23/9285e15e3bc57325b0a72e592921983a701efc1ee8f91c06c5f0235d86d9/cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8", size = 7176401, upload-time = "2026-03-25T23:33:22.096Z" }, - { url = "https://files.pythonhosted.org/packages/60/f8/e61f8f13950ab6195b31913b42d39f0f9afc7d93f76710f299b5ec286ae6/cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30", size = 4275275, upload-time = "2026-03-25T23:33:23.844Z" }, - { url = "https://files.pythonhosted.org/packages/19/69/732a736d12c2631e140be2348b4ad3d226302df63ef64d30dfdb8db7ad1c/cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a", size = 4425320, upload-time = "2026-03-25T23:33:25.703Z" }, - { url = "https://files.pythonhosted.org/packages/d4/12/123be7292674abf76b21ac1fc0e1af50661f0e5b8f0ec8285faac18eb99e/cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175", size = 4278082, upload-time = "2026-03-25T23:33:27.423Z" }, - { url = "https://files.pythonhosted.org/packages/5b/ba/d5e27f8d68c24951b0a484924a84c7cdaed7502bac9f18601cd357f8b1d2/cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463", size = 4926514, upload-time = "2026-03-25T23:33:29.206Z" }, - { url = "https://files.pythonhosted.org/packages/34/71/1ea5a7352ae516d5512d17babe7e1b87d9db5150b21f794b1377eac1edc0/cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97", size = 4457766, upload-time = "2026-03-25T23:33:30.834Z" }, - { url = "https://files.pythonhosted.org/packages/01/59/562be1e653accee4fdad92c7a2e88fced26b3fdfce144047519bbebc299e/cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c", size = 3986535, upload-time = "2026-03-25T23:33:33.02Z" }, - { url = "https://files.pythonhosted.org/packages/d6/8b/b1ebfeb788bf4624d36e45ed2662b8bd43a05ff62157093c1539c1288a18/cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507", size = 4277618, upload-time = "2026-03-25T23:33:34.567Z" }, - { url = "https://files.pythonhosted.org/packages/dd/52/a005f8eabdb28df57c20f84c44d397a755782d6ff6d455f05baa2785bd91/cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19", size = 4890802, upload-time = "2026-03-25T23:33:37.034Z" }, - { url = "https://files.pythonhosted.org/packages/ec/4d/8e7d7245c79c617d08724e2efa397737715ca0ec830ecb3c91e547302555/cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738", size = 4457425, upload-time = "2026-03-25T23:33:38.904Z" }, - { url = "https://files.pythonhosted.org/packages/1d/5c/f6c3596a1430cec6f949085f0e1a970638d76f81c3ea56d93d564d04c340/cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c", size = 4405530, upload-time = "2026-03-25T23:33:40.842Z" }, - { url = "https://files.pythonhosted.org/packages/7e/c9/9f9cea13ee2dbde070424e0c4f621c091a91ffcc504ffea5e74f0e1daeff/cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f", size = 4667896, upload-time = "2026-03-25T23:33:42.781Z" }, - { url = "https://files.pythonhosted.org/packages/ad/b5/1895bc0821226f129bc74d00eccfc6a5969e2028f8617c09790bf89c185e/cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2", size = 3026348, upload-time = "2026-03-25T23:33:45.021Z" }, - { url = "https://files.pythonhosted.org/packages/c3/f8/c9bcbf0d3e6ad288b9d9aa0b1dee04b063d19e8c4f871855a03ab3a297ab/cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124", size = 3483896, upload-time = "2026-03-25T23:33:46.649Z" }, - { url = "https://files.pythonhosted.org/packages/c4/cc/f330e982852403da79008552de9906804568ae9230da8432f7496ce02b71/cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a", size = 7162776, upload-time = "2026-03-25T23:34:13.308Z" }, - { url = "https://files.pythonhosted.org/packages/49/b3/dc27efd8dcc4bff583b3f01d4a3943cd8b5821777a58b3a6a5f054d61b79/cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8", size = 4270529, upload-time = "2026-03-25T23:34:15.019Z" }, - { url = "https://files.pythonhosted.org/packages/e6/05/e8d0e6eb4f0d83365b3cb0e00eb3c484f7348db0266652ccd84632a3d58d/cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77", size = 4414827, upload-time = "2026-03-25T23:34:16.604Z" }, - { url = "https://files.pythonhosted.org/packages/2f/97/daba0f5d2dc6d855e2dcb70733c812558a7977a55dd4a6722756628c44d1/cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290", size = 4271265, upload-time = "2026-03-25T23:34:18.586Z" }, - { url = "https://files.pythonhosted.org/packages/89/06/fe1fce39a37ac452e58d04b43b0855261dac320a2ebf8f5260dd55b201a9/cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410", size = 4916800, upload-time = "2026-03-25T23:34:20.561Z" }, - { url = "https://files.pythonhosted.org/packages/ff/8a/b14f3101fe9c3592603339eb5d94046c3ce5f7fc76d6512a2d40efd9724e/cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d", size = 4448771, upload-time = "2026-03-25T23:34:22.406Z" }, - { url = "https://files.pythonhosted.org/packages/01/b3/0796998056a66d1973fd52ee89dc1bb3b6581960a91ad4ac705f182d398f/cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70", size = 3978333, upload-time = "2026-03-25T23:34:24.281Z" }, - { url = "https://files.pythonhosted.org/packages/c5/3d/db200af5a4ffd08918cd55c08399dc6c9c50b0bc72c00a3246e099d3a849/cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d", size = 4271069, upload-time = "2026-03-25T23:34:25.895Z" }, - { url = "https://files.pythonhosted.org/packages/d7/18/61acfd5b414309d74ee838be321c636fe71815436f53c9f0334bf19064fa/cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa", size = 4878358, upload-time = "2026-03-25T23:34:27.67Z" }, - { url = "https://files.pythonhosted.org/packages/8b/65/5bf43286d566f8171917cae23ac6add941654ccf085d739195a4eacf1674/cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58", size = 4448061, upload-time = "2026-03-25T23:34:29.375Z" }, - { url = "https://files.pythonhosted.org/packages/e0/25/7e49c0fa7205cf3597e525d156a6bce5b5c9de1fd7e8cb01120e459f205a/cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb", size = 4399103, upload-time = "2026-03-25T23:34:32.036Z" }, - { url = "https://files.pythonhosted.org/packages/44/46/466269e833f1c4718d6cd496ffe20c56c9c8d013486ff66b4f69c302a68d/cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72", size = 4659255, upload-time = "2026-03-25T23:34:33.679Z" }, - { url = "https://files.pythonhosted.org/packages/0a/09/ddc5f630cc32287d2c953fc5d32705e63ec73e37308e5120955316f53827/cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c", size = 3010660, upload-time = "2026-03-25T23:34:35.418Z" }, - { url = "https://files.pythonhosted.org/packages/1b/82/ca4893968aeb2709aacfb57a30dec6fa2ab25b10fa9f064b8882ce33f599/cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f", size = 3471160, upload-time = "2026-03-25T23:34:37.191Z" }, - { url = "https://files.pythonhosted.org/packages/2e/84/7ccff00ced5bac74b775ce0beb7d1be4e8637536b522b5df9b73ada42da2/cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead", size = 3475444, upload-time = "2026-03-25T23:34:38.944Z" }, - { url = "https://files.pythonhosted.org/packages/bc/1f/4c926f50df7749f000f20eede0c896769509895e2648db5da0ed55db711d/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8", size = 4218227, upload-time = "2026-03-25T23:34:40.871Z" }, - { url = "https://files.pythonhosted.org/packages/c6/65/707be3ffbd5f786028665c3223e86e11c4cda86023adbc56bd72b1b6bab5/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0", size = 4381399, upload-time = "2026-03-25T23:34:42.609Z" }, - { url = "https://files.pythonhosted.org/packages/f3/6d/73557ed0ef7d73d04d9aba745d2c8e95218213687ee5e76b7d236a5030fc/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b", size = 4217595, upload-time = "2026-03-25T23:34:44.205Z" }, - { url = "https://files.pythonhosted.org/packages/9e/c5/e1594c4eec66a567c3ac4400008108a415808be2ce13dcb9a9045c92f1a0/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a", size = 4380912, upload-time = "2026-03-25T23:34:46.328Z" }, - { url = "https://files.pythonhosted.org/packages/1a/89/843b53614b47f97fe1abc13f9a86efa5ec9e275292c457af1d4a60dc80e0/cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e", size = 3409955, upload-time = "2026-03-25T23:34:48.465Z" }, +sdist = { url = "https://files.pythonhosted.org/packages/47/93/ac8f3d5ff04d54bc814e961a43ae5b0b146154c89c61b47bb07557679b18/cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5", size = 750652, upload-time = "2026-04-08T01:57:54.692Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/0b/5d/4a8f770695d73be252331e60e526291e3df0c9b27556a90a6b47bccca4c2/cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4", size = 7179869, upload-time = "2026-04-08T01:56:17.157Z" }, + { url = "https://files.pythonhosted.org/packages/5f/45/6d80dc379b0bbc1f9d1e429f42e4cb9e1d319c7a8201beffd967c516ea01/cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325", size = 4275492, upload-time = "2026-04-08T01:56:19.36Z" }, + { url = "https://files.pythonhosted.org/packages/4a/9a/1765afe9f572e239c3469f2cb429f3ba7b31878c893b246b4b2994ffe2fe/cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308", size = 4426670, upload-time = "2026-04-08T01:56:21.415Z" }, + { url = "https://files.pythonhosted.org/packages/8f/3e/af9246aaf23cd4ee060699adab1e47ced3f5f7e7a8ffdd339f817b446462/cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77", size = 4280275, upload-time = "2026-04-08T01:56:23.539Z" }, + { url = "https://files.pythonhosted.org/packages/0f/54/6bbbfc5efe86f9d71041827b793c24811a017c6ac0fd12883e4caa86b8ed/cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1", size = 4928402, upload-time = "2026-04-08T01:56:25.624Z" }, + { url = "https://files.pythonhosted.org/packages/2d/cf/054b9d8220f81509939599c8bdbc0c408dbd2bdd41688616a20731371fe0/cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef", size = 4459985, upload-time = "2026-04-08T01:56:27.309Z" }, + { url = "https://files.pythonhosted.org/packages/f9/46/4e4e9c6040fb01c7467d47217d2f882daddeb8828f7df800cb806d8a2288/cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de", size = 3990652, upload-time = "2026-04-08T01:56:29.095Z" }, + { url = "https://files.pythonhosted.org/packages/36/5f/313586c3be5a2fbe87e4c9a254207b860155a8e1f3cca99f9910008e7d08/cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83", size = 4279805, upload-time = "2026-04-08T01:56:30.928Z" }, + { url = "https://files.pythonhosted.org/packages/69/33/60dfc4595f334a2082749673386a4d05e4f0cf4df8248e63b2c3437585f2/cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb", size = 4892883, upload-time = "2026-04-08T01:56:32.614Z" }, + { url = "https://files.pythonhosted.org/packages/c7/0b/333ddab4270c4f5b972f980adef4faa66951a4aaf646ca067af597f15563/cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b", size = 4459756, upload-time = "2026-04-08T01:56:34.306Z" }, + { url = "https://files.pythonhosted.org/packages/d2/14/633913398b43b75f1234834170947957c6b623d1701ffc7a9600da907e89/cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85", size = 4410244, upload-time = "2026-04-08T01:56:35.977Z" }, + { url = "https://files.pythonhosted.org/packages/10/f2/19ceb3b3dc14009373432af0c13f46aa08e3ce334ec6eff13492e1812ccd/cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e", size = 4674868, upload-time = "2026-04-08T01:56:38.034Z" }, + { url = "https://files.pythonhosted.org/packages/1a/bb/a5c213c19ee94b15dfccc48f363738633a493812687f5567addbcbba9f6f/cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457", size = 3026504, upload-time = "2026-04-08T01:56:39.666Z" }, + { url = "https://files.pythonhosted.org/packages/2b/02/7788f9fefa1d060ca68717c3901ae7fffa21ee087a90b7f23c7a603c32ae/cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b", size = 3488363, upload-time = "2026-04-08T01:56:41.893Z" }, + { url = "https://files.pythonhosted.org/packages/a7/7f/cd42fc3614386bc0c12f0cb3c4ae1fc2bbca5c9662dfed031514911d513d/cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4", size = 7165618, upload-time = "2026-04-08T01:57:10.645Z" }, + { url = "https://files.pythonhosted.org/packages/a5/d0/36a49f0262d2319139d2829f773f1b97ef8aef7f97e6e5bd21455e5a8fb5/cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7", size = 4270628, upload-time = "2026-04-08T01:57:12.885Z" }, + { url = "https://files.pythonhosted.org/packages/8a/6c/1a42450f464dda6ffbe578a911f773e54dd48c10f9895a23a7e88b3e7db5/cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832", size = 4415405, upload-time = "2026-04-08T01:57:14.923Z" }, + { url = "https://files.pythonhosted.org/packages/9a/92/4ed714dbe93a066dc1f4b4581a464d2d7dbec9046f7c8b7016f5286329e2/cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163", size = 4272715, upload-time = "2026-04-08T01:57:16.638Z" }, + { url = "https://files.pythonhosted.org/packages/b7/e6/a26b84096eddd51494bba19111f8fffe976f6a09f132706f8f1bf03f51f7/cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2", size = 4918400, upload-time = "2026-04-08T01:57:19.021Z" }, + { url = "https://files.pythonhosted.org/packages/c7/08/ffd537b605568a148543ac3c2b239708ae0bd635064bab41359252ef88ed/cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067", size = 4450634, upload-time = "2026-04-08T01:57:21.185Z" }, + { url = "https://files.pythonhosted.org/packages/16/01/0cd51dd86ab5b9befe0d031e276510491976c3a80e9f6e31810cce46c4ad/cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0", size = 3985233, upload-time = "2026-04-08T01:57:22.862Z" }, + { url = "https://files.pythonhosted.org/packages/92/49/819d6ed3a7d9349c2939f81b500a738cb733ab62fbecdbc1e38e83d45e12/cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba", size = 4271955, upload-time = "2026-04-08T01:57:24.814Z" }, + { url = "https://files.pythonhosted.org/packages/80/07/ad9b3c56ebb95ed2473d46df0847357e01583f4c52a85754d1a55e29e4d0/cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006", size = 4879888, upload-time = "2026-04-08T01:57:26.88Z" }, + { url = "https://files.pythonhosted.org/packages/b8/c7/201d3d58f30c4c2bdbe9b03844c291feb77c20511cc3586daf7edc12a47b/cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0", size = 4449961, upload-time = "2026-04-08T01:57:29.068Z" }, + { url = "https://files.pythonhosted.org/packages/a5/ef/649750cbf96f3033c3c976e112265c33906f8e462291a33d77f90356548c/cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85", size = 4401696, upload-time = "2026-04-08T01:57:31.029Z" }, + { url = "https://files.pythonhosted.org/packages/41/52/a8908dcb1a389a459a29008c29966c1d552588d4ae6d43f3a1a4512e0ebe/cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e", size = 4664256, upload-time = "2026-04-08T01:57:33.144Z" }, + { url = "https://files.pythonhosted.org/packages/4b/fa/f0ab06238e899cc3fb332623f337a7364f36f4bb3f2534c2bb95a35b132c/cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246", size = 3013001, upload-time = "2026-04-08T01:57:34.933Z" }, + { url = "https://files.pythonhosted.org/packages/d2/f1/00ce3bde3ca542d1acd8f8cfa38e446840945aa6363f9b74746394b14127/cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3", size = 3472985, upload-time = "2026-04-08T01:57:36.714Z" }, + { url = "https://files.pythonhosted.org/packages/63/0c/dca8abb64e7ca4f6b2978769f6fea5ad06686a190cec381f0a796fdcaaba/cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f", size = 3476879, upload-time = "2026-04-08T01:57:38.664Z" }, + { url = "https://files.pythonhosted.org/packages/3a/ea/075aac6a84b7c271578d81a2f9968acb6e273002408729f2ddff517fed4a/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15", size = 4219700, upload-time = "2026-04-08T01:57:40.625Z" }, + { url = "https://files.pythonhosted.org/packages/6c/7b/1c55db7242b5e5612b29fc7a630e91ee7a6e3c8e7bf5406d22e206875fbd/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455", size = 4385982, upload-time = "2026-04-08T01:57:42.725Z" }, + { url = "https://files.pythonhosted.org/packages/cb/da/9870eec4b69c63ef5925bf7d8342b7e13bc2ee3d47791461c4e49ca212f4/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65", size = 4219115, upload-time = "2026-04-08T01:57:44.939Z" }, + { url = "https://files.pythonhosted.org/packages/f4/72/05aa5832b82dd341969e9a734d1812a6aadb088d9eb6f0430fc337cc5a8f/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968", size = 4385479, upload-time = "2026-04-08T01:57:46.86Z" }, + { url = "https://files.pythonhosted.org/packages/20/2a/1b016902351a523aa2bd446b50a5bc1175d7a7d1cf90fe2ef904f9b84ebc/cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4", size = 3412829, upload-time = "2026-04-08T01:57:48.874Z" }, ] [[package]] @@ -227,15 +227,15 @@ wheels = [ [[package]] name = "google-auth" -version = "2.49.1" +version = "2.49.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cryptography" }, { name = "pyasn1-modules" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/ea/80/6a696a07d3d3b0a92488933532f03dbefa4a24ab80fb231395b9a2a1be77/google_auth-2.49.1.tar.gz", hash = "sha256:16d40da1c3c5a0533f57d268fe72e0ebb0ae1cc3b567024122651c045d879b64", size = 333825, upload-time = "2026-03-12T19:30:58.135Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c6/fc/e925290a1ad95c975c459e2df070fac2b90954e13a0370ac505dff78cb99/google_auth-2.49.2.tar.gz", hash = "sha256:c1ae38500e73065dcae57355adb6278cf8b5c8e391994ae9cbadbcb9631ab409", size = 333958, upload-time = "2026-04-10T00:41:21.888Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/e9/eb/c6c2478d8a8d633460be40e2a8a6f8f429171997a35a96f81d3b680dec83/google_auth-2.49.1-py3-none-any.whl", hash = "sha256:195ebe3dca18eddd1b3db5edc5189b76c13e96f29e73043b923ebcf3f1a860f7", size = 240737, upload-time = "2026-03-12T19:30:53.159Z" }, + { url = "https://files.pythonhosted.org/packages/73/76/d241a5c927433420507215df6cac1b1fa4ac0ba7a794df42a84326c68da8/google_auth-2.49.2-py3-none-any.whl", hash = "sha256:c2720924dfc82dedb962c9f52cabb2ab16714fd0a6a707e40561d217574ed6d5", size = 240638, upload-time = "2026-04-10T00:41:14.501Z" }, ] [package.optional-dependencies] @@ -245,7 +245,7 @@ requests = [ [[package]] name = "google-genai" -version = "1.69.0" +version = "1.73.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -259,9 +259,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/00/5e/c0a5e6ff60d18d3f19819a9b1fbd6a1ef2162d025696d8660550739168dc/google_genai-1.69.0.tar.gz", hash = "sha256:5f1a6a478e0c5851506a3d337534bab27b3c33120e27bf9174507ea79dfb8673", size = 519538, upload-time = "2026-03-28T15:33:27.308Z" } +sdist = { url = "https://files.pythonhosted.org/packages/99/5f/b293b1a78a547b0dd061642a3f6087f0a52c1b723eafa58f94ccdc3e0d2a/google_genai-1.73.0.tar.gz", hash = "sha256:569395b2c225e12bcd8758b8affe1af480e0a1b1c71d652d38c705677057e05f", size = 530812, upload-time = "2026-04-13T20:40:02.642Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/42/58/ef0586019f54b2ebb36deed7608ccb5efe1377564d2aaea6b1e295d1fadc/google_genai-1.69.0-py3-none-any.whl", hash = "sha256:252e714d724aba74949647b9de511a6a6f7804b3b317ab39ddee9cc2f001cacc", size = 760551, upload-time = "2026-03-28T15:33:24.957Z" }, + { url = "https://files.pythonhosted.org/packages/5a/73/fb36ced456688c9b95a8ab49a1f408f5b3e69a589788f3eb25016002dd7a/google_genai-1.73.0-py3-none-any.whl", hash = "sha256:dfb0214b834bf977e3841de512cfb651d2fe76309f85064b80c2bc11da99d76b", size = 786072, upload-time = "2026-04-13T20:40:00.365Z" }, ] [[package]] @@ -303,14 +303,14 @@ wheels = [ [[package]] name = "hypothesis" -version = "6.151.10" +version = "6.151.14" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "sortedcontainers" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/f5/dd/633e2cd62377333b7681628aee2ec1d88166f5bdf916b08c98b1e8288ad3/hypothesis-6.151.10.tar.gz", hash = "sha256:6c9565af8b4aa3a080b508f66ce9c2a77dd613c7e9073e27fc7e4ef9f45f8a27", size = 463762, upload-time = "2026-03-29T01:06:22.19Z" } +sdist = { url = "https://files.pythonhosted.org/packages/83/77/3227982784ff12a74fc5b28823f3487f457640e6cc653afe16d090891334/hypothesis-6.151.14.tar.gz", hash = "sha256:14fffdfdb50e816cf114f9946aebbf533d7e0920c07ddc1531889f0a22ffaa20", size = 464375, upload-time = "2026-04-13T21:50:11.188Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/40/da/439bb2e451979f5e88c13bbebc3e9e17754429cfb528c93677b2bd81783b/hypothesis-6.151.10-py3-none-any.whl", hash = "sha256:b0d7728f0c8c2be009f89fcdd6066f70c5439aa0f94adbb06e98261d05f49b05", size = 529493, upload-time = "2026-03-29T01:06:19.161Z" }, + { url = "https://files.pythonhosted.org/packages/b7/60/1d19db13777148efb57c27a8ceea48afb80cba9ce6da85b57ccbe0e8f44f/hypothesis-6.151.14-py3-none-any.whl", hash = "sha256:0c27a1e1092752d8c424b7f1caeb6ecfbed9af87914f510b59c1be69945e85a5", size = 530046, upload-time = "2026-04-13T21:50:08.282Z" }, ] [[package]] @@ -404,7 +404,7 @@ wheels = [ [[package]] name = "mp" -version = "1.28.22" +version = "1.29.0" source = { editable = "." } dependencies = [ { name = "anyio" }, @@ -444,7 +444,7 @@ requires-dist = [ { name = "anyio", specifier = ">=4.12.1" }, { name = "deepdiff", specifier = ">=8.6.1" }, { name = "defusedxml", specifier = ">=0.7.1" }, - { name = "google-genai", specifier = ">=1.59.0" }, + { name = "google-genai", specifier = ">=1.73.0" }, { name = "jinja2", specifier = ">=3.1.6" }, { name = "libcst", specifier = ">=1.8.2" }, { name = "packaging", specifier = ">=26.0" }, @@ -456,21 +456,21 @@ requires-dist = [ { name = "requests", specifier = ">=2.32.4" }, { name = "rich", specifier = ">=14.0.0" }, { name = "ruamel-yaml", specifier = "==0.17.40" }, - { name = "ruff", specifier = ">=0.15.0" }, + { name = "ruff", specifier = ">=0.15.9" }, { name = "tenacity", specifier = ">=9.1.2" }, { name = "toml", specifier = ">=0.10.2" }, { name = "toon-format", git = "https://github.com/toon-format/toon-python.git" }, - { name = "ty", specifier = ">=0.0.15" }, + { name = "ty", specifier = ">=0.0.29" }, { name = "typer", specifier = ">=0.16.0" }, { name = "uv", specifier = ">=0.7.13" }, ] [package.metadata.requires-dev] dev = [ - { name = "hypothesis", specifier = ">=6.147.0" }, - { name = "pytest", specifier = ">=8.4.0" }, - { name = "pytest-cov", specifier = ">=6.2.1" }, - { name = "pytest-xdist", specifier = ">=3.7.0" }, + { name = "hypothesis", specifier = ">=6.151.12" }, + { name = "pytest", specifier = ">=9.0.3" }, + { name = "pytest-cov", specifier = ">=7.1.0" }, + { name = "pytest-xdist", specifier = ">=3.8.0" }, ] [[package]] @@ -493,28 +493,28 @@ wheels = [ [[package]] name = "pillow" -version = "12.1.1" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/1f/42/5c74462b4fd957fcd7b13b04fb3205ff8349236ea74c7c375766d6c82288/pillow-12.1.1.tar.gz", hash = "sha256:9ad8fa5937ab05218e2b6a4cff30295ad35afd2f83ac592e68c0d871bb0fdbc4", size = 46980264, upload-time = "2026-02-11T04:23:07.146Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/2b/46/5da1ec4a5171ee7bf1a0efa064aba70ba3d6e0788ce3f5acd1375d23c8c0/pillow-12.1.1-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:e879bb6cd5c73848ef3b2b48b8af9ff08c5b71ecda8048b7dd22d8a33f60be32", size = 5304084, upload-time = "2026-02-11T04:20:27.501Z" }, - { url = "https://files.pythonhosted.org/packages/78/93/a29e9bc02d1cf557a834da780ceccd54e02421627200696fcf805ebdc3fb/pillow-12.1.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:365b10bb9417dd4498c0e3b128018c4a624dc11c7b97d8cc54effe3b096f4c38", size = 4657866, upload-time = "2026-02-11T04:20:29.827Z" }, - { url = "https://files.pythonhosted.org/packages/13/84/583a4558d492a179d31e4aae32eadce94b9acf49c0337c4ce0b70e0a01f2/pillow-12.1.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d4ce8e329c93845720cd2014659ca67eac35f6433fd3050393d85f3ecef0dad5", size = 6232148, upload-time = "2026-02-11T04:20:31.329Z" }, - { url = "https://files.pythonhosted.org/packages/d5/e2/53c43334bbbb2d3b938978532fbda8e62bb6e0b23a26ce8592f36bcc4987/pillow-12.1.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fc354a04072b765eccf2204f588a7a532c9511e8b9c7f900e1b64e3e33487090", size = 8038007, upload-time = "2026-02-11T04:20:34.225Z" }, - { url = "https://files.pythonhosted.org/packages/b8/a6/3d0e79c8a9d58150dd98e199d7c1c56861027f3829a3a60b3c2784190180/pillow-12.1.1-cp311-cp311-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7e7976bf1910a8116b523b9f9f58bf410f3e8aa330cd9a2bb2953f9266ab49af", size = 6345418, upload-time = "2026-02-11T04:20:35.858Z" }, - { url = "https://files.pythonhosted.org/packages/a2/c8/46dfeac5825e600579157eea177be43e2f7ff4a99da9d0d0a49533509ac5/pillow-12.1.1-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:597bd9c8419bc7c6af5604e55847789b69123bbe25d65cc6ad3012b4f3c98d8b", size = 7034590, upload-time = "2026-02-11T04:20:37.91Z" }, - { url = "https://files.pythonhosted.org/packages/af/bf/e6f65d3db8a8bbfeaf9e13cc0417813f6319863a73de934f14b2229ada18/pillow-12.1.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:2c1fc0f2ca5f96a3c8407e41cca26a16e46b21060fe6d5b099d2cb01412222f5", size = 6458655, upload-time = "2026-02-11T04:20:39.496Z" }, - { url = "https://files.pythonhosted.org/packages/f9/c2/66091f3f34a25894ca129362e510b956ef26f8fb67a0e6417bc5744e56f1/pillow-12.1.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:578510d88c6229d735855e1f278aa305270438d36a05031dfaae5067cc8eb04d", size = 7159286, upload-time = "2026-02-11T04:20:41.139Z" }, - { url = "https://files.pythonhosted.org/packages/7b/5a/24bc8eb526a22f957d0cec6243146744966d40857e3d8deb68f7902ca6c1/pillow-12.1.1-cp311-cp311-win32.whl", hash = "sha256:7311c0a0dcadb89b36b7025dfd8326ecfa36964e29913074d47382706e516a7c", size = 6328663, upload-time = "2026-02-11T04:20:43.184Z" }, - { url = "https://files.pythonhosted.org/packages/31/03/bef822e4f2d8f9d7448c133d0a18185d3cce3e70472774fffefe8b0ed562/pillow-12.1.1-cp311-cp311-win_amd64.whl", hash = "sha256:fbfa2a7c10cc2623f412753cddf391c7f971c52ca40a3f65dc5039b2939e8563", size = 7031448, upload-time = "2026-02-11T04:20:44.696Z" }, - { url = "https://files.pythonhosted.org/packages/49/70/f76296f53610bd17b2e7d31728b8b7825e3ac3b5b3688b51f52eab7c0818/pillow-12.1.1-cp311-cp311-win_arm64.whl", hash = "sha256:b81b5e3511211631b3f672a595e3221252c90af017e399056d0faabb9538aa80", size = 2453651, upload-time = "2026-02-11T04:20:46.243Z" }, - { url = "https://files.pythonhosted.org/packages/56/11/5d43209aa4cb58e0cc80127956ff1796a68b928e6324bbf06ef4db34367b/pillow-12.1.1-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:600fd103672b925fe62ed08e0d874ea34d692474df6f4bf7ebe148b30f89f39f", size = 5228606, upload-time = "2026-02-11T04:22:52.106Z" }, - { url = "https://files.pythonhosted.org/packages/5f/d5/3b005b4e4fda6698b371fa6c21b097d4707585d7db99e98d9b0b87ac612a/pillow-12.1.1-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:665e1b916b043cef294bc54d47bf02d87e13f769bc4bc5fa225a24b3a6c5aca9", size = 4622321, upload-time = "2026-02-11T04:22:53.827Z" }, - { url = "https://files.pythonhosted.org/packages/df/36/ed3ea2d594356fd8037e5a01f6156c74bc8d92dbb0fa60746cc96cabb6e8/pillow-12.1.1-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:495c302af3aad1ca67420ddd5c7bd480c8867ad173528767d906428057a11f0e", size = 5247579, upload-time = "2026-02-11T04:22:56.094Z" }, - { url = "https://files.pythonhosted.org/packages/54/9a/9cc3e029683cf6d20ae5085da0dafc63148e3252c2f13328e553aaa13cfb/pillow-12.1.1-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:8fd420ef0c52c88b5a035a0886f367748c72147b2b8f384c9d12656678dfdfa9", size = 6989094, upload-time = "2026-02-11T04:22:58.288Z" }, - { url = "https://files.pythonhosted.org/packages/00/98/fc53ab36da80b88df0967896b6c4b4cd948a0dc5aa40a754266aa3ae48b3/pillow-12.1.1-pp311-pypy311_pp73-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f975aa7ef9684ce7e2c18a3aa8f8e2106ce1e46b94ab713d156b2898811651d3", size = 5313850, upload-time = "2026-02-11T04:23:00.554Z" }, - { url = "https://files.pythonhosted.org/packages/30/02/00fa585abfd9fe9d73e5f6e554dc36cc2b842898cbfc46d70353dae227f8/pillow-12.1.1-pp311-pypy311_pp73-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8089c852a56c2966cf18835db62d9b34fef7ba74c726ad943928d494fa7f4735", size = 5963343, upload-time = "2026-02-11T04:23:02.934Z" }, - { url = "https://files.pythonhosted.org/packages/f2/26/c56ce33ca856e358d27fda9676c055395abddb82c35ac0f593877ed4562e/pillow-12.1.1-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:cb9bb857b2d057c6dfc72ac5f3b44836924ba15721882ef103cecb40d002d80e", size = 7029880, upload-time = "2026-02-11T04:23:04.783Z" }, +version = "12.2.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/8c/21/c2bcdd5906101a30244eaffc1b6e6ce71a31bd0742a01eb89e660ebfac2d/pillow-12.2.0.tar.gz", hash = "sha256:a830b1a40919539d07806aa58e1b114df53ddd43213d9c8b75847eee6c0182b5", size = 46987819, upload-time = "2026-04-01T14:46:17.687Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/68/e1/748f5663efe6edcfc4e74b2b93edfb9b8b99b67f21a854c3ae416500a2d9/pillow-12.2.0-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:8be29e59487a79f173507c30ddf57e733a357f67881430449bb32614075a40ab", size = 5354347, upload-time = "2026-04-01T14:42:44.255Z" }, + { url = "https://files.pythonhosted.org/packages/47/a1/d5ff69e747374c33a3b53b9f98cca7889fce1fd03d79cdc4e1bccc6c5a87/pillow-12.2.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:71cde9a1e1551df7d34a25462fc60325e8a11a82cc2e2f54578e5e9a1e153d65", size = 4695873, upload-time = "2026-04-01T14:42:46.452Z" }, + { url = "https://files.pythonhosted.org/packages/df/21/e3fbdf54408a973c7f7f89a23b2cb97a7ef30c61ab4142af31eee6aebc88/pillow-12.2.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f490f9368b6fc026f021db16d7ec2fbf7d89e2edb42e8ec09d2c60505f5729c7", size = 6280168, upload-time = "2026-04-01T14:42:49.228Z" }, + { url = "https://files.pythonhosted.org/packages/d3/f1/00b7278c7dd52b17ad4329153748f87b6756ec195ff786c2bdf12518337d/pillow-12.2.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:8bd7903a5f2a4545f6fd5935c90058b89d30045568985a71c79f5fd6edf9b91e", size = 8088188, upload-time = "2026-04-01T14:42:51.735Z" }, + { url = "https://files.pythonhosted.org/packages/ad/cf/220a5994ef1b10e70e85748b75649d77d506499352be135a4989c957b701/pillow-12.2.0-cp311-cp311-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3997232e10d2920a68d25191392e3a4487d8183039e1c74c2297f00ed1c50705", size = 6394401, upload-time = "2026-04-01T14:42:54.343Z" }, + { url = "https://files.pythonhosted.org/packages/e9/bd/e51a61b1054f09437acfbc2ff9106c30d1eb76bc1453d428399946781253/pillow-12.2.0-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:e74473c875d78b8e9d5da2a70f7099549f9eb37ded4e2f6a463e60125bccd176", size = 7079655, upload-time = "2026-04-01T14:42:56.954Z" }, + { url = "https://files.pythonhosted.org/packages/6b/3d/45132c57d5fb4b5744567c3817026480ac7fc3ce5d4c47902bc0e7f6f853/pillow-12.2.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:56a3f9c60a13133a98ecff6197af34d7824de9b7b38c3654861a725c970c197b", size = 6503105, upload-time = "2026-04-01T14:42:59.847Z" }, + { url = "https://files.pythonhosted.org/packages/7d/2e/9df2fc1e82097b1df3dce58dc43286aa01068e918c07574711fcc53e6fb4/pillow-12.2.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:90e6f81de50ad6b534cab6e5aef77ff6e37722b2f5d908686f4a5c9eba17a909", size = 7203402, upload-time = "2026-04-01T14:43:02.664Z" }, + { url = "https://files.pythonhosted.org/packages/bd/2e/2941e42858ebb67e50ae741473de81c2984e6eff7b397017623c676e2e8d/pillow-12.2.0-cp311-cp311-win32.whl", hash = "sha256:8c984051042858021a54926eb597d6ee3012393ce9c181814115df4c60b9a808", size = 6378149, upload-time = "2026-04-01T14:43:05.274Z" }, + { url = "https://files.pythonhosted.org/packages/69/42/836b6f3cd7f3e5fa10a1f1a5420447c17966044c8fbf589cc0452d5502db/pillow-12.2.0-cp311-cp311-win_amd64.whl", hash = "sha256:6e6b2a0c538fc200b38ff9eb6628228b77908c319a005815f2dde585a0664b60", size = 7082626, upload-time = "2026-04-01T14:43:08.557Z" }, + { url = "https://files.pythonhosted.org/packages/c2/88/549194b5d6f1f494b485e493edc6693c0a16f4ada488e5bd974ed1f42fad/pillow-12.2.0-cp311-cp311-win_arm64.whl", hash = "sha256:9a8a34cc89c67a65ea7437ce257cea81a9dad65b29805f3ecee8c8fe8ff25ffe", size = 2463531, upload-time = "2026-04-01T14:43:10.743Z" }, + { url = "https://files.pythonhosted.org/packages/4e/b7/2437044fb910f499610356d1352e3423753c98e34f915252aafecc64889f/pillow-12.2.0-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:0538bd5e05efec03ae613fd89c4ce0368ecd2ba239cc25b9f9be7ed426b0af1f", size = 5273969, upload-time = "2026-04-01T14:45:55.538Z" }, + { url = "https://files.pythonhosted.org/packages/f6/f4/8316e31de11b780f4ac08ef3654a75555e624a98db1056ecb2122d008d5a/pillow-12.2.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:394167b21da716608eac917c60aa9b969421b5dcbbe02ae7f013e7b85811c69d", size = 4659674, upload-time = "2026-04-01T14:45:58.093Z" }, + { url = "https://files.pythonhosted.org/packages/d4/37/664fca7201f8bb2aa1d20e2c3d5564a62e6ae5111741966c8319ca802361/pillow-12.2.0-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5d04bfa02cc2d23b497d1e90a0f927070043f6cbf303e738300532379a4b4e0f", size = 5288479, upload-time = "2026-04-01T14:46:01.141Z" }, + { url = "https://files.pythonhosted.org/packages/49/62/5b0ed78fce87346be7a5cfcfaaad91f6a1f98c26f86bdbafa2066c647ef6/pillow-12.2.0-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:0c838a5125cee37e68edec915651521191cef1e6aa336b855f495766e77a366e", size = 7032230, upload-time = "2026-04-01T14:46:03.874Z" }, + { url = "https://files.pythonhosted.org/packages/c3/28/ec0fc38107fc32536908034e990c47914c57cd7c5a3ece4d8d8f7ffd7e27/pillow-12.2.0-pp311-pypy311_pp73-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4a6c9fa44005fa37a91ebfc95d081e8079757d2e904b27103f4f5fa6f0bf78c0", size = 5355404, upload-time = "2026-04-01T14:46:06.33Z" }, + { url = "https://files.pythonhosted.org/packages/5e/8b/51b0eddcfa2180d60e41f06bd6d0a62202b20b59c68f5a132e615b75aecf/pillow-12.2.0-pp311-pypy311_pp73-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:25373b66e0dd5905ed63fa3cae13c82fbddf3079f2c8bf15c6fb6a35586324c1", size = 6002215, upload-time = "2026-04-01T14:46:08.83Z" }, + { url = "https://files.pythonhosted.org/packages/bc/60/5382c03e1970de634027cee8e1b7d39776b778b81812aaf45b694dfe9e28/pillow-12.2.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:bfa9c230d2fe991bed5318a5f119bd6780cda2915cca595393649fc118ab895e", size = 7080946, upload-time = "2026-04-01T14:46:11.734Z" }, ] [[package]] @@ -528,11 +528,11 @@ wheels = [ [[package]] name = "platformdirs" -version = "4.9.4" +version = "4.9.6" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/19/56/8d4c30c8a1d07013911a8fdbd8f89440ef9f08d07a1b50ab8ca8be5a20f9/platformdirs-4.9.4.tar.gz", hash = "sha256:1ec356301b7dc906d83f371c8f487070e99d3ccf9e501686456394622a01a934", size = 28737, upload-time = "2026-03-05T18:34:13.271Z" } +sdist = { url = "https://files.pythonhosted.org/packages/9f/4a/0883b8e3802965322523f0b200ecf33d31f10991d0401162f4b23c698b42/platformdirs-4.9.6.tar.gz", hash = "sha256:3bfa75b0ad0db84096ae777218481852c0ebc6c727b3168c1b9e0118e458cf0a", size = 29400, upload-time = "2026-04-09T00:04:10.812Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/platformdirs-4.9.4-py3-none-any.whl", hash = "sha256:68a9a4619a666ea6439f2ff250c12a853cd1cbd5158d258bd824a7df6be2f868", size = 21216, upload-time = "2026-03-05T18:34:12.172Z" }, + { url = "https://files.pythonhosted.org/packages/75/a6/a0a304dc33b49145b21f4808d763822111e67d1c3a32b524a1baf947b6e1/platformdirs-4.9.6-py3-none-any.whl", hash = "sha256:e61adb1d5e5cb3441b4b7710bea7e4c12250ca49439228cc1021c00dcfac0917", size = 21348, upload-time = "2026-04-09T00:04:09.463Z" }, ] [[package]] @@ -576,7 +576,7 @@ wheels = [ [[package]] name = "pydantic" -version = "2.12.5" +version = "2.13.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "annotated-types" }, @@ -584,46 +584,47 @@ dependencies = [ { name = "typing-extensions" }, { name = "typing-inspection" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/69/44/36f1a6e523abc58ae5f928898e4aca2e0ea509b5aa6f6f392a5d882be928/pydantic-2.12.5.tar.gz", hash = "sha256:4d351024c75c0f085a9febbb665ce8c0c6ec5d30e903bdb6394b7ede26aebb49", size = 821591, upload-time = "2025-11-26T15:11:46.471Z" } +sdist = { url = "https://files.pythonhosted.org/packages/84/6b/69fd5c7194b21ebde0f8637e2a4ddc766ada29d472bfa6a5ca533d79549a/pydantic-2.13.0.tar.gz", hash = "sha256:b89b575b6e670ebf6e7448c01b41b244f471edd276cd0b6fe02e7e7aca320070", size = 843468, upload-time = "2026-04-13T10:51:35.571Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/5a/87/b70ad306ebb6f9b585f114d0ac2137d792b48be34d732d60e597c2f8465a/pydantic-2.12.5-py3-none-any.whl", hash = "sha256:e561593fccf61e8a20fc46dfc2dfe075b8be7d0188df33f221ad1f0139180f9d", size = 463580, upload-time = "2025-11-26T15:11:44.605Z" }, + { url = "https://files.pythonhosted.org/packages/01/d7/c3a52c61f5b7be648e919005820fbac33028c6149994cd64453f49951c17/pydantic-2.13.0-py3-none-any.whl", hash = "sha256:ab0078b90da5f3e2fd2e71e3d9b457ddcb35d0350854fbda93b451e28d56baaf", size = 471872, upload-time = "2026-04-13T10:51:33.343Z" }, ] [[package]] name = "pydantic-core" -version = "2.41.5" +version = "2.46.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "typing-extensions" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/71/70/23b021c950c2addd24ec408e9ab05d59b035b39d97cdc1130e1bce647bb6/pydantic_core-2.41.5.tar.gz", hash = "sha256:08daa51ea16ad373ffd5e7606252cc32f07bc72b28284b6bc9c6df804816476e", size = 460952, upload-time = "2025-11-04T13:43:49.098Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/e8/72/74a989dd9f2084b3d9530b0915fdda64ac48831c30dbf7c72a41a5232db8/pydantic_core-2.41.5-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a3a52f6156e73e7ccb0f8cced536adccb7042be67cb45f9562e12b319c119da6", size = 2105873, upload-time = "2025-11-04T13:39:31.373Z" }, - { url = "https://files.pythonhosted.org/packages/12/44/37e403fd9455708b3b942949e1d7febc02167662bf1a7da5b78ee1ea2842/pydantic_core-2.41.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:7f3bf998340c6d4b0c9a2f02d6a400e51f123b59565d74dc60d252ce888c260b", size = 1899826, upload-time = "2025-11-04T13:39:32.897Z" }, - { url = "https://files.pythonhosted.org/packages/33/7f/1d5cab3ccf44c1935a359d51a8a2a9e1a654b744b5e7f80d41b88d501eec/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:378bec5c66998815d224c9ca994f1e14c0c21cb95d2f52b6021cc0b2a58f2a5a", size = 1917869, upload-time = "2025-11-04T13:39:34.469Z" }, - { url = "https://files.pythonhosted.org/packages/6e/6a/30d94a9674a7fe4f4744052ed6c5e083424510be1e93da5bc47569d11810/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e7b576130c69225432866fe2f4a469a85a54ade141d96fd396dffcf607b558f8", size = 2063890, upload-time = "2025-11-04T13:39:36.053Z" }, - { url = "https://files.pythonhosted.org/packages/50/be/76e5d46203fcb2750e542f32e6c371ffa9b8ad17364cf94bb0818dbfb50c/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6cb58b9c66f7e4179a2d5e0f849c48eff5c1fca560994d6eb6543abf955a149e", size = 2229740, upload-time = "2025-11-04T13:39:37.753Z" }, - { url = "https://files.pythonhosted.org/packages/d3/ee/fed784df0144793489f87db310a6bbf8118d7b630ed07aa180d6067e653a/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:88942d3a3dff3afc8288c21e565e476fc278902ae4d6d134f1eeda118cc830b1", size = 2350021, upload-time = "2025-11-04T13:39:40.94Z" }, - { url = "https://files.pythonhosted.org/packages/c8/be/8fed28dd0a180dca19e72c233cbf58efa36df055e5b9d90d64fd1740b828/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f31d95a179f8d64d90f6831d71fa93290893a33148d890ba15de25642c5d075b", size = 2066378, upload-time = "2025-11-04T13:39:42.523Z" }, - { url = "https://files.pythonhosted.org/packages/b0/3b/698cf8ae1d536a010e05121b4958b1257f0b5522085e335360e53a6b1c8b/pydantic_core-2.41.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c1df3d34aced70add6f867a8cf413e299177e0c22660cc767218373d0779487b", size = 2175761, upload-time = "2025-11-04T13:39:44.553Z" }, - { url = "https://files.pythonhosted.org/packages/b8/ba/15d537423939553116dea94ce02f9c31be0fa9d0b806d427e0308ec17145/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:4009935984bd36bd2c774e13f9a09563ce8de4abaa7226f5108262fa3e637284", size = 2146303, upload-time = "2025-11-04T13:39:46.238Z" }, - { url = "https://files.pythonhosted.org/packages/58/7f/0de669bf37d206723795f9c90c82966726a2ab06c336deba4735b55af431/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:34a64bc3441dc1213096a20fe27e8e128bd3ff89921706e83c0b1ac971276594", size = 2340355, upload-time = "2025-11-04T13:39:48.002Z" }, - { url = "https://files.pythonhosted.org/packages/e5/de/e7482c435b83d7e3c3ee5ee4451f6e8973cff0eb6007d2872ce6383f6398/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c9e19dd6e28fdcaa5a1de679aec4141f691023916427ef9bae8584f9c2fb3b0e", size = 2319875, upload-time = "2025-11-04T13:39:49.705Z" }, - { url = "https://files.pythonhosted.org/packages/fe/e6/8c9e81bb6dd7560e33b9053351c29f30c8194b72f2d6932888581f503482/pydantic_core-2.41.5-cp311-cp311-win32.whl", hash = "sha256:2c010c6ded393148374c0f6f0bf89d206bf3217f201faa0635dcd56bd1520f6b", size = 1987549, upload-time = "2025-11-04T13:39:51.842Z" }, - { url = "https://files.pythonhosted.org/packages/11/66/f14d1d978ea94d1bc21fc98fcf570f9542fe55bfcc40269d4e1a21c19bf7/pydantic_core-2.41.5-cp311-cp311-win_amd64.whl", hash = "sha256:76ee27c6e9c7f16f47db7a94157112a2f3a00e958bc626e2f4ee8bec5c328fbe", size = 2011305, upload-time = "2025-11-04T13:39:53.485Z" }, - { url = "https://files.pythonhosted.org/packages/56/d8/0e271434e8efd03186c5386671328154ee349ff0354d83c74f5caaf096ed/pydantic_core-2.41.5-cp311-cp311-win_arm64.whl", hash = "sha256:4bc36bbc0b7584de96561184ad7f012478987882ebf9f9c389b23f432ea3d90f", size = 1972902, upload-time = "2025-11-04T13:39:56.488Z" }, - { url = "https://files.pythonhosted.org/packages/11/72/90fda5ee3b97e51c494938a4a44c3a35a9c96c19bba12372fb9c634d6f57/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:b96d5f26b05d03cc60f11a7761a5ded1741da411e7fe0909e27a5e6a0cb7b034", size = 2115441, upload-time = "2025-11-04T13:42:39.557Z" }, - { url = "https://files.pythonhosted.org/packages/1f/53/8942f884fa33f50794f119012dc6a1a02ac43a56407adaac20463df8e98f/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:634e8609e89ceecea15e2d61bc9ac3718caaaa71963717bf3c8f38bfde64242c", size = 1930291, upload-time = "2025-11-04T13:42:42.169Z" }, - { url = "https://files.pythonhosted.org/packages/79/c8/ecb9ed9cd942bce09fc888ee960b52654fbdbede4ba6c2d6e0d3b1d8b49c/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:93e8740d7503eb008aa2df04d3b9735f845d43ae845e6dcd2be0b55a2da43cd2", size = 1948632, upload-time = "2025-11-04T13:42:44.564Z" }, - { url = "https://files.pythonhosted.org/packages/2e/1b/687711069de7efa6af934e74f601e2a4307365e8fdc404703afc453eab26/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f15489ba13d61f670dcc96772e733aad1a6f9c429cc27574c6cdaed82d0146ad", size = 2138905, upload-time = "2025-11-04T13:42:47.156Z" }, - { url = "https://files.pythonhosted.org/packages/5f/9b/1b3f0e9f9305839d7e84912f9e8bfbd191ed1b1ef48083609f0dabde978c/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:b2379fa7ed44ddecb5bfe4e48577d752db9fc10be00a6b7446e9663ba143de26", size = 2101980, upload-time = "2025-11-04T13:43:25.97Z" }, - { url = "https://files.pythonhosted.org/packages/a4/ed/d71fefcb4263df0da6a85b5d8a7508360f2f2e9b3bf5814be9c8bccdccc1/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:266fb4cbf5e3cbd0b53669a6d1b039c45e3ce651fd5442eff4d07c2cc8d66808", size = 1923865, upload-time = "2025-11-04T13:43:28.763Z" }, - { url = "https://files.pythonhosted.org/packages/ce/3a/626b38db460d675f873e4444b4bb030453bbe7b4ba55df821d026a0493c4/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58133647260ea01e4d0500089a8c4f07bd7aa6ce109682b1426394988d8aaacc", size = 2134256, upload-time = "2025-11-04T13:43:31.71Z" }, - { url = "https://files.pythonhosted.org/packages/83/d9/8412d7f06f616bbc053d30cb4e5f76786af3221462ad5eee1f202021eb4e/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:287dad91cfb551c363dc62899a80e9e14da1f0e2b6ebde82c806612ca2a13ef1", size = 2174762, upload-time = "2025-11-04T13:43:34.744Z" }, - { url = "https://files.pythonhosted.org/packages/55/4c/162d906b8e3ba3a99354e20faa1b49a85206c47de97a639510a0e673f5da/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:03b77d184b9eb40240ae9fd676ca364ce1085f203e1b1256f8ab9984dca80a84", size = 2143141, upload-time = "2025-11-04T13:43:37.701Z" }, - { url = "https://files.pythonhosted.org/packages/1f/f2/f11dd73284122713f5f89fc940f370d035fa8e1e078d446b3313955157fe/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:a668ce24de96165bb239160b3d854943128f4334822900534f2fe947930e5770", size = 2330317, upload-time = "2025-11-04T13:43:40.406Z" }, - { url = "https://files.pythonhosted.org/packages/88/9d/b06ca6acfe4abb296110fb1273a4d848a0bfb2ff65f3ee92127b3244e16b/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f14f8f046c14563f8eb3f45f499cc658ab8d10072961e07225e507adb700e93f", size = 2316992, upload-time = "2025-11-04T13:43:43.602Z" }, - { url = "https://files.pythonhosted.org/packages/36/c7/cfc8e811f061c841d7990b0201912c3556bfeb99cdcb7ed24adc8d6f8704/pydantic_core-2.41.5-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:56121965f7a4dc965bff783d70b907ddf3d57f6eba29b6d2e5dabfaf07799c51", size = 2145302, upload-time = "2025-11-04T13:43:46.64Z" }, +sdist = { url = "https://files.pythonhosted.org/packages/6f/0a/9414cddf82eda3976b14048cc0fa8f5b5d1aecb0b22e1dcd2dbfe0e139b1/pydantic_core-2.46.0.tar.gz", hash = "sha256:82d2498c96be47b47e903e1378d1d0f770097ec56ea953322f39936a7cf34977", size = 471441, upload-time = "2026-04-13T09:06:33.813Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ce/43/9bc38d43a6a48794209e4eb6d61e9c68395f69b7949f66842854b0cd1344/pydantic_core-2.46.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:0027da787ae711f7fbd5a76cb0bb8df526acba6c10c1e44581de1b838db10b7b", size = 2121004, upload-time = "2026-04-13T09:05:17.531Z" }, + { url = "https://files.pythonhosted.org/packages/8c/1d/f43342b7107939b305b5e4efeef7d54e267a5ef51515570a5c1d77726efb/pydantic_core-2.46.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:63e288fc18d7eaeef5f16c73e65c4fd0ad95b25e7e21d8a5da144977b35eb997", size = 1947505, upload-time = "2026-04-13T09:04:48.975Z" }, + { url = "https://files.pythonhosted.org/packages/4a/cd/ccf48cbbcaf0d99ba65969459ebfbf7037600b2cfdcca3062084dd83a008/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:080a3bdc6807089a1fe1fbc076519cea287f1a964725731d80b49d8ecffaa217", size = 1973301, upload-time = "2026-04-13T09:05:42.149Z" }, + { url = "https://files.pythonhosted.org/packages/c2/ff/a7bb1e7a762fb1f40ad5ef4e6a92c012864a017b7b1fdfb71cf91faa8b73/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c065f1c3e54c3e79d909927a8cb48ccbc17b68733552161eba3e0628c38e5d19", size = 2042208, upload-time = "2026-04-13T09:05:32.591Z" }, + { url = "https://files.pythonhosted.org/packages/ea/64/d3f11c6f6ace71526f3b03646df95eaab3f21edd13e00daae3f20f4e5a09/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7e2db58ab46cfe602d4255381cce515585998c3b6699d5b1f909f519bc44a5aa", size = 2229046, upload-time = "2026-04-13T09:04:18.59Z" }, + { url = "https://files.pythonhosted.org/packages/d0/64/93db9a63cce71630c58b376d63de498aa93cb341c72cd5f189b5c08f5c28/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c660974890ec1e4c65cff93f5670a5f451039f65463e9f9c03ad49746b49fc78", size = 2292138, upload-time = "2026-04-13T09:04:13.816Z" }, + { url = "https://files.pythonhosted.org/packages/e9/96/936fccce22f1f2ae8b2b694de651c2c929847be5f701c927a0bb3b1eb679/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d3be91482a8db77377c902cca87697388a4fb68addeb3e943ac74f425201a099", size = 2093333, upload-time = "2026-04-13T09:05:15.729Z" }, + { url = "https://files.pythonhosted.org/packages/75/76/c325e7fda69d589e26e772272044fe704c7e525c47d0d32a74f8345ac657/pydantic_core-2.46.0-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:1c72de82115233112d70d07f26a48cf6996eb86f7e143423ec1a182148455a9d", size = 2138802, upload-time = "2026-04-13T09:03:51.142Z" }, + { url = "https://files.pythonhosted.org/packages/c0/6f/ccaa2ff7d53a017b66841e2d38edd1f38d19ae1a2d0c5efee17f2d432229/pydantic_core-2.46.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:7904e58768cd79304b992868d7710bfc85dc6c7ed6163f0f68dbc1dcd72dc231", size = 2181358, upload-time = "2026-04-13T09:04:30.737Z" }, + { url = "https://files.pythonhosted.org/packages/6c/71/0c4b6303e92d63edcb81f5301695cdf70bb351775b4733eea65acdac8384/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:1af8d88718005f57bb4768f92f4ff16bf31a747d39dfc919b22211b84e72c053", size = 2183985, upload-time = "2026-04-13T09:04:06.792Z" }, + { url = "https://files.pythonhosted.org/packages/71/eb/f6bf255de38a4393aaa10bff224e882b630576bc26ebfb401e42bb965092/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:a5b891301b02770a5852253f4b97f8bd192e5710067bc129e20d43db5403ede2", size = 2328559, upload-time = "2026-04-13T09:06:14.143Z" }, + { url = "https://files.pythonhosted.org/packages/f2/71/93895a1545f50823a24b21d7761c2bd1b1afea7a6ddc019787caec237361/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:48b671fe59031fd9754c7384ac05b3ed47a0cccb7d4db0ec56121f0e6a541b90", size = 2367466, upload-time = "2026-04-13T09:05:59.613Z" }, + { url = "https://files.pythonhosted.org/packages/78/39/62331b3e71f41fb13d486621e2aec49900ba56567fb3a0ae5999fded0005/pydantic_core-2.46.0-cp311-cp311-win32.whl", hash = "sha256:0a52b7262b6cc67033823e9549a41bb77580ac299dc964baae4e9c182b2e335c", size = 1981367, upload-time = "2026-04-13T09:07:37.563Z" }, + { url = "https://files.pythonhosted.org/packages/9f/51/caac70958420e2d6115962f550676df59647c11f96a44c2fcb61662fcd16/pydantic_core-2.46.0-cp311-cp311-win_amd64.whl", hash = "sha256:4103fea1beeef6b3a9fed8515f27d4fa30c929a1973655adf8f454dc49ee0662", size = 2065942, upload-time = "2026-04-13T09:06:37.873Z" }, + { url = "https://files.pythonhosted.org/packages/b2/cf/576b2a4eb5500a1a5da485613b1ea8bc0d7279b27e0426801574b284ae65/pydantic_core-2.46.0-cp311-cp311-win_arm64.whl", hash = "sha256:3137cd88938adb8e567c5e938e486adc7e518ffc96b4ae1ec268e6a4275704d7", size = 2052532, upload-time = "2026-04-13T09:06:03.697Z" }, + { url = "https://files.pythonhosted.org/packages/2d/f1/6731c2d6caf03efe822101edb4783eb3f212f34b7b005a34f039f67e76e1/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:ce2e38e27de73ff6a0312a9e3304c398577c418d90bbde97f0ba1ee3ab7ac39f", size = 2121259, upload-time = "2026-04-13T09:07:34.845Z" }, + { url = "https://files.pythonhosted.org/packages/72/fd/ac34d4c92e739e37a040be9e7ea84d116afec5f983a7db856c27135fba77/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:f0d34ba062396de0be7421e6e69c9a6821bf6dc73a0ab9959a48a5a6a1e24754", size = 1945798, upload-time = "2026-04-13T09:04:24.729Z" }, + { url = "https://files.pythonhosted.org/packages/b6/a4/f413a522c4047c46b109be6805a3095d35e5a4882fd5b4fdc0909693dfc0/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c4c0a12147b4026dd68789fb9f22f1a8769e457f9562783c181880848bbd6412", size = 1986062, upload-time = "2026-04-13T09:05:57.177Z" }, + { url = "https://files.pythonhosted.org/packages/91/2e/9760025ea8b0f49903c0ceebdfc2d8ef839da872426f2b03cae9de036a7c/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a99896d9db56df901ab4a63cd6a36348a569cff8e05f049db35f4016a817a3d9", size = 2145344, upload-time = "2026-04-13T09:03:56.924Z" }, + { url = "https://files.pythonhosted.org/packages/09/ed/fbd8127e4a19c4fdbb2f4983cf72c7b3534086df640c813c5c0ec4218177/pydantic_core-2.46.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:be3e04979ba4d68183f247202c7f4f483f35df57690b3f875c06340a1579b47c", size = 2119951, upload-time = "2026-04-13T09:04:35.923Z" }, + { url = "https://files.pythonhosted.org/packages/ec/77/df8711ebb45910412f90d75198430fa1120f5618336b71fa00303601c5a4/pydantic_core-2.46.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:b1eae8d7d9b8c2a90b34d3d9014804dca534f7f40180197062634499412ea14e", size = 1953812, upload-time = "2026-04-13T09:05:40.293Z" }, + { url = "https://files.pythonhosted.org/packages/12/fe/14b35df69112bd812d6818a395eeab22eeaa2befc6f85bc54ed648430186/pydantic_core-2.46.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a95a2773680dd4b6b999d4eccdd1b577fd71c31739fb4849f6ada47eabb9c56", size = 2139585, upload-time = "2026-04-13T09:06:46.94Z" }, + { url = "https://files.pythonhosted.org/packages/1f/f0/4fea4c14ebbdeb87e5f6edd2620735fcbd384865f06707fe229c021ce041/pydantic_core-2.46.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:25988c3159bb097e06abfdf7b21b1fcaf90f187c74ca6c7bb842c1f72ce74fa8", size = 2179154, upload-time = "2026-04-13T09:04:15.639Z" }, + { url = "https://files.pythonhosted.org/packages/5c/36/6329aa79ba32b73560e6e453164fb29702b115fd3b2b650e796e1dc27862/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:747d89bd691854c719a3381ba46b6124ef916ae85364c79e11db9c84995d8d03", size = 2182917, upload-time = "2026-04-13T09:07:24.483Z" }, + { url = "https://files.pythonhosted.org/packages/92/61/edbf7aea71052d410347846a2ea43394f74651bf6822b8fad8703ca00575/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:909a7327b83ca93b372f7d48df0ebc7a975a5191eb0b6e024f503f4902c24124", size = 2327716, upload-time = "2026-04-13T09:06:31.681Z" }, + { url = "https://files.pythonhosted.org/packages/a4/11/aa5089b941e85294b1d5d526840b18f0d4464f842d43d8999ce50ef881c1/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:2f7e6a3752378a69fadf3f5ee8bc5fa082f623703eec0f4e854b12c548322de0", size = 2365925, upload-time = "2026-04-13T09:05:38.338Z" }, + { url = "https://files.pythonhosted.org/packages/0c/75/e187b0ea247f71f2009d156df88b7d8449c52a38810c9a1bd55dd4871206/pydantic_core-2.46.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:ef47ee0a3ac4c2bb25a083b3acafb171f65be4a0ac1e84edef79dd0016e25eaa", size = 2193856, upload-time = "2026-04-13T09:05:03.114Z" }, ] [[package]] @@ -637,7 +638,7 @@ wheels = [ [[package]] name = "pytest" -version = "9.0.2" +version = "9.0.3" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "colorama", marker = "sys_platform == 'win32'" }, @@ -646,9 +647,9 @@ dependencies = [ { name = "pluggy" }, { name = "pygments" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" } +sdist = { url = "https://files.pythonhosted.org/packages/7d/0d/549bd94f1a0a402dc8cf64563a117c0f3765662e2e668477624baeec44d5/pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c", size = 1572165, upload-time = "2026-04-07T17:16:18.027Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" }, + { url = "https://files.pythonhosted.org/packages/d4/24/a372aaf5c9b7208e7112038812994107bc65a84cd00e0354a88c2c77a617/pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9", size = 375249, upload-time = "2026-04-07T17:16:16.13Z" }, ] [[package]] @@ -712,15 +713,15 @@ wheels = [ [[package]] name = "rich" -version = "14.3.3" +version = "15.0.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "markdown-it-py" }, { name = "pygments" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/b3/c6/f3b320c27991c46f43ee9d856302c70dc2d0fb2dba4842ff739d5f46b393/rich-14.3.3.tar.gz", hash = "sha256:b8daa0b9e4eef54dd8cf7c86c03713f53241884e814f4e2f5fb342fe520f639b", size = 230582, upload-time = "2026-02-19T17:23:12.474Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c0/8f/0722ca900cc807c13a6a0c696dacf35430f72e0ec571c4275d2371fca3e9/rich-15.0.0.tar.gz", hash = "sha256:edd07a4824c6b40189fb7ac9bc4c52536e9780fbbfbddf6f1e2502c31b068c36", size = 230680, upload-time = "2026-04-12T08:24:00.75Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/14/25/b208c5683343959b670dc001595f2f3737e051da617f66c31f7c4fa93abc/rich-14.3.3-py3-none-any.whl", hash = "sha256:793431c1f8619afa7d3b52b2cdec859562b950ea0d4b6b505397612db8d5362d", size = 310458, upload-time = "2026-02-19T17:23:13.732Z" }, + { url = "https://files.pythonhosted.org/packages/82/3b/64d4899d73f91ba49a8c18a8ff3f0ea8f1c1d75481760df8c68ef5235bf5/rich-15.0.0-py3-none-any.whl", hash = "sha256:33bd4ef74232fb73fe9279a257718407f169c09b78a87ad3d296f548e27de0bb", size = 310654, upload-time = "2026-04-12T08:24:02.83Z" }, ] [[package]] @@ -755,27 +756,27 @@ wheels = [ [[package]] name = "ruff" -version = "0.15.8" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/14/b0/73cf7550861e2b4824950b8b52eebdcc5adc792a00c514406556c5b80817/ruff-0.15.8.tar.gz", hash = "sha256:995f11f63597ee362130d1d5a327a87cb6f3f5eae3094c620bcc632329a4d26e", size = 4610921, upload-time = "2026-03-26T18:39:38.675Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/4a/92/c445b0cd6da6e7ae51e954939cb69f97e008dbe750cfca89b8cedc081be7/ruff-0.15.8-py3-none-linux_armv6l.whl", hash = "sha256:cbe05adeba76d58162762d6b239c9056f1a15a55bd4b346cfd21e26cd6ad7bc7", size = 10527394, upload-time = "2026-03-26T18:39:41.566Z" }, - { url = "https://files.pythonhosted.org/packages/eb/92/f1c662784d149ad1414cae450b082cf736430c12ca78367f20f5ed569d65/ruff-0.15.8-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d3e3d0b6ba8dca1b7ef9ab80a28e840a20070c4b62e56d675c24f366ef330570", size = 10905693, upload-time = "2026-03-26T18:39:30.364Z" }, - { url = "https://files.pythonhosted.org/packages/ca/f2/7a631a8af6d88bcef997eb1bf87cc3da158294c57044aafd3e17030613de/ruff-0.15.8-py3-none-macosx_11_0_arm64.whl", hash = "sha256:6ee3ae5c65a42f273f126686353f2e08ff29927b7b7e203b711514370d500de3", size = 10323044, upload-time = "2026-03-26T18:39:33.37Z" }, - { url = "https://files.pythonhosted.org/packages/67/18/1bf38e20914a05e72ef3b9569b1d5c70a7ef26cd188d69e9ca8ef588d5bf/ruff-0.15.8-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fdce027ada77baa448077ccc6ebb2fa9c3c62fd110d8659d601cf2f475858d94", size = 10629135, upload-time = "2026-03-26T18:39:44.142Z" }, - { url = "https://files.pythonhosted.org/packages/d2/e9/138c150ff9af60556121623d41aba18b7b57d95ac032e177b6a53789d279/ruff-0.15.8-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:12e617fc01a95e5821648a6df341d80456bd627bfab8a829f7cfc26a14a4b4a3", size = 10348041, upload-time = "2026-03-26T18:39:52.178Z" }, - { url = "https://files.pythonhosted.org/packages/02/f1/5bfb9298d9c323f842c5ddeb85f1f10ef51516ac7a34ba446c9347d898df/ruff-0.15.8-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:432701303b26416d22ba696c39f2c6f12499b89093b61360abc34bcc9bf07762", size = 11121987, upload-time = "2026-03-26T18:39:55.195Z" }, - { url = "https://files.pythonhosted.org/packages/10/11/6da2e538704e753c04e8d86b1fc55712fdbdcc266af1a1ece7a51fff0d10/ruff-0.15.8-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d910ae974b7a06a33a057cb87d2a10792a3b2b3b35e33d2699fdf63ec8f6b17a", size = 11951057, upload-time = "2026-03-26T18:39:19.18Z" }, - { url = "https://files.pythonhosted.org/packages/83/f0/c9208c5fd5101bf87002fed774ff25a96eea313d305f1e5d5744698dc314/ruff-0.15.8-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2033f963c43949d51e6fdccd3946633c6b37c484f5f98c3035f49c27395a8ab8", size = 11464613, upload-time = "2026-03-26T18:40:06.301Z" }, - { url = "https://files.pythonhosted.org/packages/f8/22/d7f2fabdba4fae9f3b570e5605d5eb4500dcb7b770d3217dca4428484b17/ruff-0.15.8-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0f29b989a55572fb885b77464cf24af05500806ab4edf9a0fd8977f9759d85b1", size = 11257557, upload-time = "2026-03-26T18:39:57.972Z" }, - { url = "https://files.pythonhosted.org/packages/71/8c/382a9620038cf6906446b23ce8632ab8c0811b8f9d3e764f58bedd0c9a6f/ruff-0.15.8-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:ac51d486bf457cdc985a412fb1801b2dfd1bd8838372fc55de64b1510eff4bec", size = 11169440, upload-time = "2026-03-26T18:39:22.205Z" }, - { url = "https://files.pythonhosted.org/packages/4d/0d/0994c802a7eaaf99380085e4e40c845f8e32a562e20a38ec06174b52ef24/ruff-0.15.8-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:c9861eb959edab053c10ad62c278835ee69ca527b6dcd72b47d5c1e5648964f6", size = 10605963, upload-time = "2026-03-26T18:39:46.682Z" }, - { url = "https://files.pythonhosted.org/packages/19/aa/d624b86f5b0aad7cef6bbf9cd47a6a02dfdc4f72c92a337d724e39c9d14b/ruff-0.15.8-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:8d9a5b8ea13f26ae90838afc33f91b547e61b794865374f114f349e9036835fb", size = 10357484, upload-time = "2026-03-26T18:39:49.176Z" }, - { url = "https://files.pythonhosted.org/packages/35/c3/e0b7835d23001f7d999f3895c6b569927c4d39912286897f625736e1fd04/ruff-0.15.8-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c2a33a529fb3cbc23a7124b5c6ff121e4d6228029cba374777bd7649cc8598b8", size = 10830426, upload-time = "2026-03-26T18:40:03.702Z" }, - { url = "https://files.pythonhosted.org/packages/f0/51/ab20b322f637b369383adc341d761eaaa0f0203d6b9a7421cd6e783d81b9/ruff-0.15.8-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:75e5cd06b1cf3f47a3996cfc999226b19aa92e7cce682dcd62f80d7035f98f49", size = 11345125, upload-time = "2026-03-26T18:39:27.799Z" }, - { url = "https://files.pythonhosted.org/packages/37/e6/90b2b33419f59d0f2c4c8a48a4b74b460709a557e8e0064cf33ad894f983/ruff-0.15.8-py3-none-win32.whl", hash = "sha256:bc1f0a51254ba21767bfa9a8b5013ca8149dcf38092e6a9eb704d876de94dc34", size = 10571959, upload-time = "2026-03-26T18:39:36.117Z" }, - { url = "https://files.pythonhosted.org/packages/1f/a2/ef467cb77099062317154c63f234b8a7baf7cb690b99af760c5b68b9ee7f/ruff-0.15.8-py3-none-win_amd64.whl", hash = "sha256:04f79eff02a72db209d47d665ba7ebcad609d8918a134f86cb13dd132159fc89", size = 11743893, upload-time = "2026-03-26T18:39:25.01Z" }, - { url = "https://files.pythonhosted.org/packages/15/e2/77be4fff062fa78d9b2a4dea85d14785dac5f1d0c1fb58ed52331f0ebe28/ruff-0.15.8-py3-none-win_arm64.whl", hash = "sha256:cf891fa8e3bb430c0e7fac93851a5978fc99c8fa2c053b57b118972866f8e5f2", size = 11048175, upload-time = "2026-03-26T18:40:01.06Z" }, +version = "0.15.10" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e7/d9/aa3f7d59a10ef6b14fe3431706f854dbf03c5976be614a9796d36326810c/ruff-0.15.10.tar.gz", hash = "sha256:d1f86e67ebfdef88e00faefa1552b5e510e1d35f3be7d423dc7e84e63788c94e", size = 4631728, upload-time = "2026-04-09T14:06:09.884Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/eb/00/a1c2fdc9939b2c03691edbda290afcd297f1f389196172826b03d6b6a595/ruff-0.15.10-py3-none-linux_armv6l.whl", hash = "sha256:0744e31482f8f7d0d10a11fcbf897af272fefdfcb10f5af907b18c2813ff4d5f", size = 10563362, upload-time = "2026-04-09T14:06:21.189Z" }, + { url = "https://files.pythonhosted.org/packages/5c/15/006990029aea0bebe9d33c73c3e28c80c391ebdba408d1b08496f00d422d/ruff-0.15.10-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:b1e7c16ea0ff5a53b7c2df52d947e685973049be1cdfe2b59a9c43601897b22e", size = 10951122, upload-time = "2026-04-09T14:06:02.236Z" }, + { url = "https://files.pythonhosted.org/packages/f2/c0/4ac978fe874d0618c7da647862afe697b281c2806f13ce904ad652fa87e4/ruff-0.15.10-py3-none-macosx_11_0_arm64.whl", hash = "sha256:93cc06a19e5155b4441dd72808fdf84290d84ad8a39ca3b0f994363ade4cebb1", size = 10314005, upload-time = "2026-04-09T14:06:00.026Z" }, + { url = "https://files.pythonhosted.org/packages/da/73/c209138a5c98c0d321266372fc4e33ad43d506d7e5dd817dd89b60a8548f/ruff-0.15.10-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:83e1dd04312997c99ea6965df66a14fb4f03ba978564574ffc68b0d61fd3989e", size = 10643450, upload-time = "2026-04-09T14:05:42.137Z" }, + { url = "https://files.pythonhosted.org/packages/ec/76/0deec355d8ec10709653635b1f90856735302cb8e149acfdf6f82a5feb70/ruff-0.15.10-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8154d43684e4333360fedd11aaa40b1b08a4e37d8ffa9d95fee6fa5b37b6fab1", size = 10379597, upload-time = "2026-04-09T14:05:49.984Z" }, + { url = "https://files.pythonhosted.org/packages/dc/be/86bba8fc8798c081e28a4b3bb6d143ccad3fd5f6f024f02002b8f08a9fa3/ruff-0.15.10-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8ab88715f3a6deb6bde6c227f3a123410bec7b855c3ae331b4c006189e895cef", size = 11146645, upload-time = "2026-04-09T14:06:12.246Z" }, + { url = "https://files.pythonhosted.org/packages/a8/89/140025e65911b281c57be1d385ba1d932c2366ca88ae6663685aed8d4881/ruff-0.15.10-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a768ff5969b4f44c349d48edf4ab4f91eddb27fd9d77799598e130fb628aa158", size = 12030289, upload-time = "2026-04-09T14:06:04.776Z" }, + { url = "https://files.pythonhosted.org/packages/88/de/ddacca9545a5e01332567db01d44bd8cf725f2db3b3d61a80550b48308ea/ruff-0.15.10-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ee3ef42dab7078bda5ff6a1bcba8539e9857deb447132ad5566a038674540d0", size = 11496266, upload-time = "2026-04-09T14:05:55.485Z" }, + { url = "https://files.pythonhosted.org/packages/bc/bb/7ddb00a83760ff4a83c4e2fc231fd63937cc7317c10c82f583302e0f6586/ruff-0.15.10-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51cb8cc943e891ba99989dd92d61e29b1d231e14811db9be6440ecf25d5c1609", size = 11256418, upload-time = "2026-04-09T14:05:57.69Z" }, + { url = "https://files.pythonhosted.org/packages/dc/8d/55de0d35aacf6cd50b6ee91ee0f291672080021896543776f4170fc5c454/ruff-0.15.10-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:e59c9bdc056a320fb9ea1700a8d591718b8faf78af065484e801258d3a76bc3f", size = 11288416, upload-time = "2026-04-09T14:05:44.695Z" }, + { url = "https://files.pythonhosted.org/packages/68/cf/9438b1a27426ec46a80e0a718093c7f958ef72f43eb3111862949ead3cc1/ruff-0.15.10-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:136c00ca2f47b0018b073f28cb5c1506642a830ea941a60354b0e8bc8076b151", size = 10621053, upload-time = "2026-04-09T14:05:52.782Z" }, + { url = "https://files.pythonhosted.org/packages/4c/50/e29be6e2c135e9cd4cb15fbade49d6a2717e009dff3766dd080fcb82e251/ruff-0.15.10-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:8b80a2f3c9c8a950d6237f2ca12b206bccff626139be9fa005f14feb881a1ae8", size = 10378302, upload-time = "2026-04-09T14:06:14.361Z" }, + { url = "https://files.pythonhosted.org/packages/18/2f/e0b36a6f99c51bb89f3a30239bc7bf97e87a37ae80aa2d6542d6e5150364/ruff-0.15.10-py3-none-musllinux_1_2_i686.whl", hash = "sha256:e3e53c588164dc025b671c9df2462429d60357ea91af7e92e9d56c565a9f1b07", size = 10850074, upload-time = "2026-04-09T14:06:16.581Z" }, + { url = "https://files.pythonhosted.org/packages/11/08/874da392558ce087a0f9b709dc6ec0d60cbc694c1c772dab8d5f31efe8cb/ruff-0.15.10-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b0c52744cf9f143a393e284125d2576140b68264a93c6716464e129a3e9adb48", size = 11358051, upload-time = "2026-04-09T14:06:18.948Z" }, + { url = "https://files.pythonhosted.org/packages/e4/46/602938f030adfa043e67112b73821024dc79f3ab4df5474c25fa4c1d2d14/ruff-0.15.10-py3-none-win32.whl", hash = "sha256:d4272e87e801e9a27a2e8df7b21011c909d9ddd82f4f3281d269b6ba19789ca5", size = 10588964, upload-time = "2026-04-09T14:06:07.14Z" }, + { url = "https://files.pythonhosted.org/packages/25/b6/261225b875d7a13b33a6d02508c39c28450b2041bb01d0f7f1a83d569512/ruff-0.15.10-py3-none-win_amd64.whl", hash = "sha256:28cb32d53203242d403d819fd6983152489b12e4a3ae44993543d6fe62ab42ed", size = 11745044, upload-time = "2026-04-09T14:05:39.473Z" }, + { url = "https://files.pythonhosted.org/packages/58/ed/dea90a65b7d9e69888890fb14c90d7f51bf0c1e82ad800aeb0160e4bacfd/ruff-0.15.10-py3-none-win_arm64.whl", hash = "sha256:601d1610a9e1f1c2165a4f561eeaa2e2ea1e97f3287c5aa258d3dab8b57c6188", size = 11035607, upload-time = "2026-04-09T14:05:47.593Z" }, ] [[package]] @@ -848,26 +849,26 @@ source = { git = "https://github.com/toon-format/toon-python.git#90861444e5bf7d6 [[package]] name = "ty" -version = "0.0.26" +version = "0.0.29" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/18/94/4879b81f8681117ccaf31544579304f6dc2ddcc0c67f872afb35869643a2/ty-0.0.26.tar.gz", hash = "sha256:0496b62405d62de7b954d6d677dc1cc5d3046197215d7a0a7fef37745d7b6d29", size = 5393643, upload-time = "2026-03-26T16:27:11.067Z" } +sdist = { url = "https://files.pythonhosted.org/packages/47/d5/853561de49fae38c519e905b2d8da9c531219608f1fccc47a0fc2c896980/ty-0.0.29.tar.gz", hash = "sha256:e7936cca2f691eeda631876c92809688dbbab68687c3473f526cd83b6a9228d8", size = 5469221, upload-time = "2026-04-05T15:01:21.328Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/83/24/99fe33ecd7e16d23c53b0d4244778c6d1b6eb1663b091236dcba22882d67/ty-0.0.26-py3-none-linux_armv6l.whl", hash = "sha256:35beaa56cf59725fd59ab35d8445bbd40b97fe76db39b052b1fcb31f9bf8adf7", size = 10521856, upload-time = "2026-03-26T16:27:06.335Z" }, - { url = "https://files.pythonhosted.org/packages/55/97/1b5e939e2ff69b9bb279ab680bfa8f677d886309a1ac8d9588fd6ce58146/ty-0.0.26-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:487a0be58ab0eb02e31ba71eb6953812a0f88e50633469b0c0ce3fb795fe0fa1", size = 10320958, upload-time = "2026-03-26T16:27:13.849Z" }, - { url = "https://files.pythonhosted.org/packages/71/25/37081461e13d38a190e5646948d7bc42084f7bd1c6b44f12550be3923e7e/ty-0.0.26-py3-none-macosx_11_0_arm64.whl", hash = "sha256:a01b7de5693379646d423b68f119719a1338a20017ba48a93eefaff1ee56f97b", size = 9799905, upload-time = "2026-03-26T16:26:55.805Z" }, - { url = "https://files.pythonhosted.org/packages/a1/1c/295d8f55a7b0e037dfc3a5ec4bdda3ab3cbca6f492f725bf269f96a4d841/ty-0.0.26-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:628c3ee869d113dd2bd249925662fd39d9d0305a6cb38f640ddaa7436b74a1ef", size = 10317507, upload-time = "2026-03-26T16:27:31.887Z" }, - { url = "https://files.pythonhosted.org/packages/1d/62/48b3875c5d2f48fe017468d4bbdde1164c76a8184374f1d5e6162cf7d9b8/ty-0.0.26-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:63d04f35f5370cbc91c0b9675dc83e0c53678125a7b629c9c95769e86f123e65", size = 10319821, upload-time = "2026-03-26T16:27:29.647Z" }, - { url = "https://files.pythonhosted.org/packages/ff/28/cfb2d495046d5bf42d532325cea7412fa1189912d549dbfae417a24fd794/ty-0.0.26-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a53c4e6f6a91927f8b90e584a4b12bcde05b0c1870ddff8d17462168ad7947a", size = 10831757, upload-time = "2026-03-26T16:27:37.441Z" }, - { url = "https://files.pythonhosted.org/packages/26/bf/dbc3e42f448a2d862651de070b4108028c543ca18cab096b38d7de449915/ty-0.0.26-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:caf2ced0e58d898d5e3ba5cb843e0ebd377c8a461464748586049afbd9321f51", size = 11369556, upload-time = "2026-03-26T16:26:58.655Z" }, - { url = "https://files.pythonhosted.org/packages/92/4c/6d2f8f34bc6d502ab778c9345a4a936a72ae113de11329c1764bb1f204f6/ty-0.0.26-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:384807bbcb7d7ce9b97ee5aaa6417a8ae03ccfb426c52b08018ca62cf60f5430", size = 11085679, upload-time = "2026-03-26T16:27:21.746Z" }, - { url = "https://files.pythonhosted.org/packages/cc/f4/f3f61c203bc980dd9bba0ba7ed3c6e81ddfd36b286330f9487c2c7d041aa/ty-0.0.26-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8a2c766a94d79b4f82995d41229702caf2d76e5c440ec7e543d05c70e98bf8ab", size = 10900581, upload-time = "2026-03-26T16:27:24.39Z" }, - { url = "https://files.pythonhosted.org/packages/3d/fd/3ca1b4e4bdd129829e9ce78677e0f8e0f1038a7702dccecfa52f037c6046/ty-0.0.26-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f41ac45a0f8e3e8e181508d863a0a62156341db0f624ffd004b97ee550a9de80", size = 10294401, upload-time = "2026-03-26T16:27:03.999Z" }, - { url = "https://files.pythonhosted.org/packages/de/20/4ee3d8c3f90e008843795c765cb8bb245f188c23e5e5cc612c7697406fba/ty-0.0.26-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:73eb8327a34d529438dfe4db46796946c4e825167cbee434dc148569892e435f", size = 10351469, upload-time = "2026-03-26T16:27:19.003Z" }, - { url = "https://files.pythonhosted.org/packages/3d/b1/9fb154ade65906d4148f0b999c4a8257c2a34253cb72e15d84c1f04a064e/ty-0.0.26-py3-none-musllinux_1_2_i686.whl", hash = "sha256:4bb53a79259516535a1b55f613ba1619e9c666854946474ca8418c35a5c4fd60", size = 10529488, upload-time = "2026-03-26T16:27:01.378Z" }, - { url = "https://files.pythonhosted.org/packages/a5/70/9b02b03b1862e27b64143db65946d68b138160a5b6bfea193bee0b8bbc34/ty-0.0.26-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:2f0e75edc1aeb1b4b84af516c7891f631254a4ca3dcd15e848fa1e061e1fe9da", size = 10999015, upload-time = "2026-03-26T16:27:34.636Z" }, - { url = "https://files.pythonhosted.org/packages/21/16/0a56b8667296e2989b9d48095472d98ebf57a0006c71f2a101bbc62a142d/ty-0.0.26-py3-none-win32.whl", hash = "sha256:943c998c5523ed6b519c899c0c39b26b4c751a9759e460fb964765a44cde226f", size = 9912378, upload-time = "2026-03-26T16:27:08.999Z" }, - { url = "https://files.pythonhosted.org/packages/60/c2/fef0d4bba9cd89a82d725b3b1a66efb1b36629ecf0fb1d8e916cb75b8829/ty-0.0.26-py3-none-win_amd64.whl", hash = "sha256:19c856d343efeb1ecad8ee220848f5d2c424daf7b2feda357763ad3036e2172f", size = 10863737, upload-time = "2026-03-26T16:27:27.06Z" }, - { url = "https://files.pythonhosted.org/packages/4d/05/888ebcb3c4d3b6b72d5d3241fddd299142caa3c516e6d26a9cd887dfed3b/ty-0.0.26-py3-none-win_arm64.whl", hash = "sha256:2cde58ccffa046db1223dc28f3e7d4f2c7da8267e97cc5cd186af6fe85f1758a", size = 10285408, upload-time = "2026-03-26T16:27:16.432Z" }, + { url = "https://files.pythonhosted.org/packages/03/b7/911f9962115acfa24e3b2ec9d4992dd994c38e8769e1b1d7680bb4d28a51/ty-0.0.29-py3-none-linux_armv6l.whl", hash = "sha256:b8a40955f7660d3eaceb0d964affc81b790c0765e7052921a5f861ff8a471c30", size = 10568206, upload-time = "2026-04-05T15:01:19.165Z" }, + { url = "https://files.pythonhosted.org/packages/fe/c3/fcae2167d4c77a97269f92f11d1b43b03617f81de1283d5d05b43432110c/ty-0.0.29-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:6b6849adae15b00bbe2d3c5b078967dcb62eba37d38936b8eeb4c81a82d2e3b8", size = 10442530, upload-time = "2026-04-05T15:01:28.471Z" }, + { url = "https://files.pythonhosted.org/packages/97/33/5a6bfa240cfcb9c36046ae2459fa9ea23238d20130d8656ff5ac4d6c012a/ty-0.0.29-py3-none-macosx_11_0_arm64.whl", hash = "sha256:dcdd9b17209788152f7b7ea815eda07989152325052fe690013537cc7904ce49", size = 9915735, upload-time = "2026-04-05T15:01:10.365Z" }, + { url = "https://files.pythonhosted.org/packages/b3/1e/318f45fae232118e81a6306c30f50de42c509c412128d5bd231eab699ffb/ty-0.0.29-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9d8ed4789bae78ffaf94462c0d25589a734cab0366b86f2bbcb1bb90e1a7a169", size = 10419748, upload-time = "2026-04-05T15:01:32.375Z" }, + { url = "https://files.pythonhosted.org/packages/a9/a8/5687872e2ab5a0f7dd4fd8456eac31e9381ad4dc74961f6f29965ad4dd91/ty-0.0.29-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:91ec374b8565e0ad0900011c24641ebbef2da51adbd4fb69ff3280c8a7eceb02", size = 10394738, upload-time = "2026-04-05T15:01:06.473Z" }, + { url = "https://files.pythonhosted.org/packages/de/68/015d118097eeb95e6a44c4abce4c0a28b7b9dfb3085b7f0ee48e4f099633/ty-0.0.29-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:298a8d5faa2502d3810bbbb47a030b9455495b9921594206043c785dd61548cf", size = 10910613, upload-time = "2026-04-05T15:01:17.17Z" }, + { url = "https://files.pythonhosted.org/packages/1c/01/47ce3c6c53e0670eadbe80756b167bf80ed6681d1ba57cfde2e8065a13d1/ty-0.0.29-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3c8fba1a3524c6109d1e020d92301c79d41bf442fa8d335b9fa366239339cb70", size = 11475750, upload-time = "2026-04-05T15:01:30.461Z" }, + { url = "https://files.pythonhosted.org/packages/c4/cf/e361845b1081c9264ad5b7c963231bab03f2666865a9f2a115c4233f2137/ty-0.0.29-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4c48adf88a70d264128c39ee922ed14a947817fced1e93c08c1a89c9244edcde", size = 11190055, upload-time = "2026-04-05T15:01:12.369Z" }, + { url = "https://files.pythonhosted.org/packages/79/12/0fb0857e9a62cb11586e9a712103877bbf717f5fb570d16634408cfdefee/ty-0.0.29-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2ce0a7a0e96bc7b42518cd3a1a6a6298ef64ff40ca4614355c1aa807059b5c6f", size = 11020539, upload-time = "2026-04-05T15:01:37.022Z" }, + { url = "https://files.pythonhosted.org/packages/20/36/5a26753802083f80cd125db6c4348ad42b3c982ec36e718e0bf4c18f75e5/ty-0.0.29-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:a6ac86a05b4a3731d45365ab97780acc7b8146fa62fccb3cbe94fe6546c67a97", size = 10396399, upload-time = "2026-04-05T15:01:26.167Z" }, + { url = "https://files.pythonhosted.org/packages/00/e6/b4e75b5752239ab3ab400f19faef4dbef81d05aab5d3419fda0c062a3765/ty-0.0.29-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:6bbbf53141af0f3150bf288d716263f1a3550054e4b3551ca866d38192ba9891", size = 10421461, upload-time = "2026-04-05T15:01:08.367Z" }, + { url = "https://files.pythonhosted.org/packages/c0/21/1084b5b609f9abed62070ec0b31c283a403832a6310c8bbc208bd45ee1e6/ty-0.0.29-py3-none-musllinux_1_2_i686.whl", hash = "sha256:1c9e06b770c1d0ff5efc51e34312390db31d53fcf3088163f413030b42b74f84", size = 10599187, upload-time = "2026-04-05T15:01:23.52Z" }, + { url = "https://files.pythonhosted.org/packages/ab/a1/ce19a2ca717bbcc1ee11378aba52ef70b6ce5b87245162a729d9fdc2360f/ty-0.0.29-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0307fe37e3f000ef1a4ae230bbaf511508a78d24a5e51b40902a21b09d5e6037", size = 11121198, upload-time = "2026-04-05T15:01:15.22Z" }, + { url = "https://files.pythonhosted.org/packages/6b/6b/f1430b279af704321566ce7ec2725d3d8258c2f815ebd93e474c64cd4543/ty-0.0.29-py3-none-win32.whl", hash = "sha256:7a2a898217960a825f8bc0087e1fdbaf379606175e98f9807187221d53a4a8ed", size = 9995331, upload-time = "2026-04-05T15:01:01.32Z" }, + { url = "https://files.pythonhosted.org/packages/d2/ef/3ef01c17785ff9a69378465c7d0faccd48a07b163554db0995e5d65a5a23/ty-0.0.29-py3-none-win_amd64.whl", hash = "sha256:fc1294200226b91615acbf34e0a9ad81caf98c081e9c6a912a31b0a7b603bc3f", size = 11023644, upload-time = "2026-04-05T15:01:04.432Z" }, + { url = "https://files.pythonhosted.org/packages/2c/55/87280a994d6a2d2647c65e12abbc997ed49835794366153c04c4d9304d76/ty-0.0.29-py3-none-win_arm64.whl", hash = "sha256:f9794bbd1bb3ce13f78c191d0c89ae4c63f52c12b6daa0c6fe220b90d019d12c", size = 10428165, upload-time = "2026-04-05T15:01:34.665Z" }, ] [[package]] @@ -917,28 +918,28 @@ wheels = [ [[package]] name = "uv" -version = "0.11.2" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/ba/9e/65dfeeafe5644a2e0bdd9dfdd4bdc37c87b06067fdff4596eeba0bc0f2f5/uv-0.11.2.tar.gz", hash = "sha256:ef226af1d814466df45dc8a746c5220a951643d0832296a00c30ac3db95a3a4c", size = 4010086, upload-time = "2026-03-26T21:22:13.185Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/29/6f/6469561a85b81d690ad63eac1135ce4d4f8269cb4fc92da20ff7efa5fa4f/uv-0.11.2-py3-none-linux_armv6l.whl", hash = "sha256:f27ca998085eb8dc095ff9d7568aa08d9ce7c0d2b74bd525da5cd2e5b7367b71", size = 23387567, upload-time = "2026-03-26T21:22:02.49Z" }, - { url = "https://files.pythonhosted.org/packages/27/2a/313b5de76e52cc75e38fd3e5f1644d6b16d4d4bdb9aaff8508ec955255ed/uv-0.11.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:00054a0041c25b3ec3d0f4f6221d3cbfda32e70f7d1c60bee36f1a9736f47b68", size = 22819340, upload-time = "2026-03-26T21:22:42.942Z" }, - { url = "https://files.pythonhosted.org/packages/3a/74/64ea01a48383748f0e1087e617fab0d88176f506fc47e3a18fb936a22a3d/uv-0.11.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:89972042233c90adf8b8150ec164444a4df41938739e5736773ac00870840887", size = 21425465, upload-time = "2026-03-26T21:22:05.232Z" }, - { url = "https://files.pythonhosted.org/packages/b6/85/d9d71a940e90d1ec130483a02d25711010609c613d245abd48ff14fdfd1d/uv-0.11.2-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:e1f98621b3ffd5dd40bec12bd716e67aec552a7978c7753b709206d7a0e4f93f", size = 23140501, upload-time = "2026-03-26T21:22:31.896Z" }, - { url = "https://files.pythonhosted.org/packages/59/4d/c25126473337acf071b0d572ff94fb6444364641b3d311568028349c964d/uv-0.11.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:66925ceb0e76826b5280937a93e31f0b093c9edfafbb52db7936595b1ef205b8", size = 23003445, upload-time = "2026-03-26T21:22:15.371Z" }, - { url = "https://files.pythonhosted.org/packages/5b/3e/1ef69d9fc88e04037ffebd5c41f70dadeb73021033ced57b2e186b23ac7c/uv-0.11.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a10911b6a555d31beb835653cedc0bc491b656e964d30be8eb9186f1fe0ef88c", size = 22989489, upload-time = "2026-03-26T21:22:26.226Z" }, - { url = "https://files.pythonhosted.org/packages/a0/04/0398b4a5be0f3dd07be80d31275754338ae8857f78309b9776ab854d0a85/uv-0.11.2-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2b8fa0a2ddc69c9ed373d72144b950ac2af81e3d95047c2d02564a8a03be538c", size = 24603289, upload-time = "2026-03-26T21:22:45.967Z" }, - { url = "https://files.pythonhosted.org/packages/e6/79/0388bbb629db283a883e4412d5f54cf62ec4b9f7bb6631781fbbb49c0792/uv-0.11.2-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fbbd6e6e682b7f0bbdfff3348e580ea0fa58a07741e54cc8641b919bdf6f9128", size = 25218467, upload-time = "2026-03-26T21:22:20.701Z" }, - { url = "https://files.pythonhosted.org/packages/25/5c/725442191dee62e5b906576ed0ff432a1f2e3b38994c81e16156574e97ab/uv-0.11.2-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8f9f3ac825561edec6494588d6aed7d3f4a08618b167eb256b4a9027b13304a6", size = 24418929, upload-time = "2026-03-26T21:22:23.446Z" }, - { url = "https://files.pythonhosted.org/packages/9f/6e/f49ca8ad037919e5d44a2070af3d369792be3419c594cfb92f4404ab7832/uv-0.11.2-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:be4bb136bbc8840ede58663e8ba5a9bbf3b5376f7f933f915df28d4078bb9095", size = 24586892, upload-time = "2026-03-26T21:22:18.044Z" }, - { url = "https://files.pythonhosted.org/packages/83/08/aff0a8098ac5946d195e67bf091d494f34c1009ea6e163d0c23e241527e1/uv-0.11.2-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:fea7efc97f9fcfb345e588c71fa56250c0db8c2bfd8d4e2cd4d21e1308c4e6ac", size = 23232598, upload-time = "2026-03-26T21:22:51.865Z" }, - { url = "https://files.pythonhosted.org/packages/1c/43/eced218d15f8ed58fbb081f0b826e4f016b501b50ec317ab6c331b60c15c/uv-0.11.2-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:b5529572ea7150311f5a17b5d09ef19781c2484932e14eed44a0c038f93ef722", size = 23998818, upload-time = "2026-03-26T21:22:49.097Z" }, - { url = "https://files.pythonhosted.org/packages/62/96/da68d159ba3f49a516796273463288b53d675675c5a0df71c14301ec4323/uv-0.11.2-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:0919096889e26d0edcbc731e95c4a4d1f47ef881fb46970cbf0800bf17d4840e", size = 24047673, upload-time = "2026-03-26T21:22:37.6Z" }, - { url = "https://files.pythonhosted.org/packages/62/be/db2400f4699717b4f34e036e7a1c54bc1f89c7c5b3303abc8d8a00664071/uv-0.11.2-py3-none-musllinux_1_1_i686.whl", hash = "sha256:7a05747eecca4534c284dbab213526468092317e8f6aec7a6c9f89ce3d1248d3", size = 23733334, upload-time = "2026-03-26T21:22:40.247Z" }, - { url = "https://files.pythonhosted.org/packages/29/27/4045960075f4898a44f092625e9f08ee8af4229be7df6ad487d58aa7d51e/uv-0.11.2-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:00cbf1829e158b053b0bdc675d9f9c13700b29be90a9bad966cc9b586c01265b", size = 24790898, upload-time = "2026-03-26T21:22:07.812Z" }, - { url = "https://files.pythonhosted.org/packages/e4/9d/7470f39bf72683f1908e7ba70f5379f14e4984c8e6a65f7563f3dfb19f13/uv-0.11.2-py3-none-win32.whl", hash = "sha256:a1b8a39b17cf9e3183a35a44dffa103c91c412f003569a210883ffb537c2c65d", size = 22516649, upload-time = "2026-03-26T21:22:34.806Z" }, - { url = "https://files.pythonhosted.org/packages/f6/a3/c88fa454a7c07785ce63e96b6c1c7b24b5abcb3a6afbc6ad8b29b9bc1a1d/uv-0.11.2-py3-none-win_amd64.whl", hash = "sha256:d4dbcecf6daca8605f46fba232f49e9b49d06ebe3b9cba5e59e608c5be03890e", size = 24989876, upload-time = "2026-03-26T21:22:28.917Z" }, - { url = "https://files.pythonhosted.org/packages/a2/50/fae409a028d87db02ffbf3a3b5ac39980fbeb3d9a0356f49943722b2cabb/uv-0.11.2-py3-none-win_arm64.whl", hash = "sha256:e5b8570e88af5073ce5aa5df4866484e69035a6e66caab8a5c51a988a989a467", size = 23450736, upload-time = "2026-03-26T21:22:10.838Z" }, +version = "0.11.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/dd/f3/8aceeab67ea69805293ab290e7ca8cc1b61a064d28b8a35c76d8eba063dd/uv-0.11.6.tar.gz", hash = "sha256:e3b21b7e80024c95ff339fcd147ac6fc3dd98d3613c9d45d3a1f4fd1057f127b", size = 4073298, upload-time = "2026-04-09T12:09:01.738Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/1f/fe/4b61a3d5ad9d02e8a4405026ccd43593d7044598e0fa47d892d4dafe44c9/uv-0.11.6-py3-none-linux_armv6l.whl", hash = "sha256:ada04dcf89ddea5b69d27ac9cdc5ef575a82f90a209a1392e930de504b2321d6", size = 23780079, upload-time = "2026-04-09T12:08:56.609Z" }, + { url = "https://files.pythonhosted.org/packages/52/db/d27519a9e1a5ffee9d71af1a811ad0e19ce7ab9ae815453bef39dd479389/uv-0.11.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:5be013888420f96879c6e0d3081e7bcf51b539b034a01777041934457dfbedf3", size = 23214721, upload-time = "2026-04-09T12:09:32.228Z" }, + { url = "https://files.pythonhosted.org/packages/a6/8f/4399fa8b882bd7e0efffc829f73ab24d117d490a93e6bc7104a50282b854/uv-0.11.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:ffa5dc1cbb52bdce3b8447e83d1601a57ad4da6b523d77d4b47366db8b1ceb18", size = 21750109, upload-time = "2026-04-09T12:09:24.357Z" }, + { url = "https://files.pythonhosted.org/packages/32/07/5a12944c31c3dda253632da7a363edddb869ed47839d4d92a2dc5f546c93/uv-0.11.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:bfb107b4dade1d2c9e572992b06992d51dd5f2136eb8ceee9e62dd124289e825", size = 23551146, upload-time = "2026-04-09T12:09:10.439Z" }, + { url = "https://files.pythonhosted.org/packages/79/5b/2ec8b0af80acd1016ed596baf205ddc77b19ece288473b01926c4a9cf6db/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:9e2fe7ce12161d8016b7deb1eaad7905a76ff7afec13383333ca75e0c4b5425d", size = 23331192, upload-time = "2026-04-09T12:09:34.792Z" }, + { url = "https://files.pythonhosted.org/packages/62/7d/eea35935f2112b21c296a3e42645f3e4b1aa8bcd34dcf13345fbd55134b7/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7ed9c6f70c25e8dfeedddf4eddaf14d353f5e6b0eb43da9a14d3a1033d51d915", size = 23337686, upload-time = "2026-04-09T12:09:18.522Z" }, + { url = "https://files.pythonhosted.org/packages/21/47/2584f5ab618f6ebe9bdefb2f765f2ca8540e9d739667606a916b35449eec/uv-0.11.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d68a013e609cebf82077cbeeb0809ed5e205257814273bfd31e02fc0353bbfc2", size = 25008139, upload-time = "2026-04-09T12:09:03.983Z" }, + { url = "https://files.pythonhosted.org/packages/95/81/497ae5c1d36355b56b97dc59f550c7e89d0291c163a3f203c6f341dff195/uv-0.11.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:93f736dddca03dae732c6fdea177328d3bc4bf137c75248f3d433c57416a4311", size = 25712458, upload-time = "2026-04-09T12:09:07.598Z" }, + { url = "https://files.pythonhosted.org/packages/3c/1c/74083238e4fab2672b63575b9008f1ea418b02a714bcfcf017f4f6a309b6/uv-0.11.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e96a66abe53fced0e3389008b8d2eff8278cfa8bb545d75631ae8ceb9c929aba", size = 24915507, upload-time = "2026-04-09T12:08:50.892Z" }, + { url = "https://files.pythonhosted.org/packages/5a/ee/e14fe10ba455a823ed18233f12de6699a601890905420b5c504abf115116/uv-0.11.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b096311b2743b228df911a19532b3f18fa420bf9530547aecd6a8e04bbfaccd", size = 24971011, upload-time = "2026-04-09T12:08:54.016Z" }, + { url = "https://files.pythonhosted.org/packages/3c/a1/7b9c83eaadf98e343317ff6384a7227a4855afd02cdaf9696bcc71ee6155/uv-0.11.6-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:904d537b4a6e798015b4a64ff5622023bd4601b43b6cd1e5f423d63471f5e948", size = 23640234, upload-time = "2026-04-09T12:09:15.735Z" }, + { url = "https://files.pythonhosted.org/packages/d6/51/75ccdd23e76ff1703b70eb82881cd5b4d2a954c9679f8ef7e0136ef2cfab/uv-0.11.6-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:4ed8150c26b5e319381d75ae2ce6aba1e9c65888f4850f4e3b3fa839953c90a5", size = 24452664, upload-time = "2026-04-09T12:09:26.875Z" }, + { url = "https://files.pythonhosted.org/packages/4d/86/ace80fe47d8d48b5e3b5aee0b6eb1a49deaacc2313782870250b3faa36f5/uv-0.11.6-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:1c9218c8d4ac35ca6e617fb0951cc0ab2d907c91a6aea2617de0a5494cf162c0", size = 24494599, upload-time = "2026-04-09T12:09:37.368Z" }, + { url = "https://files.pythonhosted.org/packages/05/2d/4b642669b56648194f026de79bc992cbfc3ac2318b0a8d435f3c284934e8/uv-0.11.6-py3-none-musllinux_1_1_i686.whl", hash = "sha256:9e211c83cc890c569b86a4183fcf5f8b6f0c7adc33a839b699a98d30f1310d3a", size = 24159150, upload-time = "2026-04-09T12:09:13.17Z" }, + { url = "https://files.pythonhosted.org/packages/ae/24/7eecd76fe983a74fed1fc700a14882e70c4e857f1d562a9f2303d4286c12/uv-0.11.6-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:d2a1d2089afdf117ad19a4c1dd36b8189c00ae1ad4135d3bfbfced82342595cf", size = 25164324, upload-time = "2026-04-09T12:08:59.56Z" }, + { url = "https://files.pythonhosted.org/packages/27/e0/bbd4ba7c2e5067bbba617d87d306ec146889edaeeaa2081d3e122178ca08/uv-0.11.6-py3-none-win32.whl", hash = "sha256:6e8344f38fa29f85dcfd3e62dc35a700d2448f8e90381077ef393438dcd5012e", size = 22865693, upload-time = "2026-04-09T12:09:21.415Z" }, + { url = "https://files.pythonhosted.org/packages/a5/33/1983ce113c538a856f2d620d16e39691962ecceef091a84086c5785e32e5/uv-0.11.6-py3-none-win_amd64.whl", hash = "sha256:a28bea69c1186303d1200f155c7a28c449f8a4431e458fcf89360cc7ef546e40", size = 25371258, upload-time = "2026-04-09T12:09:40.52Z" }, + { url = "https://files.pythonhosted.org/packages/35/01/be0873f44b9c9bc250fcbf263367fcfc1f59feab996355bcb6b52fff080d/uv-0.11.6-py3-none-win_arm64.whl", hash = "sha256:a78f6d64b9950e24061bc7ec7f15ff8089ad7f5a976e7b65fcadce58fe02f613", size = 23869585, upload-time = "2026-04-09T12:09:29.425Z" }, ] [[package]]